Mac malware inside BitTorrent app, signed with legit Apple developer ID

  • Liam Tung (CSO Online)
  • 31 August, 2016 03:45

If you downloaded the legitimate BitTorrent client for Mac OS over the past few days, you may have installed a nasty backdoor, security experts have warned.

Earlier this year Apple was forced to take action over ransomware known as KeRanger that had been bundled into Transmission, a free and legitimate BitTorrent client for Macs.

The incident was alarming since the Transmission files were signed with a legitimate Apple developer’s certificate, which meant Apple’s GateKeeper security feature wouldn’t have flagged the files as malware. Apple responded by revoking the certificate shortly after it was alerted to the threat.

Now, cybercriminals have been caught using identical tactics to distribute another piece of malware, identified by researchers at security firm ESET as Keydnap.

According to ESET, Keydnap attempts to steal the content of the keychain in OS X where credentials are stored, which could enable the malware to establish a permanent backdoor.

When ESET discovered the malware in July it wasn’t aware of the exact method used to infect Macs; however, on Tuesday it discovered the backdoor malware was being distributed within Transmission v2.92.

The security company wasn’t certain when the tainted Transmission file first appeared on the site, however the file’s signing dates suggest it’s only been available for a day or two, around August 28 and August 29.

ESET has provided seven files or directories whose presence would indicate that a Mac has been compromised by the malware. Details of those files are listed in ESET’s report.

“If any of them exists, it means the malicious Transmission application was executed and that Keydnap is most likely running,” ESET noted.

Additionally, the attackers used a slightly different name for the malicious disk image than the legitimate one, omitting the hyphen between the name of the app and the version number.

“The malicious disk image was named Transmission2.92.dmg while the legitimate one is Transmission-2.92.dmg,” ESET continued.

ESET said that the developers of Transmission have now removed the malicious file from the site. ESET has also notified Apple about the misused Apple developer certificate.

The code-signing key that was used to sign the malicious version of Transmission is a legitimate Apple certificate, however it was not Transmission’s certificate, which is listed as Digital Ignition LLC, but another developer’s certificate listed as Shaderkin Igor. Regardless, since the compromised certificate has been signed by Apple it will bypass Gatekeeper, ESET notes.
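The two checks the article implies, pinning the expected signer instead of accepting any Apple-issued Developer ID and rejecting the hyphen-less image name, as an added POSIX shell example that is not code from the article, ESET or the Transmission project. The Team ID values and the sample `codesign` output are constructed placeholders, and the expected signer name is taken from the article.

```shell
#!/bin/sh
# Added example, not from the article, ESET, or the Transmission project.
# Gatekeeper accepts any Apple-issued Developer ID, which is why a Transmission
# build signed by a different developer ran without complaint. Pin the signer
# you expect instead of trusting "signed by some Apple developer".

# Transmission's publisher as named in the article; the Team ID is not given
# there, so the check compares the organisation name only.
EXPECTED_SIGNER="Developer ID Application: Digital Ignition LLC"

# Read `codesign -dv --verbose=4 <app>` output on stdin, take the first
# Authority= line (the leaf certificate), drop the "(TEAMID)" suffix and
# compare it with EXPECTED_SIGNER. Returns 0 on match, 1 otherwise.
check_signer() {
    leaf=$(grep '^Authority=' | head -n 1 | sed -e 's/^Authority=//' -e 's/ ([^()]*)$//')
    if [ "$leaf" = "$EXPECTED_SIGNER" ]; then
        echo "OK: leaf signer is $leaf"
        return 0
    fi
    echo "MISMATCH: leaf signer is '$leaf', expected '$EXPECTED_SIGNER'" >&2
    return 1
}

# The malicious image dropped the hyphen (Transmission2.92.dmg instead of
# Transmission-2.92.dmg). Accept only the publisher's naming pattern.
check_dmg_name() {
    case "$1" in
        Transmission-[0-9]*.[0-9]*.dmg) return 0 ;;
        *) echo "suspicious image name: $1" >&2; return 1 ;;
    esac
}

# Constructed sample codesign output (TEAMID values are placeholders).
GOOD_SIG='Authority=Developer ID Application: Digital Ignition LLC (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'
BAD_SIG='Authority=Developer ID Application: Shaderkin Igor (TEAMID1111)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# Demo runs; on a real Mac pipe the live output instead:
#   codesign -dv --verbose=4 /Applications/Transmission.app 2>&1 | check_signer
printf '%s\n' "$GOOD_SIG" | check_signer
printf '%s\n' "$BAD_SIG" | check_signer || true
check_dmg_name Transmission2.92.dmg || true
```

`codesign` prints its details on stderr, hence the `2>&1` in the live invocation.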

CSO Australia has sought comment from Apple and will update the story if it receives one.

ESET says the Keydnap malware has been updated since its discovery in July to include a standalone Tor client, which allows the malware to connect more efficiently to the encrypted address of its command and control server.

The security firm also found some similarities between KeRanger ransomware and Keydnap, which share “astonishingly” similar code that is responsible for dropping and running the malicious payload.