Currently viewing ATT&CK v8.2, which was live between October 27, 2020 and April 28, 2021.

Keydnap

This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor [1].

ID: S0276
Associated Software: OSX/Keydnap
Type: MALWARE
Platforms: macOS
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description
OSX/Keydnap (no separate description given) [1]

Techniques Used

Domain ID Name Use

Enterprise T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid

Keydnap adds the setuid flag to a binary so it can easily elevate privileges in the future.[1]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

Keydnap uses HTTPS for command and control.[2]

Enterprise T1059.006 Command and Scripting Interpreter: Python

Keydnap uses Python scripting to execute additional commands.[2]

Enterprise T1543.001 Create or Modify System Process: Launch Agent

Keydnap uses a Launch Agent to persist.[2]

Enterprise T1555.002 Credentials from Password Stores: Securityd Memory

Keydnap uses the keychaindump project to read securityd memory.[2]

Enterprise T1056.002 Input Capture: GUI Input Capture

Keydnap prompts the user for credentials.[2]

Enterprise T1036.006 Masquerading: Space after Filename

Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program rather than an image viewer.[2]

Enterprise T1090.003 Proxy: Multi-hop Proxy

Keydnap uses a copy of the tor2web proxy for HTTPS communications.[2]
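The following host-triage script is an added example written for this page; it is not code from ATT&CK or from the cited reports. It turns three rows of the table above into checks a responder can run: the space-after-filename masquerade (T1036.006), setuid bits set on files in user-writable locations (T1548.001), and Launch Agent plists that point at unusual program paths (T1543.001). The lure-extension list, the "suspicious prefix" list and the sample plist are constructed for illustration and are assumptions, not indicators taken from Keydnap samples.

```python
"""Triage checks for Keydnap-style behaviours (example code added to this page)."""
import os
import plistlib
import stat

# Extensions commonly used as a lure; a trailing space after one of them means the
# file is not what the extension claims (constructed list, not from the page).
LURE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".pdf", ".txt", ".doc")

# Locations a Launch Agent should not normally execute from (hypothetical heuristic).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def has_space_after_extension(name: str) -> bool:
    """T1036.006: Finder keeps the trailing space as part of the name, so the file is
    not opened by an image viewer; a file like 'photo.jpg ' is handed to Terminal.app."""
    stripped = name.rstrip(" ")
    if stripped == name:
        return False
    return stripped.lower().endswith(LURE_EXTENSIONS)


def scan_dir_for_masquerades(root: str) -> list:
    """Walk root and return paths whose filename carries a space after a lure extension."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if has_space_after_extension(fn):
                hits.append(os.path.join(dirpath, fn))
    return hits


def setuid_files(root: str) -> list:
    """T1548.001: regular files under root with the setuid bit set. Run it over
    user-writable trees (home directories, /tmp); system binaries are expected there."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


def suspicious_launch_agent(plist_bytes: bytes) -> list:
    """T1543.001: return the reasons a Launch Agent plist looks suspicious (empty if none)."""
    reasons = []
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    targets = list(data.get("ProgramArguments") or [])
    if data.get("Program"):
        targets.append(data["Program"])
    for t in targets:
        if not isinstance(t, str):
            continue
        if t.startswith(SUSPICIOUS_PREFIXES):
            reasons.append(f"program in temp/shared path: {t}")
        if "/." in t:  # hidden directory component in the program path
            reasons.append(f"program in hidden path: {t}")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (relaunched whenever it exits)")
    return reasons


# Constructed sample plist, not a real Keydnap artifact.
CONSTRUCTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/tmp/.hidden/updater</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""


def check_user_launch_agents(home: str) -> dict:
    """Map each plist in ~/Library/LaunchAgents to its list of suspicious findings."""
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    findings = {}
    if not os.path.isdir(agents_dir):
        return findings
    for fn in os.listdir(agents_dir):
        if fn.endswith(".plist"):
            path = os.path.join(agents_dir, fn)
            with open(path, "rb") as fh:
                findings[path] = suspicious_launch_agent(fh.read())
    return findings


if __name__ == "__main__":
    home = os.path.expanduser("~")
    print("masqueraded names:", scan_dir_for_masquerades(os.path.join(home, "Downloads")))
    print("setuid files under home:", setuid_files(home))
    print("launch agents:", check_user_launch_agents(home))
    print("sample plist:", suspicious_launch_agent(CONSTRUCTED_PLIST))
```

Each function returns its findings rather than printing them, so the checks can be wired into an existing collection script; the setuid walk is meant for user-writable trees, since setuid binaries under /usr/bin are normal and would only add noise.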

References