Security experts from ESET have spotted the popular BitTorrent client called Transmission distributing Mac malware called OSX/Keydnap that is used to steal the content of OS X’s keychain and maintain a permanent backdoor on victims’PC. This is the second time that the BitTorrent client Transmission has been used to deliver a malicious code. In March the researchers from Palo Alto Networks Unit 42 discovered a malicious campaign reported by Apple customers who were looking for the latest version of Transmission that were infected with a new family of Ransomware that was specifically designed to target OS X installations.
“On March 4, we detected that the Transmission BitTorrent ailient installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware “KeRanger.” states the report published by Palo Alto Networks.
“During the last hours, OSX/Keydnap was distributed on a trusted website, which turned out to be “something else”. It spread via a recompiled version of the otherwise legitimate open source BitTorrent client application Transmission and distributed on their official website.” reads the blog post published by ESET.
Transmission has promptly removed the malicious version from the download section, anyway, users who downloaded the client between Sunday and Monday should check if their machine has been comprised.
The Keydnap malware could be used by crooks to establish a backdoor on the compromised machine that can allow them to execute remote commands on the Mac.
Two attacks leveraging the BitTorrent client Transmission, is it a coincidence?
Malware researchers from ESET noted many similarities between the two attacks, for example in both cases the malicious code was added to the main function of the BitTorrent client Transmission. Also in this case, the OSX/Keydnap malicious code was signed with a legitimate code signing key that allows the crooks to bypass the Gatekeeper protection system.
“In both cases, a malicious block of code is added to the main function of the Transmission application,” ESET said. “The code responsible for dropping and running the malicious payload is astonishingly the same. Just like in the KeRanger case, a legitimate code signing key was used to sign the malicious Transmission application bundle. It’s different from the legitimate Transmission certificate, but is still signed by Apple and bypasses Gatekeeper protection.”
Experts speculate the Transmission website has been hacked, the attackers uploaded the malicious version of the BitTorrent client Transmission.ESET has notified Apple about the compromised developer certificate.
Experts from ESET has notified Apple about the compromised developer certificate.
(Security Affairs – BitTorrent client Transmission, OSX/Keydnap MAC malware)