Just five months ago, the popular Mac BitTorrent client Transmission was found to be carrying KeRanger, the first working ransomware seen on the Mac. Now researchers at ESET's security site We Live Security have discovered another strain of malware, OSX/Keydnap, which was briefly distributed through a recompiled version of the Transmission app served from the app's official website.
According to the researchers, OSX/Keydnap is launched in much the same way KeRanger was: a malicious block of code is added to the app's main function, so the malware runs every time Transmission starts. Likewise, the trojanized Transmission was signed with a valid Apple-issued code-signing certificate. That certificate is different from the one Transmission's developers use, but because it was issued by Apple, Gatekeeper on OS X accepted the app as legitimately signed and let it run.
The researchers say that upon discovering the new malware they notified the Transmission team, who immediately removed the malicious version from their web server and launched an investigation. It is believed the infected build was signed on August 28 and distributed on August 29 only. Anyone who downloaded version 2.92 of the app on or around those dates should verify that their system has not been compromised.
Check for the presence of any of the following files or directories:
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
- /Library/Application Support/com.apple.iCloud.sync.daemon/
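The following script is an added example, not code from the MacTrast article or from ESET. It checks for the three indicators listed above and, on a Mac, prints the signing authority of the installed Transmission app so it can be compared with a known-good copy. The home directory, system root and app path are parameters of this example (an assumption, not part of the original write-up) so the same check can be run against a mounted disk image from another machine; they default to $HOME, / and /Applications/Transmission.app.

```shell
#!/bin/sh
# Added example (not from the article or from ESET): check a Mac, or a
# mounted image of one, for the Keydnap filesystem indicators listed above.

# check_keydnap HOME_DIR [ROOT_DIR]
#   HOME_DIR  the user's home directory (default: $HOME)
#   ROOT_DIR  prefix for the system /Library path (default: "", i.e. live root)
# Prints each indicator found; returns 0 when clean, 1 when anything is present.
check_keydnap() {
  home="${1:-$HOME}"
  root="${2:-}"
  found=0
  # Indicators of compromise published by ESET and quoted in the article.
  set -- \
    "$home/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd" \
    "$home/Library/Application Support/com.apple.iCloud.sync.daemon/process.id" \
    "$root/Library/Application Support/com.apple.iCloud.sync.daemon"
  for path in "$@"; do
    if [ -e "$path" ]; then
      printf 'FOUND: %s\n' "$path"
      found=$((found + 1))
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "no Keydnap filesystem indicators found"
    return 0
  fi
  echo "$found indicator(s) present; treat this system as compromised"
  return 1
}

# transmission_signer [APP_PATH]
#   Shows which certificate signed the installed Transmission app so the
#   Authority/TeamIdentifier lines can be compared with a known-good download.
#   codesign exists only on macOS; elsewhere the check is skipped.
#   The default app path is an assumption (the usual install location).
transmission_signer() {
  app="${1:-/Applications/Transmission.app}"
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not available; skipping signature check"
    return 0
  fi
  if [ ! -d "$app" ]; then
    echo "$app not found; skipping signature check"
    return 0
  fi
  # codesign writes its verbose output to stderr, hence 2>&1.
  codesign -dv --verbose=4 "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
}

# Run against the live system when executed directly.
check_keydnap "$HOME" "" || true
transmission_signer
```

A clean machine prints "no Keydnap filesystem indicators found" followed by the signer lines; if anything is listed as FOUND, the system should be treated as compromised and the Transmission build replaced with a fresh download whose signature has been checked.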
MacTrast will keep you posted on any further developments.