The Mac Attack Continues: Keydnap Arises

Not so long ago, Apple products were virtually immune from malware and other attacks. This was due to a number of factors, two of which were the closed architecture and a relatively low number of users compared with the PC market. Going through the effort to attack the Mac at that point did not make economic sense; the ROI would have been too low. Even at that point, the business of malware was operationalized and monetized. Since then, more people have begun to use Apple products. The number of users rose above the break-even point, and the platform became profitable for attackers. Many pieces of malware have surfaced since this boom in the use of Apple products. One of the latest pieces of malware focused on the Mac is Keydnap. Its origin is unknown (Amir, 2016). This Trojan was first seen this year in May and June (Cimpanu, 2016).


This malware was engineered to harvest the user’s login credentials for the Apple keychain (Amir, 2016). The keychain was designed as Apple’s version of a password management system. Depending on the user, it may contain account names, passwords, and credit card numbers. Anyone logged into this Apple ID would have full access to all of this information. This is an abundance of data that could be sold, used by the attacker, or put to other purposes. The malware provides not just a single attack but also continued, unfettered entry through a back door.


Keydnap arrives in a seemingly harmless zip file attached to an email. The email may come from an unfamiliar address or from a spoofed or hijacked address of a friend or family member. Inside the zip file is an executable (Mach-O) file that the user is expected to open (Leveille, 2016). Interestingly, the file name makes it look like a text or picture file, with .txt or .jpg as the extension (Amir, 2016; Masters, 2016). What is not so clear to the user is that there is a space just after the extension (Cimpanu, 2016). This extra, seemingly innocuous little space is anything but safe: it allows the malware to run in the Mac Terminal (Masters, 2016; Leveille, 2016). After double-clicking the file, the user expects the text or image to appear, but it does not appear immediately. While this is happening in the foreground, the malware is downloading files in the background, one of which is “icloudsyncd”. The additional files use TOR to send and receive reports to and from the malware’s command and control (C&C) center. So far, two servers have been noted at the C&C center (Cimpanu, 2016). The malware also opens a backdoor as it seeks the decryption key for the keychain. To further its goal of harvesting credentials, it displays a pop-up in which the user can enter their Apple user ID and password.
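The disguise described above can be checked for before an attachment is opened. The following is an added example, not code from the original article or the cited reports: it lists zip entries whose names carry whitespace after a .txt or .jpg extension or whose content begins with a Mach-O magic number. The function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# First four bytes of Mach-O files as they appear on disk.
MACHO_MAGICS = {
    bytes.fromhex("feedface"), bytes.fromhex("cefaedfe"),  # 32-bit, BE / LE
    bytes.fromhex("feedfacf"), bytes.fromhex("cffaedfe"),  # 64-bit, BE / LE
    bytes.fromhex("cafebabe"),  # universal (fat) binary; also Java class files
}
DECOY_EXTENSIONS = (".txt", ".jpg")  # the extensions the article names


def inspect_archive(zip_bytes):
    """Return a list of (entry name, reasons) for suspicious archive members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            reasons = []
            stripped = name.rstrip()
            # A name such as "photo.jpg " still looks like an image in a file listing.
            if stripped != name and stripped.lower().endswith(DECOY_EXTENSIONS):
                reasons.append("whitespace after decoy extension")
            # Judge the entry by its content, not by what its name claims.
            with archive.open(info) as member:
                if member.read(4) in MACHO_MAGICS:
                    reasons.append("Mach-O header")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_archive():
    """Constructed test input: one plain text file, one disguised entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("notes.txt", "meeting at 10\n")
        # Only a 64-bit Mach-O magic plus padding, not a working binary.
        archive.writestr("screenshot.jpg ", bytes.fromhex("cffaedfe") + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_archive(build_sample_archive()):
        print(repr(name), "->", ", ".join(reasons))
```

Printing the name with `repr()` makes the trailing space visible in the output, which a plain listing would hide.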


Usually malware is meant to be sent to everyone possible so that as many users as possible become infected. This translates into more data to be manipulated, stolen, and viewed by unauthorized parties. In this case, however, the malware was aimed more directly at security researchers (Masters, 2016).


This malware can be relatively painful for the user. To avoid infection by Keydnap, the advice is the same as in years past: users should not open files from unknown sources. If an attachment arrives from UPS regarding a package that was not ordered and is not expected, it probably should not be opened. If the user receives an email with an attachment from a friend, the user should still be wary and possibly contact the friend to verify that it was indeed sent.


Amir, U. (2016, July 8). Watch out for Keydnap malware stealing Mac login credentials. Retrieved from

Cimpanu, C. (2016, July 6). Keydnap malware steals keychain passwords, opens backdoor on infected Macs. Retrieved from

Leveille, M.-E. (2016, July 6). New OSX Keydnap malware is hungry for credentials. Retrieved from

Masters, G. (2016, July 7). Keydnap malware targeting Mac users, particularly security researchers. Retrieved from

About the authors

Charles Parker II has been working in the info sec field for over a decade, in the banking, medical, automotive, and staffing industries. Charles has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and

Jeremy Jones is a security engineer at Ciena Healthcare. Jeremy possesses a Bachelor's in Cybersecurity and uses his knowledge and expertise to improve the security at his current

