S0276 Keydnap
This piece of malware steals the content of the user’s keychain while maintaining a permanent backdoor.[1]
| Item | Value | 
|---|---|
| ID | S0276 | 
| Associated Names | OSX/Keydnap | 
| Type | MALWARE | 
| Version | 1.2 | 
| Created | 17 October 2018 | 
| Last Modified | 17 October 2021 | 
Associated Software Descriptions
| Name | Description | 
|---|---|
| OSX/Keydnap | [1] | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - | 
| enterprise | T1548.001 | Setuid and Setgid | Keydnap adds the setuid flag to a binary so it can easily elevate in the future.[1] | 
| enterprise | T1071 | Application Layer Protocol | - | 
| enterprise | T1071.001 | Web Protocols | Keydnap uses HTTPS for command and control.[2] | 
| enterprise | T1059 | Command and Scripting Interpreter | - | 
| enterprise | T1059.006 | Python | Keydnap uses Python for scripting to execute additional commands.[2] | 
| enterprise | T1543 | Create or Modify System Process | - | 
| enterprise | T1543.001 | Launch Agent | Keydnap uses a Launch Agent to persist.[2] | 
| enterprise | T1555 | Credentials from Password Stores | - | 
| enterprise | T1555.002 | Securityd Memory | Keydnap uses the keychaindump project to read securityd memory.[2] | 
| enterprise | T1564 | Hide Artifacts | - | 
| enterprise | T1564.009 | Resource Forking | Keydnap uses a resource fork to present a macOS JPEG or text file icon rather than the executable’s icon assigned by the operating system.[1] | 
| enterprise | T1056 | Input Capture | - | 
| enterprise | T1056.002 | GUI Input Capture | Keydnap prompts the user for credentials.[2] | 
| enterprise | T1036 | Masquerading | - | 
| enterprise | T1036.006 | Space after Filename | Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program.[2] | 
| enterprise | T1090 | Proxy | - | 
| enterprise | T1090.003 | Multi-hop Proxy | Keydnap uses a copy of the tor2web proxy for HTTPS communications.[2] |