
S0276 Keydnap

Keydnap is macOS malware that steals the contents of the user’s keychain while maintaining a permanent backdoor on the host. [1]

Item Value
ID S0276
Associated Names OSX/Keydnap
Type MALWARE
Version 1.2
Created 17 October 2018
Last Modified 17 October 2021

Associated Software Descriptions

Name Description
OSX/Keydnap [1]

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.001 Setuid and Setgid Keydnap adds the setuid flag to a binary so it can easily elevate privileges later. [1]
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Keydnap uses HTTPS for command and control. [2]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.006 Python Keydnap uses Python scripting to execute additional commands. [2]
enterprise T1543 Create or Modify System Process -
enterprise T1543.001 Launch Agent Keydnap persists via a Launch Agent. [2]
enterprise T1555 Credentials from Password Stores -
enterprise T1555.002 Securityd Memory Keydnap uses the keychaindump project to read securityd memory. [2]
enterprise T1564 Hide Artifacts -
enterprise T1564.009 Resource Forking Keydnap uses a resource fork to present a macOS JPEG or text-file icon rather than the executable icon the operating system would otherwise assign. [1]
enterprise T1056 Input Capture -
enterprise T1056.002 GUI Input Capture Keydnap prompts the user for credentials. [2]
enterprise T1036 Masquerading -
enterprise T1036.006 Space after Filename Keydnap appends a space after a fake .jpg extension so that double-clicking the file opens it in Terminal.app, which executes it, rather than in an image viewer. [2]
enterprise T1090 Proxy -
enterprise T1090.003 Multi-hop Proxy Keydnap uses a copy of the tor2web proxy for its HTTPS communications. [2]
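The Launch Agent (T1543.001) and space-after-filename (T1036.006) rows above describe artifacts a responder can hunt for on disk. The script below is an added example for this page, not code from the ATT&CK entry or from the Keydnap analyses it cites: it parses LaunchAgent property lists with the standard library and flags the combination of traits a Keydnap-style agent would show (starts at login, Apple-looking label under a per-user LaunchAgents directory, program in a user-writable path, or a program name using the trailing-space trick). The plist contents, labels and paths are constructed for the example; on a real host the same function would be fed the files under ~/Library/LaunchAgents and /Library/LaunchAgents.

```python
"""Triage macOS LaunchAgent plists for Keydnap-style persistence.

Added example for this page: a hypothetical hunting heuristic, not code from
the ATT&CK entry or from the Keydnap analyses it cites. Labels, paths and
plist contents below are constructed for the example.
"""
import plistlib
import re
from dataclasses import dataclass, field

# Locations an unprivileged user can write to; a program here could have been
# dropped by malware running as that user without any admin rights.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

# T1036.006: a document-looking extension followed by trailing whitespace.
# Finder displays "photo.jpg", but the name has no real extension, so a
# double-click hands the Mach-O to Terminal.app instead of an image viewer.
TRAILING_SPACE_EXT = re.compile(r"\.(jpe?g|png|gif|txt|pdf|docx?)\s+$", re.IGNORECASE)


def looks_masqueraded(path: str) -> bool:
    """True if the file name uses the space-after-extension trick."""
    name = path.rsplit("/", 1)[-1]
    return TRAILING_SPACE_EXT.search(name) is not None


def program_path(plist: dict) -> str:
    """launchd runs Program if present, otherwise ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


@dataclass
class Finding:
    plist_path: str
    label: str
    program: str
    reasons: list = field(default_factory=list)


def triage_launch_agent(plist_path: str, data: bytes) -> Finding:
    """Score one LaunchAgent plist; an empty reasons list means nothing odd."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    program = program_path(plist)
    finding = Finding(plist_path, label, program)

    per_user = plist_path.startswith("/Users/")
    if plist.get("RunAtLoad") or plist.get("KeepAlive"):
        finding.reasons.append("starts at login and/or is restarted by launchd")
    if per_user and label.startswith("com.apple."):
        finding.reasons.append("Apple-looking label in a per-user LaunchAgents directory")
    if program.startswith(USER_WRITABLE):
        finding.reasons.append("program lives in a user-writable location")
    if looks_masqueraded(program):
        finding.reasons.append("program name has a trailing space after a fake extension")
    return finding


# Constructed samples: one Keydnap-style agent and one ordinary vendor agent.
SAMPLES = {
    "/Users/alice/Library/LaunchAgents/com.apple.cloud.sync.helper.plist": plistlib.dumps({
        "Label": "com.apple.cloud.sync.helper",
        "ProgramArguments": [
            "/Users/alice/Library/Application Support/com.apple.cloud.sync.helper/helper",
        ],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "Program": "/Applications/Example.app/Contents/MacOS/updater",
        "RunAtLoad": True,
    }),
}


def triage_all(samples=SAMPLES) -> list:
    """Return findings with at least two reasons, most suspicious first."""
    findings = [triage_launch_agent(p, d) for p, d in samples.items()]
    suspicious = [f for f in findings if len(f.reasons) >= 2]
    return sorted(suspicious, key=lambda f: -len(f.reasons))


if __name__ == "__main__":
    for f in triage_all():
        print(f"{f.plist_path}\n  -> {f.program}")
        for reason in f.reasons:
            print(f"     * {reason}")
```

A single trait is weak evidence (many legitimate agents set RunAtLoad), so the triage only reports plists that stack two or more; the threshold and the path list are assumptions to tune per fleet. The resource-fork icon trick (T1564.009) is not checked here because it needs the file's extended attributes, not the plist.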

References