Threat Feed
high advisory

Mac Malware Analysis of 2016: KeRanger, Keydnap, and Eleanor

Analysis of Mac malware from 2016 including KeRanger ransomware, Keydnap backdoor and credential stealer, and the Eleanor PHP-based backdoor, highlighting their infection vectors and persistence mechanisms.

In 2016, several new malware families emerged targeting macOS. This brief examines KeRanger, Keydnap, and Eleanor, detailing their unique characteristics. KeRanger, discovered in March 2016, was the first fully functional ransomware for macOS, distributed via a compromised Transmission application. Keydnap, found in July 2016, is a backdoor and credential stealer that also leveraged a compromised Transmission installer. Eleanor, also appearing in July 2016, is a PHP-based backdoor disguised as a fake application called “EasyDoc Convertor”. These threats highlight the increasing sophistication of macOS malware and the importance of maintaining updated security measures. The compromised Transmission applications underscore supply chain vulnerabilities affecting even legitimate software sources.

Attack Chain

  1. Initial Access (KeRanger & Keydnap): Users download a trojanized version of Transmission.app from the official Transmission website, which was compromised by attackers.
  2. Execution (KeRanger): The modified Transmission application executes a malicious Mach-O binary (General.rtf renamed to kernel_service) embedded within the application bundle.
  3. Execution (Keydnap): The modified Transmission application executes a malicious binary (License.rtf). Alternatively, users may execute a file named screenshot.jpg with a space at the end, triggering execution via Terminal.app.
  4. Persistence (Keydnap): Keydnap installs two launch agents: com.apple.iCloud.sync.daemon to execute the backdoor component icloudsyncd, and com.geticloud.icloud.photo to run a Tor2Web proxy (icloudproc).
  5. Privilege Escalation (Keydnap): The icloudsyncd binary attempts to elevate privileges by prompting the user for access.
  6. Data Exfiltration (Keydnap): The icloudsyncd binary dumps credentials and sensitive information from the keychain using code from the open-source keychaindump project, and communicates with its C2 server via the Tor2Web proxy.
  7. Encryption (KeRanger): KeRanger encrypts files under /Users/* and /Volumes/* that match predefined extensions (e.g., .docs, .jpgs, .zips, .cpp).
  8. Ransom Demand (KeRanger): KeRanger creates a plaintext readme file in each directory where files were encrypted, providing instructions to the user on how to pay the ransom.

Impact

The compromise of the Transmission application exposed an unknown number of macOS users to ransomware and backdoors. KeRanger’s ransomware capabilities could result in significant data loss and financial extortion. Keydnap’s credential-stealing functionality could compromise user accounts and sensitive data. Eleanor allows attackers to remotely administer the infected machine.

Recommendation

  • Enable Gatekeeper and keep XProtect signatures up to date on macOS to prevent execution of unsigned or known malicious applications. (Reference: KeRanger disinfection instructions)
  • Monitor for the creation of launch agents with suspicious names or associated binaries in /Library/LaunchAgents or ~/Library/LaunchAgents. Deploy the Sigma rule for suspicious launch agent creation.
  • Monitor for network connections to Tor2Web proxies, especially from unusual processes. Block known Tor exit nodes at the firewall. (Reference: Keydnap description of Tor2Web usage)
  • Deploy the provided Sigma rule to detect execution of binaries with a trailing space in their filename, a technique employed by Keydnap.

Detection coverage (2 rules)

Detect Suspicious Launch Agent Creation

medium

Detects the creation of launch agent plists in /Library/LaunchAgents or ~/Library/LaunchAgents with suspicious names or associated binaries, which can be indicative of malware persistence.

Rule type: Sigma | Tactics: persistence | Techniques: T1543.004 | Sources: file_event, macos

Detect Execution of File with Trailing Space

high

Detects execution of a file with a trailing space in its name, a technique used by Keydnap.

Rule type: Sigma | Tactics: initial_access | Techniques: T1566 | Sources: process_creation, macos
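Both rules above, and the matching recommendations in the Recommendation list, reduce to a handful of checks over endpoint telemetry. The Python below is an added example written for this page; it is not the platform's Sigma rules and not code from the researchers who documented Keydnap or KeRanger. It applies the advisory's own indicators (the two Keydnap launch agent labels, the icloudsyncd and icloudproc binary names, and a filename ending in a space) to constructed file_event and process_creation records, parsing the written plist to see which binary the agent would run. One heuristic is my assumption rather than something the advisory states: a com.apple.* label in a user-writable LaunchAgents directory is flagged because Apple ships its own agents under /System/Library/LaunchAgents. The sample events, plist contents, and the drop path for icloudsyncd are constructed for the example.

```python
import plistlib
import posixpath
import re
from xml.parsers.expat import ExpatError

# The two locations the advisory names: /Library/LaunchAgents and ~/Library/LaunchAgents.
# /System/Library/LaunchAgents (where Apple's own agents live) does not match this pattern.
LAUNCH_AGENT_RE = re.compile(r"^(?:/Users/[^/]+)?/Library/LaunchAgents/[^/]+\.plist$")

# Launch agent labels and binary names the advisory attributes to Keydnap.
KEYDNAP_LABELS = {"com.apple.iCloud.sync.daemon", "com.geticloud.icloud.photo"}
KEYDNAP_BINARIES = {"icloudsyncd", "icloudproc"}


def check_launch_agent(path, plist_xml):
    """Findings for a plist written to a LaunchAgents directory.

    path      -- TargetFilename from the file_event
    plist_xml -- the written file's content (XML plist as text)
    """
    findings = []
    if not LAUNCH_AGENT_RE.match(path):
        return findings
    try:
        plist = plistlib.loads(plist_xml.encode("utf-8"))
    except (plistlib.InvalidFileException, ExpatError):
        # A LaunchAgents plist that launchd could not parse is itself worth a look.
        return ["unparseable plist in LaunchAgents: " + path]
    label = str(plist.get("Label", ""))
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    binary = posixpath.basename(str(program))
    if label in KEYDNAP_LABELS:
        findings.append("known Keydnap launch agent label: " + label)
    elif label.startswith("com.apple."):
        # Heuristic (my assumption, not stated in the advisory): Apple does not
        # install com.apple.* agents into user-writable LaunchAgents directories.
        findings.append("Apple-style label in user-writable LaunchAgents: " + label)
    if binary in KEYDNAP_BINARIES:
        findings.append("launch agent runs known Keydnap binary: " + binary)
    return findings


def check_process_start(image):
    """Findings for a process_creation event: the executed file's name ends in a space."""
    name = posixpath.basename(image)
    if name.endswith(" "):
        # The Keydnap lure from the advisory: "screenshot.jpg " with a trailing space,
        # which the advisory notes ends up executing via Terminal.app.
        return ["execution of file with trailing space: " + repr(image)]
    return []


# Constructed sample telemetry (not real captures). The drop path for icloudsyncd is
# invented for the example; the advisory does not say where Keydnap writes it.
KEYDNAP_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.iCloud.sync.daemon</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/iCloudSync/icloudsyncd</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
</dict></plist>"""

SAMPLE_EVENTS = [
    {"type": "file_event",
     "TargetFilename": "/Users/alice/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist",
     "Content": KEYDNAP_PLIST},
    {"type": "file_event",
     "TargetFilename": "/Users/alice/Library/LaunchAgents/com.example.updater.plist",
     "Content": BENIGN_PLIST},
    {"type": "process_creation", "Image": "/Users/alice/Downloads/screenshot.jpg "},
    {"type": "process_creation", "Image": "/System/Applications/Preview.app/Contents/MacOS/Preview"},
]


def scan(events):
    """Apply both checks to a list of event dicts; returns (event index, finding) pairs."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "file_event":
            found = check_launch_agent(ev["TargetFilename"], ev.get("Content", ""))
        elif ev["type"] == "process_creation":
            found = check_process_start(ev["Image"])
        else:
            found = []
        hits.extend((i, f) for f in found)
    return hits


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Run against the constructed events, the Keydnap plist produces two findings (the known label and the icloudsyncd binary), the trailing-space execution produces one, and the benign agent and Preview launch produce none. Matching on the plist's Label and program rather than only on the file path is what keeps the launch agent rule useful once an operator renames the plist: the label and the binary are what launchd actually uses.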
