OSX/Keydnap Malware Found to Spread via ‘Transmission’ BitTorrent App

Back in March, users of BitTorrent client app ‘Transmission’ became the first reported victims of Mac ransomware. Now once again, the open-source BitTorrent app has become the target of a newly discovered OS X malware, as security researchers at We Live Security are reporting that it spreads through a recompiled version of Transmission client, which was distributed through the app’s official website.


Called OSX/Keydnap, the malware executes itself in a similar manner as the previous Transmission ransomware KeRanger i.e. by adding a malicious block of code to the main function of the app. The code responsible for dropping and running the malicious payload is surprisingly the same. 

Just like in the KeRanger case, a legitimate code signing key was used to sign the malicious Transmission application bundle. Although it is different from the legitimate Transmission certificate, it is still signed by Apple and bypasses Gatekeeper protection.

According to the signature, the application bundle was signed on August 28th, 2016, but it seems to have been distributed only the next day. Thus, we advise anyone who downloaded Transmission v2.92 between August 28th and August 29th, 2016, inclusively, to verify if their system is compromised by testing the presence of any of the following file or directory:

  • /Applications/Transmission.app/Contents/Resources/License.rtf
  • /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
  • $HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
  • /Library/Application Support/com.apple.iCloud.sync.daemon/
  • $HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist

If any of them exists, it means the malicious Transmission application was executed and that Keydnap is most likely running. To learn more, hit up the source link.