Transmission is once again the source of the Keydnap malware that affects Macs. Here's how to remove it


It seems that the developers of Transmission are a target for hackers, since this is not the first time that malware has slipped onto Macs through this file-download software. On this occasion, the malware was distributed through downloads of the application between August 28 and 29. The installation package contained the Keydnap malware. The previous version of this malware required users to click on a malicious file, which automatically opened the Terminal. The malware then waited for the application to be executed and displayed a window asking for authentication.


But this new version does not require a second application to run or the user to authenticate; it is simply installed together with Transmission. Since the application was signed by Apple, Gatekeeper allows it to run without checking at any point whether it includes malware.

Once installed and in control of the Mac, this new Keydnap update can be used to access the keychain, where we store all the passwords associated with web pages, including those for our bank accounts. It does not stop at having access: it quickly downloads the file onto the servers of those who developed this malware.

The signature found in the Transmission installer package is, of course, not the one belonging to the legitimate developers, and Apple has been informed so that it can revoke this signature. The developers removed the infected copy from their servers as soon as they were notified of the problem.

It seems that the company's servers always have the door open, because this is the second time that hackers have broken into them and replaced the original download file with a copy that includes malware. Previously, the malware that sneaked into the installation package was KeRanger. Despite the investigations carried out each time, hackers get in again and again. It seems that they are going to have to dedicate themselves to something else or choose to change servers. At the moment the new copy is already stored on the GitHub servers.

How to remove Keydnap from a Mac infected through Transmission

ESET Research recommends that all users who downloaded and installed Transmission between the 28th and 29th find and delete any of these files or directories on their Macs:

  • /Applications/Transmission.app/Contents/Resources/License.rtf
  • /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
  • $HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
  • /Library/Application Support/com.apple.iCloud.sync.daemon/
  • $HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist

Next, open Activity Monitor and quit any process related to the following files:

  • icloudproc
  • license.rtf
  • icloudsyncd
  • /usr/libexec/icloudsyncd -launchd netlogon.bundle

Now uninstall the application from the system and download Transmission again from the GitHub servers, where the developers have hosted it because it offers greater security than their own servers.
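The checks above can also be run from the Terminal. The following script is an added example, not something published by ESET or the Transmission developers: it looks for the files and process names listed in this article, and its function names and the `--scan` switch are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: look for the Keydnap files and processes listed in this article.
# Function names and the --scan switch are hypothetical; the paths and process
# names are the ones given above.

# Print every listed file or directory that exists.
#   $1 = home directory to inspect
#   $2 = optional root prefix (e.g. a mounted backup volume); empty means "/"
keydnap_find_files() {
    local home="$1" root="${2:-}" p
    local daemon="Library/Application Support/com.apple.iCloud.sync.daemon"
    for p in \
        "$root/Applications/Transmission.app/Contents/Resources/License.rtf" \
        "$root/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf" \
        "$home/$daemon/icloudsyncd" \
        "$home/$daemon/process.id" \
        "$home/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist" \
        "$root/$daemon" \
        "$home/Library/LaunchAgents/com.geticloud.icloud.photo.plist"
    do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Read a process listing on stdin and print the lines that mention one of the
# listed process names. The [x] brackets keep grep from matching its own
# command line when it is fed from ps.
keydnap_match_procs() {
    grep -iE '[i]cloudproc|[l]icense\.rtf|[i]cloudsyncd' || true
}

# Only scan the live system when asked to, so the functions can be sourced.
if [ "${1:-}" = "--scan" ]; then
    echo "Files found:"
    keydnap_find_files "$HOME"
    echo "Processes found:"
    ps -axo pid=,command= | keydnap_match_procs
fi
```

Run it with `--scan`; empty output under both headings means none of the listed files or processes were found for the current user.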

