Mac password-stealing malware haunts Transmission app… again

To have the official distribution of your Mac software hacked to include malware once may be regarded as a misfortune; to have it happen twice looks like carelessness.

(With apologies to Oscar Wilde.)

The first time it happened to the popular BitTorrent client Transmission was back in March 2016.

For a short while, the Mac version of Transmission 2.90 on the official download site was a not-so-official version that had some secret sauce of its own: OS X ransomware known as OSX/KeRanger-A.

This time, for less than 24 hours on 28 August 2016 and 29 August 2016, a bogus version of Transmission 2.92 was uploaded that contained malware known as OSX/PWSSync-B.

Ironically, a principal feature added when 2.92 was released, and the main reason you might have updated, was a malware removal tool for KeRanger, in case you had a leftover infection from the hacked 2.90 version.

PWS, by the way, is short for password stealer, so you can guess the primary function of the malware; it is also known as "Keydnap", a name that explains itself (say it out loud quickly).

The hack that was applied to the Transmission app this time is very similar to the previous attack.

The hacked Transmission software itself contains only a tiny change: a small snippet of code added at the start that loads a file called License.rtf that is packaged into the application bundle. (Last time, the sneaky extra file was General.rtf.)

The file License.rtf sounds harmless enough (what software doesn't include a licensing file somewhere?), and at first glance it looks equally reasonable. Except that this License isn't what it seems.

It's actually an OS X executable (a program file, not a document) that:

Configures itself as an OS X LaunchAgent so that it runs automatically whenever you reboot or log on.
Steals passwords and other credentials from your OS X Keychain, the Mac's password manager.
Calls home to download additional scripts to run.
As an aside, remember that before ransomware grabbed the headlines, with its laser-like focus on scrambling your files quickly to extort an immediate payment, most malware included a zombie or bot feature like the third item above.

So, don't forget that even though the credential-grabbing part of OSX/PWSSync-B is bad enough on its own…

…malware that includes a "download new stuff and run it" feature can, rather obviously, be updated at any time to commit any additional cybercrimes that its botmaster might decide upon.

The hacked Transmission.app bundle is digitally signed, so if you run it you won't see an "unknown developer" warning, but the signature doesn't identify the developer you'd expect for a legitimate Transmission file. Gatekeeper only checks that the bundle carries a valid Developer ID signature; it has no idea which developer Transmission is supposed to come from, so any valid signature is enough to get past it.
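The three things worth checking on a suspect bundle, as described above and in the list earlier: whether a "document" inside it is really a Mach-O program, who actually signed it, and what your per-user LaunchAgents are launching. The script below is an added example written for this page, not Sophos or Transmission code. It assumes the bundle path is passed on the command line, that `codesign` is only available on macOS (it is skipped elsewhere), and that LaunchAgent plists are in XML form (convert binary ones with `plutil -convert xml1` first). The Mach-O check looks at the file's magic bytes, so a renamed executable is caught whatever its extension claims.

```shell
#!/bin/sh
# Added example (not Sophos or Transmission code): triage a .app bundle for the
# tricks described in the article.
# Usage: sh triage_bundle.sh /Applications/Transmission.app

# Return 0 if FILE starts with a Mach-O or universal-binary magic number,
# regardless of what its extension claims it is.
is_macho() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every regular file in BUNDLE that is a Mach-O binary but sits outside
# Contents/MacOS and Contents/Frameworks, the only places real code belongs.
# A hit on something like Resources/License.rtf is the Keydnap pattern.
scan_bundle() {
    find "$1" -type f | while IFS= read -r f; do
        case "$f" in
            */Contents/MacOS/*|*/Contents/Frameworks/*) continue ;;
        esac
        if is_macho "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print the program each LaunchAgent in DIR (default: the current user's) runs.
# Assumes XML plists; convert binary ones first with: plutil -convert xml1 FILE
list_launch_agents() {
    dir=${1:-"$HOME/Library/LaunchAgents"}
    for p in "$dir"/*.plist; do
        [ -f "$p" ] || continue
        prog=$(sed -n -e '/<key>ProgramArguments<\/key>/,/<\/array>/ s/.*<string>\(.*\)<\/string>.*/\1/p' "$p" | head -n 1)
        printf '%s -> %s\n' "$p" "${prog:-?}"
    done
}

# Show who signed the bundle. A genuine build should carry the Transmission
# project's own Developer ID, not an unfamiliar one. macOS only.
show_signer() {
    if command -v codesign >/dev/null 2>&1; then
        codesign -dv --verbose=4 "$1" 2>&1 | grep -E '^(Identifier|TeamIdentifier|Authority)=' || true
    else
        echo "codesign not found; run this on macOS to inspect the signature"
    fi
}

if [ $# -gt 0 ]; then
    echo "== Code signature =="
    show_signer "$1"
    echo "== Mach-O files outside Contents/MacOS =="
    scan_bundle "$1"
    echo "== Per-user LaunchAgents =="
    list_launch_agents
fi
```

Run it against the bundle you downloaded; a clean Transmission.app should produce no output from the Mach-O scan, Authority lines naming the developer you expect, and LaunchAgents that you recognise. Anything pointing back into a Resources folder deserves a closer look.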
What to do?

If you're a Windows user, you can stop here: for once, you have the minor luxury of a malware attack that doesn't apply to you!

This vector of infection only applies if you:

Have a Mac running OS X.
Downloaded the Transmission 2.92 BitTorrent client on 28 or 29 August 2016.
Actually ran the booby-trapped Transmission app you downloaded.

If you think you may be at risk, or if you want to check your Mac anyway, just to make sure, you can use our 100% free Sophos Home product.

Sophos detects these malware components as OSX/PWSSync-B and OSX/PWSSync-E.