Unknown attackers have hacked the website of the Transmission BitTorrent client, for the second time this year, and yet again, replaced the legitimate application with one that came laced with malware.
This time around, the BitTorrent client, which is very popular on Mac, but also comes with versions for Linux, distributed a DMG file that included the Keydnap trojan.
Website compromised over the weekend
ESET researchers, who discovered the tainted Transmission client, say the malware’s compilation date was Sunday, August 28.
The ESET team discovered the trojan on Monday, August 29. The team informed the Transmission developers, who removed the malicious DMG files from their downloads section within minutes.
Users that downloaded and installed the Transmission Mac client v2.92 between August 28 and August 29, should verify their system for the presence of the following folders and files:
/Applications/Transmission.app/Contents/Resources/License.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
/Library/Application Support/com.apple.iCloud.sync.daemon/
$HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist
If these files are present, then the user’s computer is infected with the Keydnap Mac OS X malware. This trojan is specialized in stealing the content of the Mac Keychain, where the user’s passwords are stored on a Mac computer.
Besides stealing passwords from the infected computer, Keydnap can also download and execute files from a remote URL, download and run Python scripts, run shell commands, and update itself with a new version.
Transmission website compromised before
Back at the start of March, researchers from Palo Alto Networks discovered that the Transmission website had been hacked and was spreading KeRanger, the first fully functional Mac ransomware.
Crooks had compromised the website and added a tainted Transmission Mac client (v2.90) instead of the legitimate file.
Following this latest incident, the Transmission team should consider hiring the services of a professional security vendor and audit their website and web server for vulnerabilities that keep allowing hackers to compromise their website.