Mac password-stealing malware haunts Transmission app… again

Thanks to Xinran Wu of SophosLabs for his behind-the-scenes work on this article.

To have the official distribution of your Mac software hacked to include malware once may be regarded as a misfortune; to have it happen twice looks like carelessness.

(With apologies to Oscar Wilde.)

The first time it happened to popular BitTorrent client Transmission was back in March 2016.

For a short while, the Mac version of Transmission 2.90 on the official download site was a not-so-official version that had some secret sauce of its own: OS X ransomware called OSX/KeRanger-A.

This time, for less than 24 hours on 28 August 2016 and 29 August 2016, a bogus version of Transmission 2.92 was uploaded that contained malware known as OSX/PWSSync-B.

Ironically, the main feature added when 2.92 was released, and the main reason you might have updated, was a malware removal utility for KeRanger, in case you had a leftover infection from the hacked 2.90 version.

PWS, by the way, is short for password stealer, so you can guess the primary function of the malware; it is also known as “Keydnap”, a name that explains itself (say it out loud quickly).

The hack that was applied to the Transmission app this time is very similar to the previous attack.

The hacked Transmission program itself contains only a tiny change: a small snippet of code added at the start that loads a file called License.rtf that is packaged into the application bundle. (Last time, the sneaky extra file was General.rtf.)

Transmission’s hacked startup code loads License.rtf from the Resources subdirectory

The file License.rtf sounds innocent enough – what software doesn’t include a licensing document somewhere? – and opening it seems equally reasonable.

Except that this License isn’t what it seems.

It’s actually an OS X executable (program file) that:

  • Configures itself as an OS X LaunchAgent so that it runs automatically every time you reboot or logon.
  • Steals passwords and other credentials from your OS X Keychain, the Mac’s built-in password manager.
  • Calls home to download additional scripts to run.

As an aside, don’t forget that before ransomware grabbed the headlines, with its laser-like focus on scrambling your data quickly to provoke prompt payment, most malware included a zombie or bot component like the third item above.

So, don’t forget that even though the credential-grabbing part of OSX/PWSSync-B is bad enough on its own…

…malware that includes a “download new stuff and run it” function can, rather obviously, be updated at any time to commit any additional cybercrimes that its botmaster might decide upon.

The hacked package is digitally signed, so if you run it you won’t see an “unknown developer” warning, but the signature doesn’t identify the developer you’d expect for a legitimate Transmission file:

Authority=Developer ID Application: Shaderkin Igor (836QJ8VMCQ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Aug 28, 2016, 5:09:55 PM

Authority=Developer ID Application: Digital Ignition LLC
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=6 Mar 2016, 20:01:41

If you’re comfortable using a bash prompt, you can extract the details shown above, and more, from any Mac app by running codesign --display --verbose=4 followed by the path to the app bundle (for example /Applications/Transmission.app).

Just for interest, here is the developer’s signature from the last time Transmission was hacked:

Authority=Developer ID Application: POLISAN BOYA SANAYI VE TICARET ANONIM SIRKETI (Z7276PX673)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Mar 4, 2016, 9:36:28 PM
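As an added example (not code from this article or from the Transmission project), here is a small Python script that applies the two checks described above to a Transmission.app bundle: whether License.rtf or General.rtf in Contents/Resources is really a Mach-O executable rather than an RTF document, and whether the codesign authority chain names the developer you expect. The expected developer string is an assumption you should take from a known-good copy; the checks below treat the Developer ID from the second signature block above as that reference, and the codesign output is parsed from text so the parsing can be exercised with the quoted lines as constructed input.

```python
import os
import subprocess
from typing import List

# Mach-O magic numbers (32/64-bit, either endianness) plus the fat/universal header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}

def classify_bytes(head: bytes) -> str:
    """Classify a file by its leading bytes: 'macho', 'rtf' or 'other'."""
    if head[:4] in MACHO_MAGICS:
        return "macho"
    if head.startswith(b"{\\rtf"):
        return "rtf"
    return "other"

def classify_file(path: str) -> str:
    with open(path, "rb") as f:
        return classify_bytes(f.read(8))

def suspicious_rtf_resources(bundle: str, names=("License.rtf", "General.rtf")) -> List[str]:
    """Names of the listed *.rtf resources that are really Mach-O binaries."""
    res = os.path.join(bundle, "Contents", "Resources")
    return [n for n in names
            if os.path.isfile(os.path.join(res, n))
            and classify_file(os.path.join(res, n)) == "macho"]

def parse_authorities(codesign_output: str) -> List[str]:
    """Extract the Authority= chain from `codesign -d --verbose=4` output (it goes to stderr)."""
    return [line.split("=", 1)[1].strip()
            for line in codesign_output.splitlines()
            if line.startswith("Authority=")]

def developer_id_matches(authorities: List[str], expected_developer: str) -> bool:
    """True only if the leaf cert is the expected Developer ID and the chain ends at Apple Root CA."""
    if not authorities:
        return False
    return (authorities[0].startswith("Developer ID Application: " + expected_developer)
            and authorities[-1] == "Apple Root CA")

def codesign_authorities(bundle: str) -> List[str]:
    """macOS only: run codesign on a real bundle and return its authority chain."""
    proc = subprocess.run(["codesign", "-d", "--verbose=4", bundle],
                          capture_output=True, text=True)
    return parse_authorities(proc.stderr)
```

On a Mac, `suspicious_rtf_resources("/Applications/Transmission.app")` should return an empty list for a clean copy, and `developer_id_matches(codesign_authorities("/Applications/Transmission.app"), "Digital Ignition LLC")` should be True only if the bundle is signed by that Developer ID.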

What to do?

If you’re a Windows user, you may stop right here: for once, you have the minor luxury of a malware attack that doesn’t apply to you!

This vector of infection only applies if you:

  • Have a Mac running OS X.
  • Downloaded the Transmission 2.92 BitTorrent client on 28 or 29 August 2016.
  • Actually ran the booby-trapped Transmission app you downloaded.

If you think you may be at risk, or if you want to check your Mac anyway, just to make sure, you can use our 100% free Sophos Home product.

Sophos detects these malware components as OSX/PWSSync-B and OSX/PWSSync-E.