This is a custom instance of the MITRE ATT&CK Website. The official website can be found at attack.mitre.org.

SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

Keydnap

This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor ^[1].

ID: S0276

ⓘ

Associated Software: OSX/Keydnap

ⓘ

Type: MALWARE

ⓘ

Platforms: macOS

Version: 1.2

Created: 17 October 2018

Last Modified: 17 October 2021

Associated Software Descriptions

Name	Description
OSX/Keydnap	^[1]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1548	.001	Abuse Elevation Control Mechanism: Setuid and Setgid	Keydnap adds the setuid flag to a binary so it can easily elevate in the future.^[1]
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Keydnap uses HTTPS for command and control.^[2]
Enterprise	T1059	.006	Command and Scripting Interpreter: Python	Keydnap uses Python for scripting to execute additional commands.^[2]
Enterprise	T1543	.001	Create or Modify System Process: Launch Agent	Keydnap uses a Launch Agent to persist.^[2]
Enterprise	T1555	.002	Credentials from Password Stores: Securityd Memory	Keydnap uses the keychaindump project to read securityd memory.^[2]
Enterprise	T1564	.009	Hide Artifacts: Resource Forking	Keydnap uses a resource fork to present a macOS JPEG or text file icon rather than the executable's icon assigned by the operating system.^[1]
Enterprise	T1056	.002	Input Capture: GUI Input Capture	Keydnap prompts the users for credentials.^[2]
Enterprise	T1036	.006	Masquerading: Space after Filename	Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program.^[2]
Enterprise	T1090	.003	Proxy: Multi-hop Proxy	Keydnap uses a copy of tor2web proxy for HTTPS communications.^[2]

References

Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.

Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.