OSX.Keydnap installs via a new twist on an old theme. The dropper (the program that installs the malware) comes in the form of a harmless document. It will download and open a decoy document of some kind, designed to match what the malware is pretending to be. It can receive a variety of instructions, much like any backdoor, with one interesting exception: it will attempt to capture passwords from the keychain, using the proof-of-concept Keychaindump.”]
Source: https://blog.malwarebytes.com/cybercrime/2016/07/mac-malware-osx-keydnap-steals-keychain/