Recently, a malicious campaign was observed spreading ZuRu malware in China via poisoned search engine results on the Baidu platform. The attackers used a clone of the genuine iTerm2 website that was being promoted when the word ‘iTerm2’ was searched on the search engine. Now, additional information regarding the malware has been published by Trend Micro.

Detailing the fake iTerm2 app

The site (iterm2[.]net), which was used to spread the malware, was active till September 15. Moreover, the malicious file was not hosted directly and instead contained a link that downloaded the iTerm[.]dmg file.
  • The genuine iTerm website has different URLs for different versions. However, the malicious campaign would redirect users to the same URL iTerm[.]dmg even if the user decided to download a different version. 
  • The fraudulent website downloaded a macOS disk image file (DMG) on the victim’s system that contained a malicious file. It would execute automatically whenever the victim runs the trojanized iTerm2 app.
  •  Furthermore, the malicious app contained several Mach-O files that were signed with an Apple Distribution certificate. The files in the valid iTerm2[.]app are signed with a Developer ID Application certificate.

More fake apps and sites found

  • Further analysis of the fake iTerm2 app’s Apple Distribution certificate led to the discovery of more trojanized apps on VirusTotal.
  • A scan for the SSL thumbprints used by iterm2[.]net on VirusTotal disclosed several fraudulent websites. All these sites were resolving at the same IP Address 43[.]129[.]218[.]115.


Cybercriminals often try to take advantage of popular software that is in high demand and used by a large number of people. They try to lure victims by offering fake copies of it for free. Users must understand the risk of downloading fake apps from third-party marketplaces or P2P networks. Moreover, always stay vigilant while downloading software online from untrusted sites.

Cyware Publisher