A new Mac malware, named ZuRu, has been detected spreading via poisoned search engine results in China via Baidu. The criminals masquerade as iTerm2, which is an alternative to the free default Mac terminal app.
What's the threat?
ZuRu was first discovered by a security researcher on September 14. It was also discovered by another security researcher on Twitter the same day and detailed in a Chinese blog.
The search queries on Baidu for iTerm2 resulted in a cloned website of the genuine iTerm2 website.
Users who downloaded the fake installer from the iTerm2 site received a working but a fake copy of the app.
This malicious copy could bypass Gatekeeper and be installed normally because it was digitally signed by an Apple developer.
The fake app wasn't flagged with an extra security badge that Apple usually provides to the notarized apps.
Another add-on was found along with the fake iTerm2 app. This is a downloader that tries to connect to an online server and then install around two extra malware.
The malicious app seems to be a valid copy of iTerm2 that adds a file that loads and runs the malicious libcrypto[.]2[.]dylib dynamic library to perform malicious tasks.
The main task is to connect to 47[.]75[.]123[.]111 to download a Python file named g[.]py and a Mach-O binary named GoogleUpdate at the /tmp folder location, then execute both files.
The GoogleUpdate binary is heavily obfuscated and communicates with a Cobalt Strike server (47.75.96[.]198:443), a beacon that would allow full backdoor access to the attacker.
Moreover, the additional apps that were found to be trojanized using the same libcrypto[.]2[.]dylib file. These apps were SecureCRT, Navicat Premium, and Microsoft Remote Desktop.
Apple and Baidu have taken corrective actions to remove the malicious results from the search engine. Although it won’t take much time for attackers to replicate these steps in new campaigns. Users and security professionals should stay cautious regarding such threats.