In China, a new Mac virus called ZuRu has been discovered. Victims are infected through malicious Baidu search engine results: the attackers distribute the malware as a trojanized copy of iTerm2, a free alternative to the default Mac Terminal app.
On September 14, a security researcher found ZuRu for the first time. On the same day, another security researcher spotted it and documented it on a Chinese blog. Here are the key points about this malware:
- When searching for iTerm2 on Baidu, a cloned version of the original iTerm2 website appears.
- Users who download the counterfeit installer from the cloned website receive a fully functional but trojanized copy of the app.
- Because it is signed with an Apple developer certificate, this malicious copy passes Gatekeeper and installs as usual.
- However, the fake app has not been notarized by Apple, so it lacks the additional notarization that Apple grants to applications it has scanned.
Along with the malicious iTerm2 application, one more component was discovered – a downloader that attempts to connect to a remote server before installing two more pieces of malware.
The malicious application appears to be a legitimate build of iTerm2 bundled with an extra file that loads and runs the malicious libcrypto[.]2[.]dylib dynamic library, which carries out the harmful operations.
- The primary objective is to connect to 18.104.22.168, download a Python file named g[.]py and a Mach-O binary named GoogleUpdate to the /tmp folder, and then run both files.
- The GoogleUpdate binary is heavily encrypted and connects to a Cobalt Strike server (47.75.96[.]198:443); the beacon gives the attacker full backdoor access.
- Furthermore, researchers found other trojanized applications carrying the same libcrypto[.]2[.]dylib file: Microsoft Remote Desktop, SecureCRT, and Navicat Premium.
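As an added triage example (not from the original article or from the researchers it cites), the following Python parses the output of two standard macOS tools, `spctl --assess -vv` and `otool -L`, to flag the two signals described above: an app that is Developer ID signed but not notarized, and a main binary that loads a libcrypto.N.dylib shipped inside the bundle rather than from a system path. The tool outputs embedded below are constructed samples, not captures from ZuRu, and the combined verdict is a heuristic, since legitimate apps may bundle OpenSSL too.

```python
"""Triage helper for the trojanized-app pattern: signed-but-not-notarized
bundle plus an extra libcrypto dylib loaded from inside the bundle."""
import re

# Constructed sample outputs of `spctl -a -t exec -vv <app>` for a
# Developer-ID-signed but non-notarized app, and for a notarized one.
SPCTL_UNNOTARIZED = """/Applications/iTerm.app: accepted
source=Developer ID
origin=Developer ID Application: Example Dev (ABCDE12345)"""
SPCTL_NOTARIZED = """/Applications/iTerm.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Dev (ABCDE12345)"""

# Constructed sample output of `otool -L <main binary>` showing an
# extra libcrypto.2.dylib pulled in via @rpath (i.e. from the bundle).
OTOOL_TROJANIZED = """/Applications/iTerm.app/Contents/MacOS/iTerm2:
\t@rpath/libcrypto.2.dylib (compatibility version 2.0.0, current version 2.0.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.100.5)"""


def notarization_status(spctl_output: str) -> str:
    """Return 'notarized', 'signed_only' or 'rejected' from spctl -vv text."""
    if ": rejected" in spctl_output:
        return "rejected"
    m = re.search(r"^source=(.+)$", spctl_output, re.M)
    source = m.group(1).strip() if m else ""
    return "notarized" if source.startswith("Notarized") else "signed_only"


def bundled_libcrypto(otool_output: str) -> list:
    """Load commands for libcrypto.N.dylib resolved relative to the bundle
    (@rpath, @executable_path, @loader_path) instead of a system path."""
    hits = []
    for line in otool_output.splitlines()[1:]:  # skip the "<binary>:" header
        path = line.strip().split(" (")[0]
        if path.startswith("@") and re.search(r"libcrypto\.\d+\.dylib$", path):
            hits.append(path)
    return hits


def triage(spctl_output: str, otool_output: str) -> dict:
    """Combine both signals; flag only when the app is not notarized AND
    its main binary loads a bundled libcrypto dylib."""
    status = notarization_status(spctl_output)
    libs = bundled_libcrypto(otool_output)
    return {"notarization": status, "bundled_libcrypto": libs,
            "suspicious": status != "notarized" and bool(libs)}


if __name__ == "__main__":
    print(triage(SPCTL_UNNOTARIZED, OTOOL_TROJANIZED))
```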
Both Apple and Baidu have taken steps to remove the malicious search results from their platforms. Although attackers will have little difficulty repeating this technique in new campaigns, users and security professionals should remain wary of such threats.