A Chinese cybersecurity researcher has discovered a new strain of macOS malware that spreads via “poisoned” search-engine results. The malware, dubbed ‘OSX.ZuRu’, poses as the legitimate macOS tool iTerm2. Currently the attackers are only targeting the Chinese Baidu search engine, but it would not be surprising if they attempt to expand their operation in the near future.
Attackers are distributing the iTerm2 malware through sites that mimic the official iTerm2 website. Mac users who try to install iTerm2 from the fake site are redirected to a third-party hosting service, which serves the file iTerm.dmg. Up to this point everything on the user’s screen looks normal; the only visible red flag is the slightly different domain name, which most people would not notice.
Once a user downloads and installs the suspicious iTerm.dmg, they end up with a working copy of the app. It passed the Gatekeeper check and installed without complaint because it was digitally “signed” by an Apple developer, and no antivirus software flagged it as malicious.
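The lesson of that paragraph is that “signed by an Apple developer” is not the same as “signed by the developer you expect”. The script below is an added defensive check, not code from the article or from the iTerm2 project: it reads the Team ID out of `codesign -dv --verbose=4` output and compares it with a value you recorded from the official distribution (the `EXPECTED_TEAM_ID` placeholder and the `check_app`/`verify_team_id` helper names are this example’s own).

```shell
#!/bin/sh
# Added example (not from the article): check that an installed iTerm.app is
# signed by the Team ID you expect, not merely by "some Apple developer".
# EXPECTED_TEAM_ID is a placeholder; take the real value from the official
# iTerm2 download and store it somewhere you trust.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-REPLACE_WITH_OFFICIAL_TEAM_ID}"

# extract_team_id: read `codesign -dv --verbose=4` output on stdin and print the
# TeamIdentifier value. codesign prints "TeamIdentifier=not set" for ad-hoc
# signatures, which must be treated as a failure, not a match.
extract_team_id() {
  sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# verify_team_id OBSERVED EXPECTED: returns 0 only when the observed Team ID is
# present, is not "not set", and equals the expected one.
verify_team_id() {
  observed="$1"; expected="$2"
  [ -n "$observed" ] || return 1
  [ "$observed" != "not set" ] || return 1
  [ "$observed" = "$expected" ]
}

# check_app PATH: run the real check on a bundle (macOS only). On a match it also
# asks Gatekeeper directly via spctl, so both verdicts are visible side by side.
check_app() {
  app="$1"
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not found; run this on macOS" >&2; return 2
  fi
  observed=$(codesign -dv --verbose=4 "$app" 2>&1 | extract_team_id)
  if verify_team_id "$observed" "$EXPECTED_TEAM_ID"; then
    echo "OK: $app is signed by expected Team ID $observed"
    spctl --assess --type execute --verbose "$app"
  else
    echo "WARNING: $app Team ID is '${observed:-missing}', expected $EXPECTED_TEAM_ID" >&2
    return 1
  fi
}

# Usage: EXPECTED_TEAM_ID=... ./check_iterm.sh /Applications/iTerm.app
if [ "$#" -gt 0 ]; then
  check_app "$1"
fi
```

A mismatch does not prove the bundle is malicious, but it does mean the app was not built by whoever signs the official release, which is exactly the situation the fake-site iTerm.dmg creates.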
The main purpose of the malware is to connect to a remote web application and send data about the victim; the primary piece of information it sends is the device’s serial number. It then tries to establish a second connection, to a malicious web server. The latter is the dangerous part: it can deliver a long list of payloads, and these hidden downloads often bear the names of legitimate apps and services, e.g. Google Update.
One of the payloads appears to be a script that exfiltrates data from the infected system: the keychain, the hosts file, bash history, folder names, etc. The other appears to be a copy of the Cobalt Strike Beacon, the agent of a commercial penetration-testing framework that attackers sometimes use for post-exploitation.
How to eliminate malware infections?
Security experts always recommend downloading apps only from official and verified sources. Software should be activated and updated only through the mechanisms provided by its legitimate developers. Suspicious emails should not be opened, especially any attachments or links they contain.
It is paramount to have a reliable antivirus installed and kept up to date, and to use it for regular system scans to mitigate threats. If you suspect your device is already infected with malware, run a scan with Combo Cleaner Antivirus for macOS to eliminate it automatically.