A new Mac malware dubbed ZuRu, has been detected spreading via poisoned search engine results in China via Baidu. The criminals masquerade as iTerm2, which is an alternative to the free default Mac terminal app.

ZuRu search for queries on Baidu for iTerm2 resulted in a cloned website of the genuine iTerm2 website. Users who downloaded the fake installer from the iTerm2 site received a working but a fake app. This malicious copy could bypass Gatekeeper and be installed normally because it was digitally signed by an Apple developer. The fake app wasn’t flagged with an extra security badge that Apple usually provides to the notarized apps.

Another add-on was found along with the fake iTerm2 app. This is a downloader that tries to connect to an online server and then install around two extra malware.

The malicious app seems to be a valid copy of iTerm2 that adds a file that loads and runs the malicious libcrypto[.]2[.]dylib dynamic library to perform malicious tasks.
The task is to connect to 47[.]75[.]123[.]111 to download a Python file named g[.]py and a Mach-O binary named GoogleUpdate at the /tmp folder location, then execute both files.

The GoogleUpdate binary is obfuscated and communicates with a Cobalt Strike server (47.75.96.198:443), a beacon that would allow full backdoor access to the attacker. The additional apps that were found to be trojanized using libcrypto[.]2[.]dylib file. These apps were SecureCRT, Navicat Premium, and Microsoft Remote Desktop.

Apple and Baidu have taken corrective actions to remove the malicious results from the search engine. Although it won’t take much time for attackers to replicate these steps in new campaigns. Users should stay caution regarding such threats.