{"id":94539,"date":"2021-09-24T11:31:16","date_gmt":"2021-09-24T18:31:16","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=94539"},"modified":"2021-10-05T08:05:07","modified_gmt":"2021-10-05T15:05:07","slug":"osx-zuru-mac-malware-spread-through-trojan-apps","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/osx-zuru-mac-malware-spread-through-trojan-apps\/","title":{"rendered":"OSX\/ZuRu Mac malware spread through Trojan apps"},"content":{"rendered":"

\"OSX\/ZuRu<\/p>\n

A new variety of Mac Trojan horse malware has been caught in the wild. And, surprisingly, the latest Trojan horses don’t claim to be Adobe Flash Player installers this time.<\/p>\n

Seekers of several macOS applications\u2014notably including iTerm2, a third-party Terminal app for Mac\u2014may have unintentionally downloaded an OSX\/ZuRu<\/strong> Trojan horse.<\/p>\n

Let’s examine this recent malware, how it spread, and how to eliminate an infection.<\/p>\n

How was OSX\/ZuRu discovered?<\/h3>\n

Pan Xiaopan discovered the first in-the-wild sample of OSX\/ZuRu while searching for the Mac app iTerm2 on the Chinese search engine Baidu.<\/p>\n

\"Baidu

Baidu poisoned search results for iTerm2 led to OSX\/ZuRu malware. (Screenshot: Pan Xiaopan<\/a>)<\/p><\/div>\n

Rather than the top result being the legitimate iTerm2, the first link actually led to a malware site designed to look virtually indistinguishable from the legitimate software’s homepage. This technique of introducing malicious results into search queries is known as search engine poisoning<\/strong>.<\/p>\n

Attempting to download iTerm2 from the lookalike site would instead download a disk image infected with an OSX\/ZuRu Trojan horse.<\/p>\n

The real iTerm2 site is hosted at iterm2.com, which appeared as the second result in the Baidu search. The malicious site that linked to the Trojan disk image used a very similar domain: iterm2[.]net<\/code>.<\/p>\n

Baidu has reportedly removed the fraudulent link from its search results.<\/p>\n

Researchers later found several other disk images infected with OSX\/ZuRu, disguised as other Mac software including Microsoft Remote Desktop, Navicat,<\/span>\u00a0<\/span>SecureCRT,<\/span>\u00a0<\/span>and also reportedly SnailSVN.<\/span><\/p>\n

What does OSX\/ZuRu do to an infected Mac?<\/h3>\n

If a user is tricked into running the Trojan horse, OSX\/ZuRu downloads and runs a Python script that collects various information from an infected Mac, including but not limited to:<\/p>\n

    \n
  • the user’s macOS Keychain database<\/span><\/li>\n
  • the user’s bash and zsh Terminal command history<\/li>\n
  • the user’s iTerm2 saved state<\/li>\n
  • the user’s ssh keys and known hosts<\/li>\n
  • the system’s \/etc\/hosts file<\/li>\n<\/ul>\n

    Many of these files could contain highly sensitive information such as passwords and private keys.<\/p>\n

    The malware then attempts to exfiltrate a zip archive of this data to the server from which the Python script was downloaded.<\/p>\n

    An outbound firewall, such as Intego NetBarrier X9<\/a>, can block malware from exfiltrating data from your Mac.<\/p>\n

    How can one remove or prevent OSX\/ZuRu and other threats?<\/h3>\n

    Given that Apple’s threat mitigation features such as notarization, Gatekeeper, XProtect, and MRT do not block many types of threats, it is evident that Apple\u2019s own macOS protection methods are insufficient by themselves.<\/p>\n

    Related: Do Macs need antivirus software?<\/a><\/em><\/p>\n

    Do Macs need antivirus software?<\/a><\/p><\/blockquote>\n