ZuRu – A new variety of Mac Trojan horse malware

A new Mac malware known as ZuRu has been discovered spreading in China via poisoned search engine results. Instead of leading to the authentic iTerm2, a free alternative to the default Mac terminal app, the poisoned link redirects you to a malware site engineered to look almost identical to the original software’s homepage.

iterm2.com is the genuine URL for the legitimate app, and it appeared only as the second result in the Baidu search. The attackers used iterm2[.]net as the URL for the malicious copy.

The malicious app comes with an additional file that loads and runs the malicious libcrypto[.]2[.]dylib dynamic library, which carries out the malicious actions. Because the copy was digitally signed by an Apple developer, it was able to install normally, bypassing macOS’s security checks.
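A defender-side check added here as an example (not code from the article or from any tool it mentions): it walks the load commands of a 64-bit Mach-O image the way `otool -L` does and flags any linked dylib named libcrypto.2.dylib, so a binary inside a downloaded iTerm.app can be inspected before it is run. The sample image, the `@executable_path/...` install name and the `build_sample` helper are constructed assumptions for testing; a fat (universal) binary would first need its slices split out.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
# Load commands that introduce a dylib dependency (values from <mach-o/loader.h>).
DYLIB_LOAD_CMDS = {0x0C: "LC_LOAD_DYLIB",
                   0x18 | LC_REQ_DYLD: "LC_LOAD_WEAK_DYLIB",
                   0x1F | LC_REQ_DYLD: "LC_REEXPORT_DYLIB"}
SUSPICIOUS = {"libcrypto.2.dylib"}  # dylib name used by ZuRu, per the write-up above


def linked_dylibs(data: bytes) -> list[str]:
    """Return the dylib install names referenced by a 64-bit little-endian Mach-O image."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image (fat binaries must be split first)")
    names, off = [], 32  # mach_header_64 is 32 bytes; load commands follow immediately
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command")
        if cmd in DYLIB_LOAD_CMDS:
            name_off = struct.unpack_from("<I", data, off + 8)[0]  # lc_str offset, relative to the command
            raw = data[off + name_off: off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names


def suspicious_dylibs(data: bytes) -> list[str]:
    """Install names whose file name matches a known-bad dylib, regardless of directory."""
    return [n for n in linked_dylibs(data) if n.rsplit("/", 1)[-1] in SUSPICIOUS]


def _dylib_cmd(cmd: int, name: str) -> bytes:
    payload = name.encode() + b"\0"
    size = (24 + len(payload) + 7) & ~7  # dylib_command is 24 bytes; total padded to 8-byte alignment
    return struct.pack("<6I", cmd, size, 24, 0, 0, 0) + payload.ljust(size - 24, b"\0")


def build_sample(names: list[str]) -> bytes:
    """Constructed minimal Mach-O 64 image (header plus LC_LOAD_DYLIB commands only) for testing."""
    cmds = b"".join(_dylib_cmd(0x0C, n) for n in names)
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(names), len(cmds), 0, 0) + cmds


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:  # e.g. iTerm.app/Contents/MacOS/iTerm2
        print(suspicious_dylibs(f.read()))
```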

Using this Trojan, an attacker can access the following:

  • macOS Keychain database
  • bash and zsh Terminal command history
  • iTerm2 saved state
  • ssh keys and known hosts
  • the system’s /etc/hosts file

Although Apple and Baidu have removed the poisoned search results from their platforms, users should remain vigilant about such threats in the future.