A new type of Mac malware that spreads via "poisoned" search engine results has been discovered in China and may spread to other countries.
To avoid becoming infected with this kind of thing, be very careful about what files you download and scan all downloaded files with a reputable Mac antivirus program. Also, obtain software from the Mac App Store whenever possible, and be wary of other sources.
As Mac security researcher Patrick Wardle detailed in a blog post earlier this week, the malware, which he calls ZuRu, was first reported in a tweet by Chinese researcher Zhi, aka ChiChou, aka @CodeColorist. In June, Zhi tweeted that a particular Wi-Fi network name could disable iPhones.
This time Zhi published a blog post by a Chinese user who discovered that a search for the Mac app iTerm2 on the Chinese search engine Baidu returned a clone of the legitimate iTerm2 website. (iTerm2 is a free alternative to the Mac's default Terminal app.)
Mac users who downloaded the installer from the fake iTerm2 site received a copy of the app that installed without issue: the installer was digitally signed with an Apple developer certificate, so it passed Gatekeeper's checks, and no antivirus software flagged it as malicious.
The fake app was not "notarized," a security badge that Apple grants to apps it has verified as trustworthy. (The real iTerm2 app is notarized.) However, even though macOS notified users that the app was not notarized, users could still install it.
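The two checks described above, Gatekeeper's notarization verdict and the signing identity, can be scripted so that a downloaded app is refused unless it passes both. The following is an added example, not code from the article or from Wardle's research. It assumes the wording that macOS's `spctl -a -vv` prints ("accepted"/"rejected", a `source=` line and an `origin=` line); the sample output lines in the comments and the vendor identity passed to `origin_matches` are constructed placeholders, not iTerm2's real signing identity.

```shell
# Added example: classify a macOS app bundle by Gatekeeper's assessment and
# refuse anything that is not both notarized and signed by the expected vendor.
# The spctl output format is assumed from macOS; sample lines are constructed.

# classify_spctl_output: read "spctl -a -t exec -vv <app>" output on stdin and
# print one word:
#   notarized   -> e.g. "/Applications/X.app: accepted" / "source=Notarized Developer ID"
#   unnotarized -> a valid Developer ID signature with no notarization ticket,
#                  which is what the fake iTerm2 installer carried
#   rejected    -> anything else (unsigned, altered bundle, revoked certificate)
classify_spctl_output() {
    out=$(cat)
    case "$out" in
        *"source=Notarized Developer ID"*) echo notarized ;;
        *"source=Unnotarized Developer ID"*|*"source=Developer ID"*) echo unnotarized ;;
        *) echo rejected ;;
    esac
}

# origin_matches EXPECTED: the fake installer had a perfectly valid signature,
# so a valid signature alone proves nothing. Compare the "origin=" identity that
# spctl reports with the identity the vendor publishes for its releases.
origin_matches() {
    expected="$1"
    out=$(cat)
    case "$out" in
        *"origin=$expected"*) return 0 ;;
        *) return 1 ;;
    esac
}

# assess_app APP EXPECTED_ORIGIN: run both checks on a real bundle. Returns 0 only
# when the app is notarized AND signed by the expected identity; 2 if spctl is
# unavailable (not macOS).
assess_app() {
    app="$1"
    expected="$2"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; run this on macOS" >&2
        return 2
    fi
    out=$(spctl -a -t exec -vv "$app" 2>&1)
    verdict=$(printf '%s\n' "$out" | classify_spctl_output)
    echo "$app: $verdict"
    [ "$verdict" = notarized ] || return 1
    if ! printf '%s\n' "$out" | origin_matches "$expected"; then
        echo "$app: signed by an unexpected identity" >&2
        return 1
    fi
}

# Usage (placeholder identity; take the real one from the vendor's own site):
#   assess_app /Applications/iTerm.app 'Developer ID Application: Example Vendor (ABCDE12345)'
```

Refusing on "unnotarized" rather than just warning is the point: Gatekeeper let users click through the warning for the fake iTerm2, and the origin comparison closes the gap left by the attackers' legitimately purchased developer certificate.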
The fake iTerm2 app has a little something extra: a "downloader" that itself connects to an online server and installs at least two pieces of malware.
One of the two pieces of malware is an information stealer, which profiles the running Mac, steals the user's Keychain database (including passwords and other sensitive data), packages all the data into a Zip file, and sends it back to the same server from which the stealer was downloaded.
Another piece of malware poses as the Google Update application and is downloaded from a different server; Wardle was unable to fully disassemble this malware, so he is not sure what it does.
However, he did discover that the server where this malware resides is flagged as hosting a pirated version of Cobalt Strike, a legitimate penetration-testing tool that criminals crack and reuse for illicit purposes.
As Wardle pointed out, this mysterious fake Google update may actually be a "beacon" for Cobalt Strike.
Some slightly better news: Apple has revoked the developer certificate used to sign the fake iTerm2 installer, the fake iTerm2 site is now offline, Baidu has removed the poisoned results from its search engine, and about a dozen Mac antivirus programs now recognize the fake installer as malware.
But it won't take long for the criminals behind this to replicate their methods using another website, another corrupted Mac app, and a Mac developer license for just $99.
In an analysis of the iTerm2 Mac Trojan posted on September 30, Trend Micro researchers found that the same campaign also offered trojanized macOS versions of Microsoft Remote Desktop, the SecureCRT terminal emulator, and the Navicat database management tool.