New Mac malware spreads via search results — what you need to know


A new strain of Mac malware that spreads via "poisoned" search-engine results has been discovered in China and could spread to other countries.

To make sure you're not infected by this sort of thing, be very careful about what you download and scan every downloaded file with one of the best Mac antivirus programs. You should also get your software from the Mac App Store as often as possible, and be wary of other sources.

As detailed by Mac security researcher Patrick Wardle in a blog post earlier this week, the malware, which he calls ZuRu, was tweeted out by Chinese researcher Zhi, aka ChiChou, aka @CodeColorist. Back in June, Zhi helped puzzle out why certain Wi-Fi network names were disabling iPhones.

This time around, Zhi was publicizing a blog post by a Chinese user who had found that queries on the Chinese search engine Baidu for the Mac app iTerm2 returned a clone of the legitimate iTerm2 website. (iTerm2 is a free alternative to the default Mac terminal app.)

Mac users who downloaded the installer from the fake iTerm2 site received a working copy of the app, which passed the Gatekeeper check and installed just fine because it was digitally "signed" by an Apple developer and wasn't flagged by any antivirus software as malicious. 

The fake app wasn't "notarized" with an extra security badge that Apple grants apps it has verified to be trustworthy. (The real iTerm2 app is notarized.) But even though a Mac will notify a user that an app hasn't been notarized, the user can still choose to install it.
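As an added example (not from the article or from Wardle's write-up), a small shell helper that classifies Gatekeeper's verdict so that a signed-but-unnotarized bundle like the fake iTerm2 installer stands out from the notarized original. It assumes the output format of macOS's `spctl -a -vv -t exec`; the sample verdicts embedded below are constructed, and the app path and team ID are placeholders.

```shell
#!/bin/sh
# Classify Gatekeeper's assessment of an app bundle.
# Input : the text printed by `spctl -a -vv -t exec <App.app>` (macOS).
# Output: one word -- notarized, signed-only, rejected, or unknown.
classify_gatekeeper() {
  _out="$1"
  case "$_out" in
    # Signed with a Developer ID and notarized by Apple: the expected state.
    *accepted*"source=Notarized Developer ID"*) echo "notarized" ;;
    # Valid Developer ID signature but no notarization ticket: the ZuRu case.
    # Older macOS accepts these; newer macOS rejects them with "Unnotarized".
    *"source=Unnotarized Developer ID"*|*accepted*"source=Developer ID"*) echo "signed-only" ;;
    # Anything else Gatekeeper refuses (unsigned, revoked, tampered).
    *rejected*) echo "rejected" ;;
    *) echo "unknown" ;;
  esac
}

# Run the assessment on a real bundle (macOS only) and classify the verdict.
# Example: check_app /Applications/Example.app
check_app() {
  _result="$(spctl -a -vv -t exec "$1" 2>&1)"
  classify_gatekeeper "$_result"
}

# Constructed sample verdicts (format follows spctl's; values are illustrative).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: EXAMPLE CORP (TEAMID0000)'
SAMPLE_SIGNED_ONLY='/Applications/Example.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: EXAMPLE CORP (TEAMID0000)'
SAMPLE_UNSIGNED='/Applications/Example.app: rejected
source=no usable signature'
```

A "signed-only" result is exactly the state the article describes: Gatekeeper's signature check passes, but the notarization badge is missing, so the install should be questioned rather than clicked through.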

There's a little something extra in the fake iTerm2 app — a "downloader" that itself reaches out to an online server and installs at least two more strains of malware. 

Spyware and a possible backdoor

One of the two new pieces of malware is an information-stealer that profiles the Mac it's running on, steals the user's Keychain database (containing passwords and other sensitive data), and packages all the data in a Zip file before sending it back to the same server from which the information-stealer is downloaded.

The other piece of malware masquerades as a Google Update application and is downloaded from a different server. Wardle wasn't able to completely dissect this piece of malware, so he's not quite sure what it does. 

But he discovered that the server where it resides has been flagged as hosting a pirated copy of Cobalt Strike, a legitimate penetration-testing tool that criminals have cracked and repurposed for illicit means. 

As Wardle noted, it's possible that this mysterious fake Google Update is actually a Cobalt Strike "beacon," a program that creates a hidden backdoor on a system for other Cobalt Strike users to find.

There's a bit of good news. Apple has revoked the developer certificate used to sign the fake iTerm2 installer, the fake iTerm2 site is now offline, Baidu has removed the poisoned results from its search engine and about a dozen of the best Mac antivirus programs now recognize the fake installer as malware.

But it wouldn't take much for the criminals behind this to replicate their methods with another website, another corrupted Mac app and another Mac developer license, which costs just $99. 

Update: Microsoft also spoofed by Mac malware

In an analysis of the iTerm2 Mac Trojan posted Sept. 30, Trend Micro researchers found that the malware campaign also offers corrupted macOS versions of Microsoft Remote Desktop, the SecureCRT terminal emulator and the Navicat database administration tool.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
