A new strain of Mac malware that spreads via "poisoned" search-engine results has been discovered in China and could spread to other countries.
To make sure you're not infected by this sort of thing, be very careful about what you download and scan every downloaded file with one of the best Mac antivirus programs. You should also get your software from the Mac App Store as often as possible, and be wary of other sources.
- Apple emergency update for iPhones, Macs and Apple Watches — what to do
- The best Mac antivirus software
- Plus: iPhone 13 release date, price, specs and latest news
As detailed by Mac security researcher Patrick Wardle (opens in new tab) in a blog post earlier this week, the malware, which he calls ZuRu, was tweeted out by Chinese reseacher Zhi, aka ChiChou, aka @CodeColorist (opens in new tab). Back in June, Zhi helped puzzle out why certain Wi-Fi network names were disabling iPhones.
This time around, Zhi was publicizing a blog post by a Chinese user (opens in new tab) who had found that queries on the Chinese search engine Baidu for the Mac app iTerm2 returned a clone of the legitimate iTerm2 website. (iTerm2 is a free alternative to the default Mac terminal app.)
Sponsored links in search engine spread fake iTerm2 malware (in Chinese) https://t.co/8yUrE2kog6 pic.twitter.com/WPU8YSURgZSeptember 15, 2021
Mac users who downloaded the installer from the fake iTerm2 site received a working copy of the app, which passed the Gatekeeper check and installed just fine because it was digitally "signed" by an Apple developer and wasn't flagged by any antivirus software as malicious.
The fake app wasn't "notarized" with an extra security badge that Apple grants apps it has verified to be trustworthy. (The real iTerm2 app is notarized.) But even though a Mac will notify a user that an app hasn't been notarized, the user can still choose to install it.
There's a little something extra in the fake iTerm2 app — a "downloader" that itself reaches out to an online server and installs at least two more strains of malware.
Spyware and a possible backdoor
One of the two new pieces of malware is an information-stealer that profiles the Mac it's running on, steals the user's Keychain database (containing passwords and other sensitive data), and packages all the data in a Zip file before sending it back to the same server from which the information-stealer is downloaded.
The other piece of malware masquerades as a Google Update application and is downloaded from a different server. Wardle wasn't able to completely dissect this piece of malware, so he's not quite sure what it does.
But he discovered that the server where it resides has been flagged as hosting a pirated copy of Cobalt Strike, a legitimate penetration-testing tool that criminals have cracked and repurposed for illicit means.
As Wardle noted, it's possible that this mysterious fake Google Update is actually a Cobalt Strike "beacon," a program that creates a hidden backdoor on a system for other Cobalt Strike users to find.
There's a bit of good news. Apple has revoked the developer certificate used to sign the fake iTerm2 installer, the fake iTerm2 site is now offline, Baidu has removed the poisoned results from its search engine and about a dozen of the best Mac antivirus programs now recognize the fake installer as malware.
But it wouldn't take much for the criminals behind this to replicate their methods with another website, another corrupted Mac app and another Mac developer license, which costs just $99.
Update: Microsoft also spoofed by Mac malware
In an analysis of the iTerm2 Mac Trojan (opens in new tab) posted Sept. 30, Trend Micro researchers found that the malware campaign also offers corrupted macOS versions of Microsoft Remote Desktop, the SecureCRT terminal emulator and the Navicat database administration tool.
- Read more: what we know about the Mac Mini 2021