New Mac malware spreads via search results — what you need to know


A new strain of Mac malware that spreads via "poisoned" search-engine results has been discovered in China and could spread to other countries.

To make sure you're not infected by this sort of thing, be very careful about what you download and scan every downloaded file with one of the best Mac antivirus programs. You should also get your software from the Mac App Store as often as possible, and be wary of other sources.

As detailed by Mac security researcher Patrick Wardle in a blog post earlier this week, the malware, which he calls ZuRu, was tweeted out by Chinese researcher Zhi, aka ChiChou, aka @CodeColorist. Back in June, Zhi helped puzzle out why certain Wi-Fi network names were disabling iPhones.

This time around, Zhi was publicizing a blog post by a Chinese user who had found that queries on the Chinese search engine Baidu for the Mac app iTerm2 returned a clone of the legitimate iTerm2 website. (iTerm2 is a free alternative to the default Mac terminal app.)

Mac users who downloaded the installer from the fake iTerm2 site received a working copy of the app, which passed the Gatekeeper check and installed just fine because it was digitally "signed" by an Apple developer and wasn't flagged by any antivirus software as malicious. 

The fake app wasn't "notarized," the extra security check that Apple performs before it marks a developer's app as trustworthy. (The real iTerm2 app is notarized.) A Mac will warn the user that an app hasn't been notarized, but the user can still choose to install it.
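As an added example (not code from the article or from Wardle's post), a small POSIX shell helper that turns the verdict printed by Gatekeeper's `spctl -a -vv` into the distinction the article draws between an app that is merely signed and one that is notarized. The sample outputs are constructed for this example and the team identifier in them is a placeholder.

```shell
#!/bin/sh
# Classify a Gatekeeper verdict from the text that `spctl -a -vv <app>` prints.
# Real output has the shape shown below; these sample texts are constructed
# for this example (placeholder team ID), not captured from the ZuRu installer.
SAMPLE_NOTARIZED="/Applications/iTerm.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)"

SAMPLE_UNNOTARIZED="/Volumes/Installer/iTerm.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)"

SAMPLE_UNSIGNED="/tmp/Downloads/Foo.app: rejected
source=no usable signature"

# classify_spctl TEXT -> app-store | notarized | signed-not-notarized | unsigned-or-rejected
# A Developer ID signature alone is the case the article describes: it passes
# the basic identity check but nobody at Apple has scanned the binary.
classify_spctl() {
  case "$1" in
    *"source=Mac App Store"*)                echo "app-store" ;;
    *"source=Notarized Developer ID"*)       echo "notarized" ;;
    *"source=Unnotarized Developer ID"*|*"source=Developer ID"*)
                                             echo "signed-not-notarized" ;;
    *)                                       echo "unsigned-or-rejected" ;;
  esac
}

# install_ok VERDICT -> success only for the two outcomes Apple has vetted
install_ok() {
  case "$1" in
    app-store|notarized) return 0 ;;
    *)                   return 1 ;;
  esac
}

# assess_app PATH: run the real Gatekeeper check (macOS only) and apply the policy
assess_app() {
  verdict=$(classify_spctl "$(spctl -a -vv "$1" 2>&1)")
  echo "$1: $verdict"
  install_ok "$verdict"
}
```

On a Mac, `assess_app /path/to/Downloaded.app` prints the classification and exits non-zero for anything that is not notarized or from the App Store.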

There's a little something extra in the fake iTerm2 app — a "downloader" that itself reaches out to an online server and installs at least two more strains of malware. 

Spyware and a possible backdoor

One of the two new pieces of malware is an information-stealer that profiles the Mac it's running on, steals the user's Keychain database (containing passwords and other sensitive data), and packages all the data in a Zip file before sending it back to the same server from which the information-stealer was downloaded.

The other piece of malware masquerades as a Google Update application and is downloaded from a different server. Wardle wasn't able to completely dissect this piece of malware, so he's not quite sure what it does. 

But he discovered that the server where it resides has been flagged as hosting a pirated copy of Cobalt Strike, a legitimate penetration-testing tool that criminals have cracked and repurposed for illicit means. 

As Wardle noted, it's possible that this mysterious fake Google Update is actually a Cobalt Strike "beacon," the implant that opens a hidden backdoor on a system so the Cobalt Strike operator can control it remotely.

There's a bit of good news. Apple has revoked the developer certificate used to sign the fake iTerm2 installer, the fake iTerm2 site is now offline, Baidu has removed the poisoned results from its search engine and about a dozen of the best Mac antivirus programs now recognize the fake installer as malware.

But it wouldn't take much for the criminals behind this to replicate their methods with another website, another corrupted Mac app and another Mac developer license, which costs just $99. 

Update: Microsoft also spoofed by Mac malware

In an analysis of the iTerm2 Mac Trojan posted Sept. 30, Trend Micro researchers found that the malware campaign also offers corrupted macOS versions of Microsoft Remote Desktop, the SecureCRT terminal emulator and the Navicat database administration tool.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.