A larger malware campaign appears to be targeting Mac developers: common tools such as the terminal emulators iTerm2 and SecureCRT, Navicat 15, SnailSVN and the macOS version of Microsoft’s Remote Desktop client are reported to be circulating as replicated versions with “poisoned installers” and as “infected disk images”, security researchers warn.
The target at the moment is apparently primarily Chinese developers: A fake version of the macOS terminal emulator iTerm2 was temporarily delivered as the first hit on the search engine Baidu in the form of a sponsored link. The URL apparently led to a replica of the original website, which in turn offered the manipulated version of iTerm for download.
The clone is largely “benign” and shows a “legitimate iTerm shell” to lull users into a false sense of security, explains security researcher Patrick Wardle, who analyzed the app and provides a sample of the malware, dubbed “OSX.ZuRu”, for testing. At the time of his analysis, anti-virus engines did not yet detect the sample.
Malware extracts important files
The malware hidden in the app contacts several servers and downloads additional software. According to the analysis, it attempts, among other things, to survey the infected Mac comprehensively with the help of a Python script. To this end, as much data as possible is collected and exfiltrated, including the user’s keychain with all the credentials stored in it, the bash history, the hosts file and more, writes Wardle.
The search engine Baidu has since removed the sponsored links. Apple has also withdrawn the developer certificate with which the fake version of iTerm2 was signed. Wardle notes that the malware was not notarized. It remains unclear whether the other fake Mac tools mentioned were also signed. Security researcher Zhi notes that it is a massive supply chain attack on macOS users.
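The two facts above (a revoked Developer ID certificate and no notarization) are exactly what Gatekeeper’s assessment surfaces before an app is first launched. The following shell script is an added example, not code from the article or from Wardle’s analysis: it wraps macOS’s `spctl` in a function and parses its verdict, so a downloaded bundle that is rejected or merely signed without a notary ticket can be refused. It assumes the download is an app bundle path and that the `accepted`/`rejected` and `source=Notarized Developer ID` lines match what `spctl -a -vv` prints; the parser runs on that text, so it can be exercised offline with constructed output.

```shell
#!/bin/sh
# Added defender check (not from the article): classify a downloaded app
# bundle's Gatekeeper assessment so a copy like the fake iTerm2 (signed with
# a since-revoked Developer ID, never notarized) is refused before launch.

# classify_spctl_output: read `spctl --assess -vv` output on stdin and print
# one verdict word:
#   notarized   - accepted and the source line names a notarized Developer ID
#   signed-only - accepted, but no notary ticket (older systems may allow this)
#   rejected    - Gatekeeper rejected it (revoked cert, unsigned, tampered)
classify_spctl_output() {
  out=$(cat)
  case "$out" in
    *": accepted"*"source=Notarized Developer ID"*) echo notarized ;;
    *": accepted"*) echo signed-only ;;
    *) echo rejected ;;
  esac
}

# assess_app: run Gatekeeper on a bundle path and print the verdict.
# Needs macOS; returns 2 if spctl is not available on this system.
assess_app() {
  app="$1"
  command -v spctl >/dev/null 2>&1 || { echo "spctl not available" >&2; return 2; }
  # spctl writes the verdict and the source= line to stderr, hence 2>&1
  spctl --assess --type execute -vv "$app" 2>&1 | classify_spctl_output
}

# Usage on a Mac: refuse anything that is not fully notarized.
#   [ "$(assess_app ~/Downloads/iTerm.app)" = notarized ] || echo "do not run"
```

Constructed sample output for a signed-only or rejected bundle is enough to see the classifier in action; on a real Mac the `assess_app` wrapper feeds it live `spctl` output.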