New Mac Malware Tricks Users By Posing as Legitimate macOS Tool


A Chinese cybersecurity researcher has discovered a new strain of malware that spreads via "poisoned" search-engine results. The malware, dubbed 'OSX.ZuRu', poses as the legitimate macOS terminal emulator iTerm2. Currently the attackers are only targeting the Chinese Baidu search engine, but it would not be a surprise if they attempt to expand their operation in the near future.

The attackers distribute the malware through sites that mimic the original iTerm2 website. Mac users who attempt to install iTerm2 from the fake website are directed to a third-party hosting service, which serves the file iTerm.dmg. So far, everything on the user's screen seems normal; the only noticeable red flag is the slightly different domain name, and most people would not notice it.

Once a user opens and installs the suspicious iTerm.dmg, they end up with a working copy of the app. It passed the Gatekeeper check and installed without complaint because it was digitally signed with an Apple developer certificate, and no antivirus software flagged it as malicious.

The main purpose of this malware is to establish a connection with a remote web application and send some data about the victim; the primary piece of information it sends is the serial number of the device. After this, it tries to establish a second connection to a malicious web server. The latter is the dangerous part: it can deliver a long list of payloads. These hidden downloads often bear the names of legitimate apps and services, e.g., Google Update. One of the payloads appears to be a script that exfiltrates certain data from the infected system – keychain, hosts file, bash histo ..
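The distribution trick described above rests on a domain that is only "slightly different" from the genuine iterm2.com. The following is an added example, not code from the article or from any researcher cited in it, that scans DNS query logs for hosts that are near-misses of a small list of legitimate download sites. It flags both edit-distance lookalikes (one or two characters off) and hosts that reuse the brand label under someone else's registrable domain. The log lines, the client addresses and every lookalike domain in it are constructed for illustration; only iterm2.com is a real project domain. The "last two labels" registrable-domain rule is a deliberate simplification, assumed here because no public-suffix list is available offline.

```python
"""Flag DNS queries for domains that impersonate known software download sites.

Added example for the article above; all sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Legitimate download sites to guard. Assumption: a list the defender maintains;
# iterm2.com is the genuine iTerm2 project domain.
KNOWN_GOOD = {"iterm2.com"}

# Constructed dnsmasq-style query log used as sample input (not real traffic).
SAMPLE_LOG = """\
Sep 14 10:02:11 gw dnsmasq[812]: query[A] iterm2.com from 10.0.0.5
Sep 14 10:02:12 gw dnsmasq[812]: query[A] www.iterm2.com from 10.0.0.5
Sep 14 10:03:40 gw dnsmasq[812]: query[A] github.com from 10.0.0.7
Sep 14 10:05:02 gw dnsmasq[812]: query[A] iterm2s.com from 10.0.0.9
Sep 14 10:05:03 gw dnsmasq[812]: query[A] iterm-2.com from 10.0.0.9
Sep 14 10:05:09 gw dnsmasq[812]: query[A] iterm2.example-cdn.net from 10.0.0.9
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<host>\S+) from (?P<client>\S+)")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    client: str
    host: str
    mimics: str   # the legitimate domain being impersonated
    reason: str   # "edit-distance" or "brand-label"


def lookalike_of(host: str, known=KNOWN_GOOD, max_distance: int = 2) -> Optional[Tuple[str, str]]:
    """Return (legitimate_domain, reason) if host looks like an impersonation, else None."""
    labels = host.lower().rstrip(".").split(".")
    # Naive registrable domain: last two labels (assumption: no public-suffix
    # list offline, so co.uk-style suffixes are not handled).
    dom = ".".join(labels[-2:])
    if dom in known:
        return None  # the genuine site or one of its own subdomains
    for good in known:
        if levenshtein(dom, good) <= max_distance:
            return good, "edit-distance"
        brand = good.split(".")[0]
        if brand in labels:  # e.g. iterm2.<someone-elses-domain>
            return good, "brand-label"
    return None


def scan(log_text: str, known=KNOWN_GOOD) -> List[Finding]:
    """Parse dnsmasq-style query lines and return lookalike findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        hit = lookalike_of(m["host"], known)
        if hit:
            findings.append(Finding(m["client"], m["host"], hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client} queried {f.host} ({f.reason} match for {f.mimics})")
```

A hit from this scan is a lead for review, not a verdict: vendors legitimately serve downloads from CDN subdomains, and a distance threshold of 2 will also catch short unrelated names, so tune `max_distance` per brand and pair the output with the host's age and reputation. It also complements rather than replaces signature checks, since the article's point is that the fake iTerm2 carried a valid developer signature and cleared Gatekeeper.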
