A potentially massive attack campaign is delivering malware to Chinese macOS users via sponsored search links. The operation was first discovered by the infosec researcher Zhi, who goes by @CodeColorist on Twitter. The attack involves a previously unknown malware named OSX.ZuRu, which acts as an initial-stage payload that drops the final threats on compromised systems.

For the operation, the threat actors created a clone of the legitimate iTerm2.com website and hosted it at the iTerm2.net address. Chinese users who searched for 'iTerm2' were shown a sponsored link leading to the fake site. Without noticing anything out of the ordinary, users would simply click the 'Download' button and receive a weaponized disk image named 'iTerm.' Hidden among the numerous files in the disk image is a malicious libcrypto.2.dylib file, which carries the OSX.ZuRu malware.

The main functionality of OSX.ZuRu is to fetch next-stage payloads from the campaign's Command-and-Control (C&C, C2) server. The threat has been observed downloading and then executing a Python script named 'g.py' and a malicious file named 'GoogleUpdate.' The Python script is an info stealer that runs a comprehensive scan of the system and collects numerous system details, which are then packaged and transmitted. As for 'GoogleUpdate,' certain evidence suggests that it may be a Cobalt Strike beacon.

OSX.ZuRu can also collect certain information about the system it is running on. It achieves this via embedded code strings, and can obtain both a user name and a project name.
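As an added defender-side check (not code from the report or the researcher), the following Python parses the load commands of a 64-bit Mach-O executable and flags any libcrypto dylib that is loaded from a bundle-relative path instead of a system location. The sample image is constructed inline, and the `@executable_path/../Frameworks/libcrypto.2.dylib` load path it uses is an assumption for illustration, not a detail taken from the report.

```python
"""List the dylibs a Mach-O executable loads and flag a bundle-relative libcrypto."""
import struct
from typing import List

MH_MAGIC_64 = 0xFEEDFACF                      # little-endian 64-bit Mach-O magic
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | 0x80000000        # LC_REQ_DYLD bit set
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB}
HEADER_FMT = "<8I"   # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved


def linked_dylibs(image: bytes) -> List[str]:
    """Return the install names of every dylib a thin 64-bit Mach-O image loads.
    Universal (fat) binaries would first need their per-architecture slice extracted."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from(HEADER_FMT, image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    names, off = [], struct.calcsize(HEADER_FMT)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", image, off)
        if cmd in DYLIB_CMDS:
            # dylib_command: cmd, cmdsize, name offset, timestamp, two versions; the
            # NUL-terminated install name sits at name_off relative to the command start.
            (name_off,) = struct.unpack_from("<I", image, off + 8)
            raw = image[off + name_off:off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode())
        off += cmdsize
    return names


def suspicious_dylibs(names: List[str]) -> List[str]:
    """Flag libcrypto pulled from inside the bundle (@executable_path, @rpath, @loader_path).
    A system libcrypto under /usr/lib is not flagged; an app shipping its own copy warrants a look."""
    return [n for n in names if n.startswith("@") and "libcrypto" in n.lower()]


def build_macho(dylib_names: List[str]) -> bytes:
    """Constructed sample: a minimal 64-bit Mach-O header with one LC_LOAD_DYLIB per name."""
    cmds = b""
    for name in dylib_names:
        s = name.encode() + b"\0"
        s += b"\0" * (-len(s) % 8)               # load commands are padded to 8 bytes
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(s), 24, 2, 0x10000, 0x10000) + s
    return struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2,
                       len(dylib_names), len(cmds), 0, 0) + cmds


def check_file(path: str) -> List[str]:
    """Run the check against a real executable, e.g. iTerm.app/Contents/MacOS/iTerm2."""
    with open(path, "rb") as f:
        return suspicious_dylibs(linked_dylibs(f.read()))


if __name__ == "__main__":
    sample = build_macho(["/usr/lib/libSystem.B.dylib",
                          "@executable_path/../Frameworks/libcrypto.2.dylib"])  # assumed path
    print(suspicious_dylibs(linked_dylibs(sample)))
```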
