ZuRu Malware Exploits Baidu Search Results

ZuRu Malware exploits Baidu search results in China by posing as iTerm2, an alternative to the free default Mac terminal app.

Researchers from Objective-See discovered the ZuRu malware on September 14, shortly before another security researcher reported it independently the same day.

What Does ZuRu Malware Do?

Searching Baidu for iTerm2 returned a cloned copy of the genuine iTerm2 website among the results. Users who downloaded the installer from the clone received a fully working but trojanized copy of the app. Because the app was digitally signed by an Apple developer, it bypassed Gatekeeper and was installed like any normal application. The malicious app was not flagged, even though it lacked the notarization that Apple normally attaches to vetted apps.

Researchers also found a second component bundled with the fake iTerm2 app: a downloader that connects to a remote server and then installs around two additional pieces of malware.

Technical Insights

  1. The malicious app is otherwise identical to the legitimate copy of iTerm2; the malicious addition is a file that loads the libcrypto[.]2[.]dylib dynamic library.
  2. That library connects to 47[.]75[.]123[.]111, downloads a Python script named g[.]py and a Mach-O binary named GoogleUpdate into the /tmp folder, and executes both.
  3. The GoogleUpdate binary is a beacon that communicates with a Cobalt Strike server at 47.75.96[.]198:443, giving the attacker full backdoor access.
  4. Further applications were trojanized with the same libcrypto[.]2[.]dylib file, among them SecureCRT, Navicat Premium, and Microsoft Remote Desktop.
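To turn the indicators above into a host check, here is an added triage script (not from the article or from Objective-See) that scans an iTerm2.app bundle for the libcrypto.2.dylib addition and the /tmp drops, and flags connection-log lines to the two listed addresses. It assumes a genuine iTerm2 build ships no file of that name, and it builds a constructed fake bundle as its input.

```python
"""Host triage for the ZuRu iTerm2 indicators listed above (added example, not from the article)."""
import tempfile
from pathlib import Path

# Indicators quoted in the write-up, with the defanging brackets removed
ROGUE_DYLIB = "libcrypto.2.dylib"
DROPPED_FILES = ("g.py", "GoogleUpdate")
C2_ADDRESSES = ("47.75.123.111", "47.75.96.198")

def scan_bundle(app_dir, tmp_dir="/tmp"):
    """Return findings for an .app bundle and the temp directory the malware drops into."""
    app = Path(app_dir)
    findings = []
    # 1. The trojanized build adds libcrypto.2.dylib to the bundle
    #    (assumption: a genuine iTerm2 build does not ship a file by that name)
    for path in app.rglob(ROGUE_DYLIB):
        findings.append(f"rogue dylib: {path.relative_to(app)}")
    # 2. A main executable that names that dylib (cheap string check; a fuller
    #    check would walk the Mach-O LC_LOAD_DYLIB load commands)
    macos_dir = app / "Contents" / "MacOS"
    for exe in (macos_dir.iterdir() if macos_dir.is_dir() else []):
        if exe.is_file() and ROGUE_DYLIB.encode() in exe.read_bytes():
            findings.append(f"executable references {ROGUE_DYLIB}: {exe.name}")
    # 3. Second-stage files the library drops into /tmp
    for name in DROPPED_FILES:
        if Path(tmp_dir, name).exists():
            findings.append(f"dropped file: {Path(tmp_dir, name)}")
    return findings

def flag_connections(log_lines):
    """Return connection-log lines that reach the downloader or Cobalt Strike hosts."""
    return [ln.strip() for ln in log_lines if any(ip in ln for ip in C2_ADDRESSES)]

def build_sample_bundle(root):
    """Constructed test data: a fake iTerm2.app and a fake /tmp mimicking the infection."""
    app = Path(root, "iTerm2.app")
    (app / "Contents" / "MacOS").mkdir(parents=True)
    (app / "Contents" / "Frameworks").mkdir()
    (app / "Contents" / "MacOS" / "iTerm2").write_bytes(b"\xcf\xfa\xed\xfe@rpath/libcrypto.2.dylib\x00")
    (app / "Contents" / "Frameworks" / ROGUE_DYLIB).write_bytes(b"\xcf\xfa\xed\xfe")
    tmp = Path(root, "tmp")
    tmp.mkdir()
    (tmp / "g.py").write_text("# constructed stand-in for the dropped script\n")
    return app, tmp

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for finding in scan_bundle(*build_sample_bundle(root)):
            print("FINDING:", finding)
    print("C2:", flag_connections(["10.0.0.5 -> 47.75.96.198:443 TLS", "10.0.0.5 -> 1.1.1.1:53"]))
```

On a real host, point scan_bundle at /Applications/iTerm2.app with the default tmp_dir and feed flag_connections the output of a firewall or proxy log.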

Apple and Baidu have taken corrective measures and removed the malicious results from the search engine, but the attackers could easily repeat the procedure to launch another campaign. Users and researchers alike need to stay vigilant about this threat.
