A newly discovered variant of the ZuRu malware is actively targeting developers and IT professionals by distributing a trojanized version of the popular Termius SSH client for macOS. This sophisticated campaign highlights the growing risks faced by macOS users, particularly those working in technical and development fields.
Infection Vector: Trojanized Termius App
The attack begins with the distribution of a malicious .dmg disk image masquerading as the legitimate Termius app. Unlike the official version, this compromised app bundle contains additional executables designed to facilitate unauthorized remote access and control.
Attackers have modified the original Termius app, embedding malicious binaries and replacing the authentic developer code signature with an ad hoc signature. This tactic allows the malware to bypass macOS’s code-signing protections and evade initial detection.
Technical Details and Capabilities
Within the altered app, researchers identified two suspicious executables in the Termius Helper.app directory:
- .localized: Functions as a loader, connecting to a remote server (download.termius[.]info) to download and execute a Khepri command-and-control (C2) beacon.
- .Termius Helper1: A renamed copy of the legitimate Termius Helper binary, ensuring the app continues to operate normally and avoids raising user suspicion.
The loader checks for existing infections and updates itself if a newer version is available, using MD5 hash comparisons to verify payload integrity. This mechanism allows attackers to maintain persistence and adapt their tactics over time.
The campaign leverages a modified version of the open-source Khepri post-exploitation toolkit, enabling attackers to establish robust remote control over compromised systems.
Evolution of the ZuRu Threat
ZuRu first appeared in 2021, initially spreading through poisoned search results for widely used macOS applications such as iTerm2, SecureCRT, Navicat, and Microsoft Remote Desktop. Victims were lured to convincing fake websites hosting trojanized installers that were nearly indistinguishable from the originals.
Earlier versions of ZuRu injected malicious dynamic libraries (.dylib) into the main application executable. The latest variant demonstrates increased sophistication, instead adding new executables and employing advanced loader and C2 techniques.
Risks and Mitigation Strategies
The primary risks associated with this campaign include:
- Unauthorized Remote Access: Attackers can gain full control of infected machines.
- Credential and Data Theft: Sensitive information, including SSH keys and project files, may be exfiltrated.
- Organizational Compromise: Infected developer systems can serve as entry points for broader attacks on company infrastructure.
Recommended Security Measures
- Always download software from official sources or trusted app stores.
- Verify application signatures and be cautious of unexpected code-signing warnings.
- Deploy endpoint protection solutions capable of detecting trojanized applications and suspicious network activity.
- Keep macOS and all security tools up to date to address known vulnerabilities.
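The two indicators the article describes, an ad hoc signature in place of a Developer ID and a hidden extra executable inside the helper bundle, can both be checked mechanically. The script below is an added example, not code from the article or from Termius; it parses saved `codesign -dvv` output (so it also runs off-box on exported reports) and lists dot-prefixed executables in a bundle's Contents/MacOS directory. EXAMPLETEAMID is a constructed placeholder, not Termius' real Team ID.

```shell
#!/bin/sh
# Added example: triage a macOS app bundle for an ad hoc signature and for
# hidden executables in Contents/MacOS. Capture the signature report with
#   codesign -dvv /Applications/Termius.app > report.txt 2>&1
# and pass the file to the functions below. EXPECTED_TEAM_ID is a constructed
# placeholder; set it to the vendor's real Apple Team ID before use.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-EXAMPLETEAMID}"

# classify_signature REPORT_FILE -> adhoc | unsigned | developer-id:<TEAMID> | other
# "Signature=adhoc" and "TeamIdentifier=not set" are what codesign prints for an
# ad hoc signed bundle; a Developer ID build carries an Authority chain instead.
classify_signature() {
  if grep -q '^Signature=adhoc$' "$1"; then
    echo adhoc
  elif grep -q 'code object is not signed at all' "$1"; then
    echo unsigned
  elif grep -q '^Authority=Developer ID Application:' "$1"; then
    echo "developer-id:$(sed -n 's/^TeamIdentifier=//p' "$1")"
  else
    echo other
  fi
}

# signature_ok REPORT_FILE -> exit 0 only for the expected Developer ID team
signature_ok() {
  [ "$(classify_signature "$1")" = "developer-id:$EXPECTED_TEAM_ID" ]
}

# hidden_executables BUNDLE_DIR -> dot-prefixed executable files in Contents/MacOS.
# A plain ".localized" marker file is normal on macOS; the executable bit is what
# makes one suspicious, which is why -perm -100 is part of the filter.
hidden_executables() {
  find "$1/Contents/MacOS" -maxdepth 1 -type f -name '.*' -perm -100 2>/dev/null
}

# Demo on constructed sample reports (not real captures).
demo() {
  d=$(mktemp -d)
  printf 'Executable=/Applications/Termius.app/Contents/MacOS/Termius\nSignature=adhoc\nTeamIdentifier=not set\n' > "$d/adhoc.txt"
  printf 'Executable=/Applications/Termius.app/Contents/MacOS/Termius\nAuthority=Developer ID Application: Example Corp (EXAMPLETEAMID)\nAuthority=Developer ID Certification Authority\nAuthority=Apple Root CA\nTeamIdentifier=EXAMPLETEAMID\n' > "$d/devid.txt"
  for r in adhoc devid; do
    if signature_ok "$d/$r.txt"; then echo "$r: OK ($(classify_signature "$d/$r.txt"))"
    else echo "$r: ALERT $(classify_signature "$d/$r.txt")"; fi
  done
  rm -rf "$d"
}
demo
```

Run `hidden_executables /Applications/Termius.app/Contents/MacOS/Termius\ Helper.app` on a real install to check the helper bundle the article names; any output deserves a closer look.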