While most cybercriminals continue to attack Windows machines heavily, some more daring groups go after more exotic targets, such as macOS systems. ZuRu is one of the latest identified malicious programs exclusively targeting Macs. Its creators appear to rely on sponsored search results to redirect users to a malicious page, spoofing the name of a legitimate macOS tool called iTerm2.
Currently, the criminals seem to target only the Chinese search engine Baidu. However, it would not be a surprise if they tried to expand their operation in the near future. Once a user tries to download iTerm2 from the fake website, they are referred to a third-party hosting service, which serves the iTerm.dmg file. So far, everything looks normal on the user’s screen; the only red flag is the slightly different domain name, and most people would not notice it.
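The "slightly different domain name" is the one visible red flag in this campaign, and it is something a download allowlist can check mechanically. The following script is an added example written for this article, not code from the campaign or from the iTerm2 project: it compares the host of a download URL against a small assumed allowlist (iterm2.com is the real vendor domain) and flags hosts whose main label is identical or within a couple of edits of the trusted name, or that embed the trusted name inside a longer hostname. The candidate URLs in the usage section are constructed for illustration and are not the fake domain used by the attackers.

```python
"""Flag download URLs whose host closely resembles a trusted vendor domain.

Added example for this article; not the campaign's code and not part of
iTerm2. TRUSTED_DOMAINS is an assumed allowlist, and the sample URLs at the
bottom are constructed, not the real spoofed domain.
"""
from urllib.parse import urlparse

# Assumed allowlist: the places a user should actually fetch iTerm2 from.
TRUSTED_DOMAINS = {"iterm2.com", "www.iterm2.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small value between domain labels is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core_label(host: str) -> str:
    """Second-level label of a hostname: 'iterm2' for 'www.iterm2.com'."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_download_url(url: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host in url.

    'lookalike' covers three cases: same main label on a different TLD,
    a main label within max_distance edits of the trusted one (typo-squats),
    and the trusted name embedded in a longer hostname (subdomain tricks).
    """
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_DOMAINS:
        return "trusted"
    core = core_label(host)
    for trusted in TRUSTED_DOMAINS:
        tcore = core_label(trusted)
        if core == tcore or levenshtein(core, tcore) <= max_distance:
            return "lookalike"
        if tcore in host:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs (not from the campaign).
    samples = [
        "https://iterm2.com/downloads.html",
        "https://iterm2.net/iTerm.dmg",
        "https://iterrn2.com/iTerm.dmg",
        "https://iterm2.com.example.invalid/iTerm.dmg",
        "https://example.org/iTerm.dmg",
    ]
    for u in samples:
        print(u, "->", classify_download_url(u))
```

Edit distance alone is a coarse filter: a large threshold produces false positives on short names, so the check deliberately compares only the second-level label and keeps `max_distance` small. In practice this sort of check belongs in a proxy or endpoint policy, where an "unknown" or "lookalike" verdict can block the fetch or at least prompt the user.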
What can ZuRu do if it infects you?
If a user is tricked into running the Trojan horse, ZuRu downloads and runs a Python script that collects various information from an infected Mac, including:
▸User’s macOS keychain database
▸Bash and zsh user terminal command history
▸The user’s iTerm2 stored state
▸User ssh keys and known hosts
▸System configuration files, including the hosts file and other files under /etc
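Every item in that list is a file or directory with a known default location, which makes it possible to inventory them on a Mac you suspect was exposed. The script below is an added example for this article, not the campaign's script and not an official tool: it walks the standard macOS locations of the artifacts named above (the paths are assumed defaults), reports each one's permission mode, flags SSH private keys that are readable by other accounts, and notes files whose access time falls inside a window you choose so that you can correlate it with the time a fake iTerm.dmg was opened. Access times are only a hint, since many volumes are mounted with noatime or relatime.

```python
"""Inventory the user-level artifacts this article reports ZuRu collecting.

Added example for this article; not the campaign's code. Paths are assumed
standard macOS defaults. Run on a Mac as the affected user, or point
audit_artifacts() at a copied home directory.
"""
import stat
import time
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Artifacts named in the article, relative to the user's home directory.
USER_ARTIFACTS = [
    "Library/Keychains/login.keychain-db",     # macOS keychain database
    ".bash_history",                           # bash command history
    ".zsh_history",                            # zsh command history
    "Library/Application Support/iTerm2",      # iTerm2 saved state lives here
    ".ssh/id_rsa",                             # common SSH private key names
    ".ssh/id_ed25519",
    ".ssh/known_hosts",                        # hosts the user has connected to
]
# System-wide artifacts named in the article.
SYSTEM_ARTIFACTS = ["/etc/hosts"]


def audit_artifacts(home: Path,
                    system_paths: Iterable[str] = SYSTEM_ARTIFACTS,
                    recent_seconds: int = 3600,
                    now: Optional[float] = None) -> List[Dict]:
    """Return one record per artifact that exists: path, mode and a list of issues."""
    now = time.time() if now is None else now
    candidates = [home / p for p in USER_ARTIFACTS] + [Path(p) for p in system_paths]
    findings = []
    for path in candidates:
        if not path.exists():
            continue
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        issues = []
        is_private_key = (path.parent.name == ".ssh"
                          and path.name.startswith("id_")
                          and not path.name.endswith(".pub"))
        # A private key should be readable only by its owner (mode 0600).
        if is_private_key and mode & (stat.S_IRWXG | stat.S_IRWXO):
            issues.append("private key accessible by group/others")
        # atime is only a hint: noatime/relatime mounts do not update it reliably.
        if now - st.st_atime < recent_seconds:
            issues.append("accessed within the last %d seconds" % recent_seconds)
        findings.append({"path": str(path), "mode": oct(mode), "issues": issues})
    return findings


def main() -> None:
    for record in audit_artifacts(Path.home()):
        print(record["path"], record["mode"], "; ".join(record["issues"]) or "ok")


if __name__ == "__main__":
    main()
```

The point of the inventory is not to prove compromise but to scope it: if the keychain and SSH keys show recent access around the time the fake installer ran, those are the credentials to rotate first, and a private key that is group- or world-readable should be fixed regardless of the outcome.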
Clearly, cybercriminals are experimenting with all sorts of nasty tricks to reach their victims, and the ZuRu campaign is a particularly intriguing example. The best way to keep your system and data safe is to use antivirus software and be very careful when browsing the Internet.