Cybercriminals embedded malicious code and remote-control tools in software used for server management and secure connections.
A new variant of macOS malware known as ZuRu is targeting Apple users by embedding malicious code and a hacking tool into popular utilities used for remote connections and server management, cybersecurity researchers have warned.
First discovered in 2021, ZuRu has evolved over time and can now infect more apps and in new ways, cybersecurity firm SentinelOne said in a July 10 alert. Notably, the latest strain only works on Macs running the Sonoma 14.1 operating system, which Apple launched in October 2023, or Sequoia, its latest operating system.
Earlier versions of ZuRu were found hidden inside both pirated and legitimate copies of popular tools used by developers and IT professionals such as SecureCRT, Navicat, and Microsoft Remote Desktop for Mac. Most recently, the malware was found in a trojanized version of Termius, an app used for managing remote servers and secure network connections.
“This recent sample uses a new method to trojanize legitimate applications,” wrote Phil Stokes and Dinesh Devadoss, cybersecurity researchers at SentinelOne. They noted that the Trojanized version of Termius has had malicious code added to it, along with a helper program called a command-and-control (C2) implant, which allows attackers to remotely control infected Macs.
This particular C2 implant is based on Khepri, an open-source hacking tool designed to let attackers run commands and gather information from a compromised system, the researchers said. Once installed, the implant gives hackers powerful capabilities, including transferring files to or from the victim’s computer, running or controlling programs on the infected Mac, and executing commands and capturing whatever results or data those commands produce.
“The latest variant of macOS.ZuRu continues the threat actor’s pattern of trojanizing legitimate macOS applications used by developers and IT professionals,” the researchers noted. They added that attackers appear to have shifted from earlier, simpler methods to embedding malware in helper applications, likely in an effort to bypass modern security detection measures.
By Tom Ozimek
