New ZuRu Malware Targets macOS Developers via Termius App

Edward Zhou

CEO & Founder

July 16, 2025 3 min read

New ZuRu Malware Variant Targets macOS Developers via Trojanized Termius App

Cybersecurity researchers have identified a new variant of macOS malware known as ZuRu, which specifically targets developers and IT professionals by embedding malicious code in the legitimate Termius macOS application. This malware leverages a modified Khepri command-and-control (C2) framework, utilizing advanced infection mechanisms that highlight the evolving threat landscape for macOS users.

[Image: New macOS Malware ZuRu. Image courtesy of The Hacker News]

ZuRu Malware's Evolving Tactics

First identified in 2021, ZuRu initially spread through poisoned search results on platforms like Baidu, redirecting users to malicious sites hosting trojanized versions of popular macOS utilities such as iTerm2, SecureCRT, Navicat, and Microsoft Remote Desktop for Mac. The consistent targeting of backend tools for SSH and remote connections suggests a deliberate focus on developers and IT professionals.

The malware has evolved with significant changes in its infection vector. Earlier variants injected malicious dynamic libraries (.dylib) into the main application bundle. The latest variant modifies an embedded helper application within the legitimate Termius.app, which likely helps it evade existing detection mechanisms.

  • Increased Size: The trojanized Termius.app is larger (248MB) than its legitimate counterpart (225MB) due to the inclusion of malicious binaries.
  • Ad Hoc Code Signing: Attackers strip the original code signature and replace it with an ad hoc signature of their own to get past macOS code signing rules.

Inside the Trojanized Termius App

The compromised Termius app is delivered via a .dmg disk image containing a doctored version of Termius.app. This altered bundle includes two crucial executables:

  • .localized: This serves as the primary malware loader, which, upon execution, downloads a Khepri C2 beacon from download.termius[.]info and writes it to /tmp/.fseventsd.
  • .Termius Helper1: This is a renamed version of the legitimate Termius Helper, ensuring the parent application operates as expected to avoid detection.

Persistence and Communication

To maintain a foothold on the compromised system, the malware establishes persistence through:

  • LaunchDaemon: It requests elevated privileges from the user and writes a persistence plist file named com.apple.xssooxxagent to /Library/LaunchDaemons, ensuring the malware executes hourly.
  • Lock Mechanism: The malware uses a lock file (/tmp/apple-local-ipc.sock.lock) to ensure only one instance is running at a time.
  • Update Mechanism: The loader checks for and downloads new versions of the Khepri payload by comparing the MD5 hash of the local payload with one supplied by a remote server, which serves both as an update channel and as an integrity check.

Modified Khepri C2 Implant

The downloaded payload is a modified Khepri C2 beacon, a full-featured implant with capabilities such as file transfer, system reconnaissance, process execution, and command execution with output capture. It communicates with its C2 infrastructure over port 53, the DNS port, so that its traffic blends in with legitimate name resolution while reaching out to ctl01.termius[.]fun, which resolves to an Alibaba Cloud-hosted IP.

Indicators of Compromise (IOCs)

Organizations are advised to review the following indicators for detection:

  • File Paths:
    • /Library/LaunchDaemons/com.apple.xssooxxagent.plist
    • /Users/Shared/com.apple.xssooxxagent
    • /private/tmp/Termius
    • /tmp/.fseventsd
    • /tmp/apple-local-ipc.sock.lock
  • SHA-1 Hashes:
    • Khepri C2 Beacon
    • Trojan Mach-O
    • Trojan Disk Image
    • Malware Loader
  • Network Communications:
    • http[:]//download.termius[.]info/bn.log.enc
    • ctl01.termius[.]fun
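As an added example (not code from the article, from Termius, or from the researchers), the following POSIX shell functions sweep a host for the file-path indicators listed above and scan a DNS or proxy log for the two attacker domains; the script name zuru_sweep.sh and the log line format are assumptions.

```shell
# Added example (not from the article or from Termius): sweep a macOS host,
# or a mounted image under another root, for the ZuRu indicators listed above.
# Usage, as root, for the live system:  . ./zuru_sweep.sh; zuru_check_paths ""

# File paths from the article's IOC list, relative to the root being checked.
ZURU_PATHS="/Library/LaunchDaemons/com.apple.xssooxxagent.plist
/Users/Shared/com.apple.xssooxxagent
/private/tmp/Termius
/tmp/.fseventsd
/tmp/apple-local-ipc.sock.lock"

# Attacker domains from the article. The vendor's real domain is deliberately
# absent, so legitimate Termius traffic never matches.
ZURU_DOMAINS="download.termius.info ctl01.termius.fun"

# Print each indicator path that exists beneath ROOT ("" means the live /).
zuru_check_paths() {
    root="${1:-}"
    for p in $ZURU_PATHS; do
        [ -e "${root}${p}" ] && echo "FOUND ${root}${p}"
    done
    return 0
}

# Print each line of a DNS or proxy log that names a C2 domain. Dots are
# escaped so "termius.info" cannot match an unrelated hostname.
zuru_check_dns() {
    log="$1"
    set --
    for d in $ZURU_DOMAINS; do
        set -- "$@" -e "$(printf '%s' "$d" | sed 's/\./\\./g')"
    done
    grep -i "$@" "$log" || true
}

# Live-only check: is the persistence label loaded? Needs root to see the
# system domain; launchctl only exists on macOS, so this is a no-op elsewhere.
zuru_check_launchd() {
    command -v launchctl >/dev/null 2>&1 || return 0
    launchctl list 2>/dev/null | grep -i xssooxxagent || true
}

# Numeric wrappers so scripts and tests get a count rather than text.
zuru_count_paths() { zuru_check_paths "$1" | grep -c '^FOUND' || true; }
zuru_count_dns()   { zuru_check_dns "$1" | grep -c . || true; }
```

Pass a mount point instead of "" to check a disk image offline; on the live system run as root so that /Library/LaunchDaemons and launchctl's system domain are readable.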

The latest ZuRu variant underscores the persistent threat to macOS users, particularly those in development and IT roles. It showcases the need for robust endpoint protection to counteract evolving malware tactics.

For organizations looking to enhance their cybersecurity posture, consider tailored solutions from Gopher Security, which offers comprehensive protection against advanced threats. Explore how Gopher Security can safeguard your systems and ensure operational continuity.

Edward Zhou

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
