OSX.ZuRu

Short bio

OSX.ZuRu is Malwarebytes' detection name for a Trojan dropper that targets MacOS systems.

Type and source of the infection

OSX.ZuRu is a Trojan dropper which at the moment downloads and executes two files which are suspected to set up a Cobalt Strike beacon. The malware is spread posing as the legitimate app iTerm2.

Symptoms

The disk image file for the trojanized iTerm2 includes a link to the Applications folder with a Chinese name.

disk image file

Protection

Malwarebytes for Mac detects and removes OSX.ZuRu.

Remediation

Malwarebytes for Mac will detect and remove the components of this malware.

Download and install the latest version of Malwarebytes for Mac.

Click the “Scan Now” button to perform a system scan.

If threats are detected during the scan, a count of detected threats is displayed. More detailed threat information is displayed after the scan completes.

Click “Confirm” to move the detected threats to Quarantaine.

If a restart is required to complete remediation of threats detected during a scan, you will be notified. When a restart is required, please remember to save all work before clicking “Restart”.

IOC's

File:
iTerm.app/Contents/Frameworks/libcrypto.2.dylib
IPs:
47.75.123.111
47.75.96.198(:443)
Domain:
iTerm2.net

Related blog content

New Mac malware masquerades as iTerm2, Remote Desktop and other apps

Cobalt Strike, a penetration testing tool abused by criminals

Select your language

New Buy Online Partner Icon Warning Icon Edge icon