New Mac malware spreads via search results — what you need to know

A new strain of Mac malware that spreads via "poisoned" search-engine results has been discovered in China and could spread to other countries.

To make sure you're not infected by something like this, be very careful about what you download and scan every downloaded file with one of the best Mac antivirus programs. You should also get your software from the Mac App Store as often as possible, and be wary of other sources.

As detailed by Mac security researcher Patrick Wardle in a blog post earlier this week, the malware, which he calls ZuRu, was tweeted out by Chinese researcher Zhi, aka ChiChou, aka @CodeColorist. Back in June, Zhi helped puzzle out why certain Wi-Fi network names were disabling iPhones.

This time around, Zhi was publicizing a blog post by a Chinese user who had found that queries on the Chinese search engine Baidu for the Mac app iTerm2 returned a clone of the legitimate iTerm2 website. (iTerm2 is a free alternative to the default Mac terminal app.)

Mac users who downloaded the installer from the fake iTerm2 site received a working copy of the app, which passed the Gatekeeper check and installed just fine because it was digitally "signed" by an Apple developer and wasn't flagged by any antivirus software as malicious.

The fake app wasn't "notarized" with an extra security badge that Apple grants apps it has verified to be trustworthy. (The real iTerm2 app is notarized.) But even though a Mac will notify a user that an app hasn't been notarized, the user can still choose to install it.
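The distinction above, a Developer ID signature that satisfies Gatekeeper versus a notarization ticket that the user can override, is exactly what a defender wants surfaced before an installer runs. The script below is an added example, not code from the article or from any of the researchers it cites; it assumes macOS's codesign and spctl tools for the live check, and the parser is exercised here with constructed spctl output.

```shell
#!/bin/sh
# Added example (not from the article). Classifies an app bundle's Gatekeeper
# standing so that "valid Developer ID signature, no notarization", the state of
# the fake iTerm2, is reported explicitly instead of hiding behind "accepted".
# Assumes macOS codesign(1)/spctl(8) for assess_app(); classify_spctl() only
# parses text and runs on any POSIX shell.

# Turn the output of `spctl --assess --type exec -vv <app>` into one word.
classify_spctl() {
    spctl_text=$1
    # First line looks like "<path>: accepted" or "<path>: rejected".
    verdict=$(printf '%s\n' "$spctl_text" | awk 'NR==1 {print $NF}')
    # "source=" names the policy rule that produced the verdict.
    src=$(printf '%s\n' "$spctl_text" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Notarized Developer ID")
            echo notarized ;;
        "Unnotarized Developer ID"|"Developer ID")
            # Valid Developer ID signature but no notarization ticket: Gatekeeper
            # warns, yet the user can still open it, as with the fake iTerm2.
            echo signed-not-notarized ;;
        "Mac App Store")
            echo app-store ;;
        *)
            # Anything else (no usable signature, revoked certificate, ...)
            # that was rejected is treated as untrusted.
            [ "$verdict" = rejected ] && echo untrusted || echo "unknown:$src" ;;
    esac
}

# Run the real checks on a bundle path (macOS only). Prints the verdict and
# returns 0 only for notarized or App Store apps.
assess_app() {
    app=$1
    command -v spctl >/dev/null 2>&1 || { echo "spctl not available" >&2; return 2; }
    # Fail early if the signature itself does not verify.
    codesign --verify --deep --strict "$app" 2>/dev/null || { echo untrusted; return 1; }
    out=$(spctl --assess --type exec -vv "$app" 2>&1)
    result=$(classify_spctl "$out")
    echo "$result"
    case "$result" in notarized|app-store) return 0 ;; *) return 1 ;; esac
}
```

Running `assess_app /path/to/Downloaded.app` on a Mac prints the verdict; a `signed-not-notarized` result is the case the article describes and is worth treating as a stop-and-check moment rather than clicking through the warning.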

There's a little something extra in the fake iTerm2 app — a "downloader" that itself reaches out to an online server and installs at least two more strains of malware.

Spyware and a possible backdoor

One of the two new pieces of malware is an information-stealer that profiles the Mac it's running on, steals the user's Keychain database (containing passwords and other sensitive data), and packages all the data in a Zip file before sending it back to the same server from which the information-stealer is downloaded.

The other piece of malware masquerades as a Google Update application and is downloaded from a different server. Wardle wasn't able to completely dissect this piece of malware, so he's not quite sure what it does.

But he discovered that the server where it resides has been flagged as hosting a pirated copy of Cobalt Strike, a legitimate penetration-testing tool that criminals have cracked and repurposed for illicit ends.

As Wardle noted, it's possible that this mysterious fake Google Update is actually a Cobalt Strike "beacon," a program that creates a hidden backdoor on a system for other Cobalt Strike users to find.

There's a bit of good news. Apple has revoked the developer certificate used to sign the fake iTerm2 installer, the fake iTerm2 site is now offline, Baidu has removed the poisoned results from its search engine and about a dozen of the best Mac antivirus programs now recognize the fake installer as malware.

But it wouldn't take much for the criminals behind this to replicate their methods with another website, another corrupted Mac app and another Mac developer license, which costs only $99.

Update: Microsoft also spoofed by Mac malware

In an analysis of the iTerm2 Mac Trojan posted Sept. 30, Trend Micro researchers found that the malware campaign also offers corrupted macOS versions of Microsoft Remote Desktop, the SecureCRT terminal emulator and the Navicat database administration tool.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the data-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/mac-malware-fake-iterm2
