New ZuRu Malware Variant Targets Developers via Trojanized Termius macOS App
- John Jordan
- Jul 10
- 3 min read
Updated: Jul 11
A new variant of the macOS.ZuRu malware has emerged, specifically targeting developers and IT professionals by trojanizing the legitimate Termius macOS application. This sophisticated backdoor leverages a modified Khepri command-and-control (C2) framework, employing new techniques for application compromise and persistence, highlighting an evolving threat landscape for macOS users.

ZuRu Malware's Evolving Tactics
First identified in 2021, macOS.ZuRu initially spread through poisoned search results on platforms like Baidu, redirecting users to malicious sites hosting trojanized versions of popular macOS utilities such as iTerm2, SecureCRT, Navicat, and Microsoft Remote Desktop for Mac. The consistent targeting of backend tools for SSH and remote connections suggests a deliberate focus on developers and IT professionals.
Shift in Trojanization: Earlier ZuRu variants injected malicious dynamic libraries (.dylib) into the main application bundle. The latest variant, however, modifies an embedded helper application within the legitimate Termius.app, likely to evade existing detection mechanisms.
Increased Size: The trojanized Termius.app is notably larger (248MB) than its legitimate counterpart (225MB) due to the inclusion of malicious binaries.
Ad Hoc Code Signing: To bypass macOS code signing rules, the attackers replace the developer's original code signature with their own ad hoc signature.
Inside the Trojanized Termius App
The malicious disk image contains a doctored version of Termius.app. Within the bundle, two key executables are added:
.localized: This is the primary malware loader. Upon execution, it downloads a Khepri C2 beacon from download.termius[.]info and writes it to /tmp/.fseventsd.
.Termius Helper1: This is a renamed and replaced version of the legitimate Termius Helper binary, ensuring the parent application functions as expected to avoid suspicion.
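The two packaging tells above (a Developer ID signature swapped for an ad hoc one, and extra dot-prefixed executables added inside the bundle) can both be checked from a shell. The script below is an added example, not code from SentinelOne, Termius or the original post: it classifies a captured `codesign -dv --verbose=4` transcript (ad hoc signatures print a `Signature=adhoc` line, Developer ID signatures an `Authority=Developer ID Application: ...` line) and lists hidden executables anywhere in a bundle. The fixture it builds is constructed, with placeholder identifiers (`com.example.fake`, `Example Corp`, `TEAMID0000`) rather than Termius's real ones.

```shell
#!/bin/sh
# Bundle triage for an ad hoc code signature and hidden dot-prefixed executables.
# Added example (not SentinelOne's or Termius's code); portable POSIX sh.

# Classify a captured `codesign -dv --verbose=4 <bundle>` transcript ($1 holds
# stdout+stderr). Ad hoc signatures print "Signature=adhoc"; Developer ID
# signatures print an "Authority=Developer ID Application: ..." line.
classify_signature() {
    if grep -q 'code object is not signed at all' "$1"; then
        echo unsigned
    elif grep -q '^Signature=adhoc' "$1"; then
        echo adhoc
    elif grep -q '^Authority=Developer ID Application' "$1"; then
        echo developer-id
    elif grep -q '^Authority=Apple Mac OS Application Signing' "$1"; then
        echo app-store
    else
        echo unknown
    fi
}

# Live wrapper for a macOS host: run codesign on a bundle and classify it.
classify_bundle() {
    out=$(mktemp)
    codesign -dv --verbose=4 "$1" > "$out" 2>&1
    classify_signature "$out"
    rm -f "$out"
}

# Dot-prefixed regular files with the owner execute bit anywhere in a bundle.
# A shipped app has no reason to hide executables this way; the trojanized
# Termius added ".localized" and ".Termius Helper1".
find_hidden_executables() {
    find "$1" -type f -name '.*' -perm -100
}

count_hidden_executables() {
    find_hidden_executables "$1" | wc -l | tr -d ' '
}

# Constructed fixture: a fake bundle with one hidden executable and one hidden
# non-executable file, plus two constructed codesign transcripts that use
# placeholder identifiers (com.example.fake, Example Corp, TEAMID0000).
build_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/Fake.app/Contents/MacOS" "$fx/Fake.app/Contents/Helpers"
    : > "$fx/Fake.app/Contents/MacOS/Fake"
    : > "$fx/Fake.app/Contents/Helpers/.localized"
    : > "$fx/Fake.app/Contents/Helpers/.strings"
    chmod 755 "$fx/Fake.app/Contents/MacOS/Fake" "$fx/Fake.app/Contents/Helpers/.localized"
    chmod 644 "$fx/Fake.app/Contents/Helpers/.strings"
    cat > "$fx/adhoc.txt" <<'EOF'
Executable=/Applications/Fake.app/Contents/MacOS/Fake
Identifier=com.example.fake
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=20
TeamIdentifier=not set
EOF
    cat > "$fx/devid.txt" <<'EOF'
Executable=/Applications/Fake.app/Contents/MacOS/Fake
Identifier=com.example.fake
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
EOF
    echo "$fx"
}

# Demo on the constructed fixture; with a bundle path argument on macOS,
# the real bundle is classified as well.
fx=$(build_fixture)
echo "ad hoc transcript       -> $(classify_signature "$fx/adhoc.txt")"
echo "Developer ID transcript -> $(classify_signature "$fx/devid.txt")"
echo "hidden executables in Fake.app:"
find_hidden_executables "$fx/Fake.app"
if [ $# -gt 0 ] && command -v codesign >/dev/null 2>&1; then
    echo "$1 -> $(classify_bundle "$1")"
fi
```

On a macOS host, `sh triage.sh /Applications/Termius.app` runs both checks against the installed copy; an `adhoc` result on an app that normally ships with a Developer ID signature, or any hidden executable listed, is grounds to quarantine the bundle and compare it against a fresh download from the vendor.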
Persistence and Communication
To maintain a foothold on the compromised system, the binary establishes persistence:
LaunchDaemon: It requests elevated privileges from the user and, if granted, writes a persistence plist file named com.apple.xssooxxagent to /Library/LaunchDaemons/. This ensures the malware executes hourly.
Lock Mechanism: The malware uses a lock file (/tmp/apple-local-ipc.sock.lock) to ensure only one instance is running at a time.
Update Mechanism: The .localized loader checks for and downloads new versions of the Khepri payload by comparing MD5 hashes with a remote server, allowing for updates or integrity checks.
Modified Khepri C2 Implant
The downloaded payload is a modified Khepri C2 beacon, a full-featured implant with capabilities including:
File transfer
System reconnaissance
Process execution and control
Command execution with output capture
Key characteristics of the modified Khepri C2:
Operating System Requirement: Requires macOS Sonoma 14.1 or later, indicating a focus on more recent macOS versions.
Heartbeat Interval: Sets a faster heartbeat interval of 5 seconds (compared to the open-source default of 10 seconds).
C2 Communication: Uses port 53 (commonly used for DNS) and communicates with ctl01.termius[.]fun, resolving to 47[.]238.28[.]21. This pattern aligns with previous ZuRu C2 infrastructure.
Indicators of Compromise
Organizations are advised to review the following indicators for detection:
File Paths:
/Library/LaunchDaemons/com.apple.xssooxxagent.plist
/Users/Shared/com.apple.xssooxxagent
/private/tmp/Termius
/tmp/.fseventsd
/tmp/apple-local-ipc.sock.lock
SHA-1 Hashes:
SHA-1 | Name | Description
---|---|---
Khepri C2 Beacon | |
Trojan Mach-O | |
Trojan Disk Image | |
Malware Loader | |
Network Communications:
http[:]//download.termius[.]info/bn.log.enc
http[:]//download.termius[.]info/bn.log.md5
ctl01.termius[.]fun
47[.]238.28[.]21
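The file-path and network indicators above, together with the LaunchDaemon persistence described earlier, translate directly into a hunt script. The one below is an added example, not SentinelOne's tooling: it checks the on-disk indicators under a chosen root (so the same checks work on a live host, a mounted image or a test tree), counts lines of a DNS/proxy/flow log that mention the C2 hosts, and goes one step beyond the single plist name with a broader heuristic, since Apple's own daemons live under /System/Library/LaunchDaemons and any com.apple.* plist in /Library/LaunchDaemons was planted by third-party code. The report's defanged indicators are refanged for matching; the fixture tree and log lines it builds are constructed.

```shell
#!/bin/sh
# IoC hunt for the indicators above. Run with a root argument ("/" for a live
# host, or a mounted image); with no argument it runs on a constructed fixture.
# Added example (not SentinelOne's code); indicator values are the report's.

# On-disk indicators, relative to the root being checked.
ZURU_PATHS="Library/LaunchDaemons/com.apple.xssooxxagent.plist
Users/Shared/com.apple.xssooxxagent
private/tmp/Termius
tmp/.fseventsd
tmp/apple-local-ipc.sock.lock"

# Network indicators (the report defangs them as termius[.]info etc.).
ZURU_NET="download.termius.info
ctl01.termius.fun
47.238.28.21"

# Each function prints matches to stderr and echoes its hit count to stdout.
count_path_hits() {
    root=${1%/}
    n=0
    for p in $ZURU_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "HIT path: $root/$p" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Broader heuristic than the one plist name: Apple ships its daemons in
# /System/Library/LaunchDaemons, so a com.apple.* plist in /Library/LaunchDaemons
# did not come from Apple.
count_apple_named_daemons() {
    dir="${1%/}/Library/LaunchDaemons"
    n=0
    [ -d "$dir" ] || { echo 0; return; }
    for f in "$dir"/com.apple.*.plist; do
        [ -e "$f" ] || continue   # glob matched nothing
        echo "HIT launchdaemon: $f" >&2
        n=$((n + 1))
    done
    echo "$n"
}

# Count log lines that mention any C2 host or address (fixed-string match, so
# the dots in the indicators are not treated as regex wildcards).
count_net_hits() {
    n=0
    for ioc in $ZURU_NET; do
        c=$(grep -Fc -- "$ioc" "$1" || true)
        if [ "$c" -gt 0 ]; then
            echo "HIT net: $ioc ($c lines in $1)" >&2
            n=$((n + c))
        fi
    done
    echo "$n"
}

# Constructed fixture: a root with two of the file indicators present and a
# constructed log (made-up timestamps and internal hosts) with three C2 lines.
build_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/Library/LaunchDaemons" "$fx/tmp"
    : > "$fx/Library/LaunchDaemons/com.apple.xssooxxagent.plist"
    : > "$fx/tmp/.fseventsd"
    cat > "$fx/sample.log" <<'EOF'
2025-07-10T09:14:02Z dns A download.termius.info from 10.0.0.12
2025-07-10T09:14:03Z http GET http://download.termius.info/bn.log.md5 200
2025-07-10T09:14:09Z flow 10.0.0.12:51234 -> 47.238.28.21:53
2025-07-10T09:15:00Z dns A updates.example.net from 10.0.0.12
EOF
    echo "$fx"
}

root=${1:-$(build_fixture)}
echo "path hits:         $(count_path_hits "$root")"
echo "com.apple daemons: $(count_apple_named_daemons "$root")"
if [ -f "$root/sample.log" ]; then
    echo "network hits:      $(count_net_hits "$root/sample.log")"
fi
```

On a real host, run `sh hunt.sh /` for the file checks and point `count_net_hits` at an exported resolver or proxy log; the functions keep human-readable matches on stderr and a bare count on stdout so they slot into a larger triage script or a scheduled job without parsing.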
This latest ZuRu variant underscores the persistent threat to macOS users, particularly those in development and IT roles. The malware authors' continuous adaptation of techniques, while retaining certain consistent patterns, highlights the need for robust endpoint protection and vigilance against trojanized applications. As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
Modified Khepri C2 Hides Inside Doctored Termius App, SentinelOne.
New ZuRu Malware Variant Targeting Developers via Trojanized Termius macOS App, The Hacker News.