Malware

Weaponized Termius app spreads updated ZuRu macOS malware

Privacy concept: pixelated words Malware on digital background, 3d render

Malicious actors have utilized a trojanized version of the crossplatform SSH client and servermanagement tool Termius to deliver an updated iteration of the ZuRu macOS malware, according to The Hacker News.

Attacks with the latest ZuRu variant involved the use of a .dmg disk image with a breached Termius.app version integrated with a pair of additional executables allowing Khepri command-and-control beacon download and execution, a report from SentinelOne showed. Such a loader not only ensures persistence and tracks the presence of malware but also downloads a new version in the event of incongruence between the hash values, with researchers noting the mechanism to guarantee the spread of an uncorrupted payload. "The shift in technique from Dylib injection to trojanizing an embedded helper application is likely an attempt to circumvent certain kinds of detection logic. Even so, the actor's continued use of certain TTPs from choice of target applications and domain name patterns to the reuse of file names, persistence and beaconing methods suggest these are offering continued success in environments lacking sufficient endpoint protection," said researchers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds