Malicious actors have used a trojanized version of Termius, the cross-platform SSH client and server-management tool, to deliver an updated iteration of the ZuRu macOS malware, according to The Hacker News.
Attacks with the latest ZuRu variant involved a .dmg disk image containing a trojanized Termius.app bundle together with a pair of additional executables that download and execute a Khepri command-and-control beacon, a report from SentinelOne showed. The loader not only establishes persistence and checks that the malware is still present, but also downloads a fresh copy whenever the hash values do not match, a mechanism researchers noted is intended to guarantee that an uncorrupted payload is deployed. "The shift in technique from Dylib injection to trojanizing an embedded helper application is likely an attempt to circumvent certain kinds of detection logic. Even so, the actor's continued use of certain TTPs, from choice of target applications and domain name patterns to the reuse of file names, persistence and beaconing methods, suggests these are offering continued success in environments lacking sufficient endpoint protection," said researchers.
