Mac Users Targeted by Trojanized iTerm2 App

Earlier this month, a user on Chinese question-and-answer website Zhihu reported that a search engine result for the keyword “iTerm2” led to a fake website called that mimics the legitimate A fake version of the iTerm2 app, a macOS terminal emulator, can be downloaded from a link found in When this app is executed, it downloads and runs, a malicious Python script from 47[.]75[.]123[.]111. This malware, which Trend Micro has detected as TrojanSpy.Python.ZURU.A, collects private data from a victim’s machine.

Objective-See previously published a blog entry about this malware, which analyzed how the threat actor repacks the iTerm2 app to load the malicious libcrypto.2.dylib. This library, in turn, downloads and runs other components, including the aforementioned Python script and a Mach-O file called “GoogleUpdate” that contains a Cobalt Strike beacon payload. This blog entry covers the malware’s details.

Source: Trend Micro