Earlier this month, a user on the Chinese question-and-answer website Zhihu reported that a search engine result for the keyword “iTerm2” led to a fake website called iterm2.net that mimics the legitimate iterm2.com. A fake version of the iTerm2 app, a macOS terminal emulator, can be downloaded from a link found on iterm2.net. When this app is executed, it downloads and runs g.py, a malicious Python script, from 47[.]75[.]123[.]111. This malware, which Trend Micro detects as TrojanSpy.Python.ZURU.A, collects private data from a victim’s machine.
Objective-See previously published a blog entry about this malware, which analyzed how the threat actor repacks the iTerm2 app to load the malicious libcrypto.2.dylib. This library, in turn, downloads and runs other components, including the aforementioned g.py script and a Mach-O file called “GoogleUpdate” that contains a Cobalt Strike beacon payload. This blog entry covers the malware’s details.
Source: Trend Micro