Hackers are using legitimate Mac tools to spread the dangerous macOS.ZuRu trojan, hiding it inside popular apps so that users are tricked into installing malware, security experts have warned.
Trojan camouflaged in the popular SSH application Termius
During the recent campaign, the attack team inserted the ZuRu trojan into the installer of Termius, a cross-platform SSH application commonly used to manage remote servers.
Once installed, the macOS.ZuRu trojan runs in the background, maintains unauthorized access, and can download additional malicious components and execute commands sent remotely from the attacker’s server.
First detected in China in July 2021 through a Baidu search, the trojan has been used to infect popular macOS developer tools such as SecureCRT, Navicat, and Microsoft Remote Desktop for Mac.
New, more sophisticated variants and effective user deception
Since last year, pirated apps have started to carry new ZuRu variants with stronger remote-control capabilities that bypass traditional macOS protections.
The latest variant of macOS.ZuRu continues its habit of forging legitimate macOS applications, especially those popular among programmers and IT professionals. The attack team replaced the developer’s original code signature with a temporary one of their own, in order to bypass Apple’s authentication checks and plant malicious code in the app without the user’s knowledge.
Campaign targets systems without endpoint protection, focusing on recent macOS versions
According to the experts’ analysis, the macOS.ZuRu distribution campaign primarily targets macOS systems that are not fully equipped with endpoint protection. The malicious code is distributed as a .dmg installer containing a trojanized version of the legitimate application Termius.app, the popular SSH server management tool.
Compared to the genuine version (~225MB), the trojanized version is larger (~248MB) because additional malicious payloads are embedded in it. When the user runs the .dmg file, the trojan automatically starts its loader alongside the original Termius application, so that it stays unnoticed and avoids the victim’s suspicion.
The new variant of ZuRu is tailored to modern macOS systems and requires Sonoma version 14.1 (released October 2023) or later to run. Once set up successfully, the malware is able to maintain a stable C2 (command-and-control) connection and performs a variety of intrusion actions, such as:
- Data exfiltration, including transferring files out of the compromised system
- Gather system information
- Manipulate system processes
- Remote command execution, returning the output to the attacker from the compromised system
The trojan uses Khepri, an open-source beacon that underpins the remote-control mechanism and the communication with the C2 server. In recent campaigns, the attack group has used malicious domains such as:
- termius[.]fun
- termius[.]info
WhiteHat expert: Beware macOS app containing ZuRu code
In light of the growing threat from malicious code hidden in legitimate macOS applications, of which the macOS.ZuRu trojan is a typical example, WhiteHat experts recommend:
1. Notes for users and businesses:
Never download software from an unknown source
- Do not access or download apps from unofficial websites, especially those using fraudulent domain names such as termius[.]fun or termius[.]info.
- Avoid downloading software from ad search results, especially from less popular search engines.
Install only apps from the App Store or official website
- Always download the software from the Mac App Store or the developer’s official website to ensure the integrity and safety of the installer package.
- Avoid using cracked, pirated, or unverified shared copies.
Check the code signature of the application before installing
- For advanced users, it is recommended to use the codesign or spctl tool to check whether the application is validly signed by its developer.
- Any app whose code signature has changed, or that carries only an “ad hoc” signature, should be treated as suspicious.
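As an added example (not from the WhiteHat advisory or the Termius project), the following POSIX shell helper wraps codesign and spctl to flag exactly the case described above: a bundle whose Developer ID signature has been swapped for an ad hoc one. Bundle paths, bundle identifiers and the team ID are placeholders.

```shell
#!/bin/sh
# Added example, not part of the WhiteHat advisory: classify the signature that
# `codesign -dv --verbose=4` reports and refuse bundles that are unsigned or only
# ad hoc signed. All paths and identifiers below are placeholders.

# classify_signature: reads codesign -dv output on stdin and prints one of
#   unsigned | adhoc | developer-id | app-store | other
# An ad hoc signature has no certificate chain, so codesign prints no
# Authority= lines and reports "Signature=adhoc" instead.
classify_signature() {
    out=$(cat)
    case "$out" in
        *"not signed at all"*)                          echo unsigned ;;
        *"Signature=adhoc"*)                            echo adhoc ;;
        *"Authority=Developer ID Application:"*)        echo developer-id ;;
        *"Authority=Apple Mac OS Application Signing"*) echo app-store ;;
        *)                                              echo other ;;
    esac
}

# check_app: run on macOS against a real bundle. Returns 0 only when the
# signature is intact AND chains to a Developer ID or App Store certificate AND
# Gatekeeper (spctl) accepts the bundle. `codesign --verify` alone is not
# enough: an ad hoc signed bundle is internally consistent and passes it.
check_app() {
    app="$1"
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "BROKEN/UNSIGNED: $app"; return 1
    fi
    kind=$(codesign -dv --verbose=4 "$app" 2>&1 | classify_signature)
    case "$kind" in
        developer-id|app-store) ;;
        *) echo "SUSPICIOUS ($kind signature): $app"; return 1 ;;
    esac
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "REJECTED by Gatekeeper: $app"; return 1
    fi
    echo "OK ($kind): $app"
}

# Usage on macOS, e.g.:  check_app /Applications/Termius.app   (placeholder path)
```

Only classify_signature runs without macOS; check_app needs the real codesign and spctl binaries.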
Install trusted endpoint protection
- Use specialized macOS security solutions from reputable vendors such as ESET, Bitdefender, CrowdStrike, SentinelOne, etc.
- Prioritize software with behavioral detection and app access control.
Update macOS and security software regularly
- Always update macOS to the latest version to receive security patches from Apple.
- Enable automatic updates for antivirus software and related security applications.
2. Notes for general users:
If you’ve previously downloaded an app from an obscure source, or recently installed server management software such as Termius from a site other than the App Store, do the following:
- Uninstall the app immediately, especially if it shows signs of abnormal behaviour (startup problems, unusual system activity, etc.).
- Scan your entire system with the latest antivirus software.
- Contact a cybersecurity expert or an internal IT team if you are using a computer in a corporate setting.
Its forgery of legitimate tools, together with its broad compatibility and sophisticated hiding mechanism, makes ZuRu one of the most worrying threats to macOS users, especially developers and IT professionals working in environments that lack advanced defenses.