Warning: Trojanised Mac Apps Target Unsuspecting Users with ZuRu Malware
- Dean Charlton
- Jul 11, 2025
A significant cybersecurity threat is circulating, with hackers actively poisoning search results to distribute compromised macOS applications bundled with a sophisticated trojan known as macOS.ZuRu. SentinelOne, a leading cybersecurity firm, has issued a stark warning about this campaign, which preys on users unknowingly downloading seemingly legitimate software.
The modus operandi involves injecting the macOS.ZuRu trojan into popular Mac utilities, particularly those favored by developers and IT professionals. In a recent instance, the secure shell (SSH) client and remote server-management tool, Termius, was found to be trojanised. This tactic allows the malware to operate covertly in the background, establishing persistent access and enabling attackers to remotely download additional harmful components and execute commands on the infected machine.

The macOS.ZuRu backdoor is not new, having first emerged in China in July 2021, initially spread through tainted Baidu search results. Since then, it has consistently targeted popular macOS development tools like SecureCRT, Navicat, and Microsoft’s Remote Desktop for Mac. Recent variants demonstrate increased sophistication, boasting enhanced remote command and control capabilities.
Attackers sidestep macOS's native code-signing protections by replacing the original developer's signature with their own temporary one, so the compromised applications still appear legitimate to the operating system. SentinelOne researchers highlight that environments lacking robust endpoint protection are particularly vulnerable to these attacks.
The malicious bundles are slightly larger than their clean counterparts, a detail easily overlooked by users. For example, a trojanised Termius disk image was found to be 248MB, compared with the legitimate 225MB version, the difference being the added malicious binaries. Upon execution, both the malware loader and the genuine application launch simultaneously, so the victim remains unaware of the compromise.
Alarmingly, this updated malware variant targets the latest macOS versions, specifically requiring Sonoma 14.1 (released October 2023) or later. Once established, the ZuRu trojan, leveraging the open-source Khepri beacon for command and control, grants attackers extensive capabilities, including file transfer, system reconnaissance, process execution and control, and remote command execution with output capture.
Given the stealthy nature and advanced capabilities of macOS.ZuRu, how can average Mac users and professionals effectively verify the authenticity of applications downloaded from third-party sources and protect themselves from such sophisticated supply chain attacks?
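One practical answer to that question, as an added example that is not part of the original article or of SentinelOne's research, is to check the signing identity rather than just whether the bundle is signed at all. The script below parses the output of Apple's `codesign -dv --verbose=4` and accepts a bundle only if its Team Identifier matches the one the vendor publishes and the signature chains to Apple's Developer ID CA; a re-signed bundle with an ad hoc or wrong-team signature fails. The Team ID `EXAMPLE123`, the vendor name and the sample `codesign` output are constructed placeholders, not Termius's real values; `check_app_bundle` only works on a Mac because it runs `codesign` and `spctl`.

```shell
#!/bin/sh
# Added example (not from the article or SentinelOne): decide whether a macOS app
# bundle's code signature belongs to the expected developer, using codesign's output.
# Team IDs, vendor names and sample outputs below are constructed placeholders.

# verify_identity EXPECTED_TEAM_ID CODESIGN_OUTPUT
# Prints OK or a FAIL reason; returns 0 only when the signature carries the expected
# Developer ID Team Identifier. A re-signed (ad hoc or wrong-team) bundle fails.
verify_identity() {
    expected="$1"
    output="$2"

    # codesign reports "Signature=adhoc" for ad hoc signatures, which carry no
    # developer identity at all.
    case "$output" in
        *"Signature=adhoc"*) echo "FAIL: ad hoc signature, no developer identity"; return 1 ;;
    esac

    team=$(printf '%s\n' "$output" | sed -n 's/^TeamIdentifier=//p')
    if [ -z "$team" ] || [ "$team" = "not set" ]; then
        echo "FAIL: no TeamIdentifier in signature"; return 1
    fi
    if [ "$team" != "$expected" ]; then
        echo "FAIL: TeamIdentifier $team does not match expected $expected"; return 1
    fi

    # A genuine Developer ID signature chains to Apple's Developer ID CA.
    case "$output" in
        *"Authority=Developer ID Certification Authority"*) ;;
        *) echo "FAIL: not a Developer ID signature"; return 1 ;;
    esac

    echo "OK"
    return 0
}

# check_app_bundle APP_PATH EXPECTED_TEAM_ID
# macOS only: runs codesign and the Gatekeeper assessment against a bundle on disk.
check_app_bundle() {
    app="$1"
    expected="$2"
    out=$(codesign -dv --verbose=4 "$app" 2>&1) || { echo "FAIL: codesign could not read $app"; return 1; }
    verify_identity "$expected" "$out" || return 1
    # spctl exits non-zero for bundles Gatekeeper would not accept for execution.
    spctl --assess --type execute "$app" >/dev/null 2>&1 || { echo "FAIL: Gatekeeper rejected $app"; return 1; }
    echo "OK: $app is signed by $expected and accepted by Gatekeeper"
}

# Constructed sample outputs in the shape codesign -dv --verbose=4 prints.
SAMPLE_GENUINE='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Vendor (EXAMPLE123)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLE123'

SAMPLE_RESIGNED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Signature=adhoc
TeamIdentifier=not set'

# Self-test on the constructed samples (the second call is expected to fail).
verify_identity EXAMPLE123 "$SAMPLE_GENUINE"
verify_identity EXAMPLE123 "$SAMPLE_RESIGNED" || true
# On a Mac, after looking up the vendor's Team ID from an independent source:
#   check_app_bundle /Applications/Example.app EXAMPLE123
```

The expected Team ID has to come from somewhere other than the download itself (the vendor's website or a previously installed, trusted copy); comparing against whatever identity the downloaded bundle happens to carry proves nothing, which is exactly the gap the re-signing described above exploits.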