macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

Medium
Published: Thu Jul 10 2025 (07/10/2025, 17:53:18 UTC)
Source: AlienVault OTX General

Description

A new variant of macOS.ZuRu malware has been discovered, targeting users through a trojanized version of the Termius app. This backdoor, first noted in 2021, now uses a modified Khepri C2 framework for post-infection operations. The malware is delivered via a .dmg disk image containing a hacked version of Termius.app. It adds two executables to the embedded Termius Helper.app and uses a new method to trojanize legitimate applications. The malware installs persistence via a LaunchDaemon and includes an MD5-based updater mechanism. The payload obtained from the C2 is a modified Khepri beacon with capabilities for file transfer, system reconnaissance, and command execution. The threat actor continues to target developers and IT professionals, adapting their techniques to evade detection.

AI-Powered Analysis

Last updated: 07/10/2025, 18:46:44 UTC

Technical Analysis

The macOS.ZuRu malware has resurfaced with a new variant that targets macOS users by distributing a trojanized version of the Termius SSH client application. This malware campaign leverages a modified Khepri Command and Control (C2) framework to conduct post-infection activities. The infection vector involves a malicious .dmg disk image containing a compromised Termius.app, which has been altered to include two additional executables embedded within the Termius Helper.app. This new trojanization method allows the malware to masquerade as a legitimate application, increasing the likelihood of user installation and evasion of detection mechanisms. Once installed, the malware establishes persistence on the infected system via a LaunchDaemon, ensuring it runs continuously across reboots. It also incorporates an MD5-based updater mechanism to maintain and update its payload stealthily. The payload itself is a modified Khepri beacon that enables the threat actor to perform a variety of malicious actions, including file transfers, system reconnaissance, and arbitrary command execution. The campaign specifically targets developers and IT professionals, likely due to their frequent use of SSH clients like Termius and their access to sensitive infrastructure. The malware’s capabilities align with multiple MITRE ATT&CK techniques such as T1021.004 (Remote Services: SSH), T1553.001 (Subvert Trust Controls: Code Signing), T1082 (System Information Discovery), T1140 (Deobfuscate/Decode Files or Information), T1543.004 (Create or Modify System Process: Launch Daemon), T1057 (Process Discovery), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1059.004 (Command and Scripting Interpreter: AppleScript), T1027 (Obfuscated Files or Information), T1071.001 (Application Layer Protocol: Web Protocols), T1105 (Ingress Tool Transfer), and T1569.002 (System Services: Service Execution). Indicators of compromise include specific file hashes and domains used for C2 communications. Although no CVE or known exploits in the wild are reported, the malware’s stealthy persistence and targeting of privileged users make it a significant threat to macOS environments.

Potential Impact

For European organizations, particularly those employing macOS devices in development, IT operations, or infrastructure management, this threat poses a substantial risk. The malware’s ability to establish persistence and execute arbitrary commands can lead to unauthorized access to sensitive systems, data exfiltration, and lateral movement within corporate networks. Developers and IT professionals are prime targets, meaning organizations with sizable technical teams using Termius or similar SSH clients are at elevated risk. Compromise could result in intellectual property theft, disruption of critical services, and potential exposure of confidential customer or business data. Additionally, the malware’s evasion techniques and updater mechanism complicate detection and remediation efforts, increasing dwell time and potential damage. The use of legitimate-looking applications as infection vectors may also undermine user trust and complicate incident response. Given the increasing adoption of macOS in enterprise environments across Europe, the threat could impact sectors such as finance, technology, telecommunications, and government agencies, where secure remote access tools are prevalent.

Mitigation Recommendations

To mitigate this threat effectively, European organizations should implement a multi-layered defense strategy tailored to the specifics of this campaign:

1) Enforce strict application whitelisting policies to prevent execution of unauthorized or trojanized applications, especially for critical tools like SSH clients.
2) Verify the integrity and authenticity of software downloads by using official sources and validating digital signatures before installation.
3) Deploy endpoint detection and response (EDR) solutions with capabilities to detect anomalous LaunchDaemon creations, suspicious helper app modifications, and unusual network communications to known malicious domains.
4) Monitor network traffic for connections to the identified C2 domains (e.g., ctl01.macnavicat.com, ctl01.termius.fun) and block or alert on such communications.
5) Educate developers and IT staff on the risks of installing software from untrusted sources and encourage the use of managed software deployment tools.
6) Implement robust logging and monitoring of system processes and file changes, focusing on MD5 hash changes indicative of updater mechanisms.
7) Regularly audit macOS systems for persistence mechanisms such as LaunchDaemons and unauthorized helper app modifications.
8) Employ network segmentation to limit the lateral movement potential of compromised endpoints.
9) Maintain up-to-date backups and incident response plans tailored to macOS environments to enable rapid recovery if infection occurs.
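As an added example (not code from the OTX pulse, SentinelOne or Termius), this Python script implements a small version of points 3, 6 and 7 above: it audits LaunchDaemon plists for binaries launched from outside system paths, from inside an embedded Helper.app bundle, or with always-on RunAtLoad/KeepAlive, and matches DNS or proxy log lines against the four domains listed under Indicators of Compromise. The daemon label, bundle path and log lines in the sample are constructed, and TRUSTED_ROOTS is an assumed allowlist to tune per fleet.

```python
import plistlib
import re
from pathlib import Path

# C2 and staging domains listed under Indicators of Compromise in this record.
IOC_DOMAINS = {"ctl01.macnavicat.com", "ctl01.termius.fun",
               "download.finalshell.cc", "download.termius.info"}
# Assumed allowlist: roots a daemon binary is normally launched from (tune per fleet).
TRUSTED_ROOTS = ("/usr/", "/bin/", "/sbin/", "/System/", "/Library/Apple/")

def daemon_program(plist):
    """Executable a launchd plist would run: Program, else ProgramArguments[0]."""
    args = plist.get("ProgramArguments") or [None]
    return plist.get("Program") or args[0]

def audit_daemon(plist, label):
    """Findings for one parsed plist dict; an empty list means nothing was flagged."""
    prog = daemon_program(plist)
    findings = []
    if not prog:
        return findings
    if not prog.startswith(TRUSTED_ROOTS):
        findings.append(f"{label}: launches non-system binary {prog}")
    # Executables added to an app's embedded Helper.app is the trojanizing pattern above.
    if re.search(r"Helper\.app/Contents/MacOS/", prog):
        findings.append(f"{label}: binary lives inside a Helper.app bundle")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append(f"{label}: RunAtLoad+KeepAlive keeps it resident")
    return findings

def audit_directory(directory="/Library/LaunchDaemons"):
    """Run audit_daemon over every .plist in a directory (XML or binary plists)."""
    paths = sorted(Path(directory).glob("*.plist"))
    return [f for p in paths for f in audit_daemon(plistlib.loads(p.read_bytes()), p.name)]

def ioc_hits(log_lines):
    """(line_number, domain) for each DNS/proxy log line that names an IoC domain."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in re.findall(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", line):
            if host.lower() in IOC_DOMAINS:
                hits.append((n, host.lower()))
    return hits

# Constructed sample input, not taken from the report: a daemon shaped like the
# described persistence (hypothetical label and path) and two DNS log lines.
SAMPLE_DAEMON = {"Label": "com.example.helper", "RunAtLoad": True, "KeepAlive": True,
                 "ProgramArguments": ["/Applications/Termius.app/Contents/Frameworks/"
                                      "Termius Helper.app/Contents/MacOS/helper"]}
SAMPLE_LOG = ["12:00:01 query A download.termius.info", "12:00:02 query A apple.com"]
```

Call audit_directory() on a Mac to walk /Library/LaunchDaemons; the parsing uses only the standard library, so the logic itself can be exercised on any platform.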

Technical Details

Author
AlienVault
TLP
white
References
https://www.sentinelone.com/blog/macos-zuru-resurfaces-modified-khepri-c2-hides-inside-doctored-termius-app
Adversary
null
Pulse Id
686ffe0e4f96bdedcb713829
Threat Score
null

Indicators of Compromise

Hash

a7a9b0f8cc1c89f5c195af74ce3add74733b15c0
ace81626924c34dfbcd9a485437cbb604e184426
de8aca685871ade8a75e4614ada219025e2d6fd7
fa9b89d4eb4d47d34f0f366750d55603813097c1

Domain

ctl01.macnavicat.com
ctl01.termius.fun
download.finalshell.cc
download.termius.info

Threat ID: 687006eaa83201eaaca92a46

Added to database: 7/10/2025, 6:31:06 PM

Last enriched: 7/10/2025, 6:46:44 PM

Last updated: 7/11/2025, 4:17:45 AM