Researcher Finds Malware Targeting Mac Users via Baidu Ad
The Ad, Now Deleted, Lured Users to a Phishing Website to Harvest Credentials
Chinese security researcher Pan Xiaopan has discovered malware targeting Mac users that was spread via a paid advertisement on the search engine Baidu in order to harvest user credentials. The advertisement has now been taken down.
The sponsored link, which appeared on the Chinese search engine when a user query included the keyword 'iTerm2', led users to a phishing website, Xiaopan says. The user would then be prompted to download the iTerm2 app, which in reality was the malware disguised as the macOS terminal emulator, he says.
The sponsored link has now been taken down by Baidu's security team, while Apple has revoked the code signing certificate used by the malware, says Patrick Wardle, who creates security tools for macOS.
Baidu and Apple did not immediately respond to Information Security Media Group's request for comment.
iTerm2's popularity, which has grown over the years - especially among developers and security researchers - makes it "an ideal app to Trojanize and infect people who may have access to development system, research intelligence, etc," according to a blog post by Thomas Reed, a Mac expert at cybersecurity firm Malwarebytes.
The use of the Chinese language likely means that the malware targets China and other Southeast Asian countries, says Reed, adding that this was tough to confirm because "Malwarebytes has a relatively small install base" in the region.
Sponsored Ad Lure
Xiaopan first observed the malicious advertising link on Sept. 8, when he searched for iTerm2 on Baidu. Sponsored ads related to the search query are usually displayed at the top of a search results page, followed by organic search results. The case here was no different - Baidu displayed the malicious ad link at the top of the search results page, says Xiaopan.
The malicious link was disguised using the domain name iTerm2[.]net, which resembles the original iTerm2[.]com, he says. "The fact that the malicious site masquerades as the legitimate one is unsurprising, as the malware's attack vector is based on simple trickery," says Wardle.
On clicking the download option on the phishing website, an iTerm2.dmg disk image, which Xiaopan refers to as a "really poisonous file," was downloaded from the domain kaidingle[.]com.
This disk image should have been the first red flag, says Malwarebytes' Reed. The real iTerm2 is distributed in a zip file, he adds.
"For an app with a very professionally designed website, the disk image file is quite unpolished. It also includes a link to the applications folder with a Chinese name, which is unusual for an app that is English-only and does not contain any Chinese localization files," Reed says.
Xiaopan's security software blocked further execution of the file, which he says alerted him to the possible presence of malware. Going past the security block, he discovered that the malicious software connected to the address 47.75.123[.]111, from which it fetched and executed a file named g[.]py. After execution, "various information [from the user's machine] was collected and uploaded to an Alibaba Cloud-related server," he says.
But Xiaopan says his "limited ability" prevented him from precisely confirming where the malware code resided in the [.]dmg file.
Wardle followed Xiaopan's steps and found that the fake iTerm application in the downloaded disk image had been signed by a certain Jun Bi (AQPZ6F3ASY), whose code signing certificate has now been revoked by Apple. The application was not notarized, which means that it had not been checked by Apple for malicious components, he says.
The legitimate iTerm2 application is signed by George Nachman and is fully notarized, Wardle adds.
The researcher then compared the files of the legitimate and malicious versions of the iTerm2 application, including several Mach-O binaries. He says he found that the only difference was a file named libcrypto[.]2[.]dylib, which on execution connected to the address 47.75.123[.]111, from where it downloaded the malicious Python file and a Mach-O binary.
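The comparison Wardle describes, reconstructed as an added example rather than the researcher's own tooling: hash every file in a known-good copy of an app bundle and in a suspect copy, then report what was added, removed or modified. The bundle layout, file contents and paths below are constructed stand-ins, not the real iTerm2 bundle.

```python
import hashlib
import os
import tempfile

# Recursively hash every file under a bundle directory. Keys are paths
# relative to the bundle root so two copies can be compared directly.
def hash_tree(root):
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

# Compare a suspect bundle against a known-good copy. Returns the files
# that were added, removed or modified in the suspect copy.
def diff_bundles(good_root, suspect_root):
    good, suspect = hash_tree(good_root), hash_tree(suspect_root)
    return {
        "added": sorted(set(suspect) - set(good)),
        "removed": sorted(set(good) - set(suspect)),
        "modified": sorted(p for p in good.keys() & suspect.keys() if good[p] != suspect[p]),
    }

# Constructed sample: two miniature bundle trees mimicking the case in the
# article, where the trojanized copy differs only by one injected dylib.
def build_sample():
    base = tempfile.mkdtemp()
    layout = {
        "Contents/MacOS/iTerm2": b"\xcf\xfa\xed\xfe constructed main binary",
        "Contents/Frameworks/libssl.dylib": b"\xcf\xfa\xed\xfe constructed libssl",
    }
    good = os.path.join(base, "good.app")
    bad = os.path.join(base, "suspect.app")
    for root in (good, bad):
        for rel, data in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
    injected = os.path.join(bad, "Contents/Frameworks/libcrypto.2.dylib")
    with open(injected, "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe constructed stand-in for the injected loader")
    return good, bad

if __name__ == "__main__":
    good, bad = build_sample()
    print(diff_bundles(good, bad))
```

Run against a real download, point the two arguments at a bundle fetched from the vendor's official site and at the suspect copy; any unexplained entry under "added" or "modified" is the file to examine next.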
At the time, this dylib file was not flagged as malicious by antivirus engines, Wardle says. He checked the file on VirusTotal, a service that scans submitted samples with multiple antivirus engines.
Analyzing the g[.]py file and the Mach-O binary named GoogleUpdate, Wardle says he found that the former is a Python script that loads the malware, while the binary establishes contact with a Cobalt Strike server at 47[.]75[.]96[.]198[:]443.
Wardle says he found that the Python code exfiltrates sensitive information from the victim's computer, including the machine serial number, documents and folders, SSH credentials, the victim's keychains, which may contain credentials to other personal accounts, and the config files for SecureCRT and iTerm2, which are both terminal emulator programs.
"The primary goal of the g[.]py script seems to be to harvest credentials and other data that would be of use for lateral movement within an organization. Presumably, the backdoor provided by the Google Update process would be used to perform that lateral movement and infect other machines," says Reed.
During his study, Wardle says he found that Microsoft Remote Desktop (com.microsoft.rdc.macos), Secure CRT (SecureCRT.dmg) and Navicat Premium (Navicat15_cn.dmg) were also Trojanized using the same libcrypto[.]2[.]dylib file.
A user on the Zhihu forum, where Xiaopan originally posted his research findings, says that Baidu's security team initially posted an analysis article [of the incident], but deleted it on the same day. Another user claims that the owner of the promotion account through which the sponsored link was posted is registered under the name Jixi Heiwo Ecological Agriculture Technology Co., Ltd.
While the researchers did not offer specific remediation measures for such malware campaigns, a Zhihu forum user suggests using an ad-blocking plug-in that blocks sponsored ads and content.