Objective-see previously published a blog entry about this malware, which analyzed how the threat actor repacks the iTerm2 app to load the malicious libcrypto.2.dylib. This library, in turn, downloads and runs other components, including the aforementioned g.py script and a Mach-O file called "GoogleUpdate" that contains a Cobalt Strike beacon payload. This blog entry covers the malware's details.

The trojanized app

As of September 15, the fraudulent website is still active. However, the malicious file is not hosted on this website directly. Instead, the website contains a link, hxxp://, from which users can download a macOS disk image file (DMG) called iTerm.dmg. The user is redirected to this same download URL for iTerm.dmg regardless of which app version the user selects on the fake website; the real website has different URLs and files for the various versions. The files downloaded from the legitimate website come in ZIP format, as opposed to the DMG file served by the fraudulent website, as shown in Figure 2.

According to Objective-see's blog post, the malicious code contained in the libcrypto.2.dylib file executes automatically when the victim runs the trojanized iTerm2 app. This is a clever method for repacking legitimate apps that we have not seen before. Once executed, the malware connects to its server and receives these instructions from it:
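The repacking technique above, a bundled libcrypto.2.dylib that the trojanized iTerm2 binary loads at launch, leaves a trace in the Mach-O load commands of the main executable, so one quick triage step is to diff those load commands against the legitimate build obtained from the real website's ZIP. The script below is an added example, not code from this post or from Objective-see's analysis: it parses the LC_LOAD_DYLIB family and LC_RPATH commands of a thin little-endian Mach-O and reports libraries that the known-good build does not link. The two binaries it inspects are constructed inline; the `@rpath/libcrypto.2.dylib` import and the `@executable_path/../Frameworks` rpath are assumptions standing in for a trojanized layout, not values observed in the sample. On a real case, read `iTerm.app/Contents/MacOS/iTerm2` from both the DMG and the ZIP and pass the bytes to `unexpected_dylibs`.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O, little-endian on disk
MH_MAGIC = 0xFEEDFACE             # 32-bit Mach-O
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
LC_LOAD_UPWARD_DYLIB = 0x80000023
LC_RPATH = 0x8000001C
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}


def _lc_str(data, cmd_off, cmd_size, str_off):
    """Read a NUL-terminated lc_str that must lie inside its load command."""
    start = cmd_off + str_off
    end = data.index(b"\x00", start, cmd_off + cmd_size)   # raises if unterminated
    return data[start:end].decode("utf-8", "replace")


def linked_dylibs(data):
    """Return (dylib paths, rpaths) declared by a thin little-endian Mach-O."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a thin little-endian Mach-O (fat binaries must be sliced first)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    dylibs, rpaths = [], []
    off = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        # Refuse to walk past the declared load-command region (bounds check on malformed input).
        if cmdsize < 8 or off + cmdsize > header_size + sizeofcmds:
            raise ValueError("malformed load command")
        if cmd in DYLIB_CMDS:
            name_off = struct.unpack_from("<I", data, off + 8)[0]   # dylib.name offset
            dylibs.append(_lc_str(data, off, cmdsize, name_off))
        elif cmd == LC_RPATH:
            path_off = struct.unpack_from("<I", data, off + 8)[0]   # rpath.path offset
            rpaths.append(_lc_str(data, off, cmdsize, path_off))
        off += cmdsize
    return dylibs, rpaths


def unexpected_dylibs(suspect, baseline_dylibs):
    """Libraries the suspect binary links that the known-good build does not."""
    dylibs, _ = linked_dylibs(suspect)
    return sorted(set(dylibs) - set(baseline_dylibs))


# --- constructed sample binaries (not real iTerm2 executables) -------------
def _dylib_cmd(name):
    raw = name.encode() + b"\x00"
    pad = (-(24 + len(raw))) % 8                     # load commands are 8-byte aligned
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(raw) + pad,
                       24, 2, 0x10000, 0x10000) + raw + b"\x00" * pad


def _rpath_cmd(path):
    raw = path.encode() + b"\x00"
    pad = (-(12 + len(raw))) % 8
    return struct.pack("<III", LC_RPATH, 12 + len(raw) + pad, 12) + raw + b"\x00" * pad


def build_macho(cmds):
    body = b"".join(cmds)
    # magic, cputype x86_64, cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                       len(cmds), len(body), 0, 0) + body


CLEAN_IMPORTS = ["/usr/lib/libSystem.B.dylib",
                 "/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa"]
CLEAN_BIN = build_macho([_dylib_cmd(n) for n in CLEAN_IMPORTS])
# Assumed trojanized layout: same imports plus an rpath and an @rpath-loaded libcrypto.2.dylib.
SUSPECT_BIN = build_macho([_dylib_cmd(n) for n in CLEAN_IMPORTS]
                          + [_rpath_cmd("@executable_path/../Frameworks"),
                             _dylib_cmd("@rpath/libcrypto.2.dylib")])

if __name__ == "__main__":
    baseline, _ = linked_dylibs(CLEAN_BIN)
    extra = unexpected_dylibs(SUSPECT_BIN, baseline)
    _, rpaths = linked_dylibs(SUSPECT_BIN)
    print("extra dylibs:", extra)
    print("rpaths:", rpaths)
```

Universal (fat) binaries start with a different magic and must be sliced (for example with lipo) before parsing, which the function signals by raising. A matching import list is not proof of a clean binary, since a repack could also patch existing code rather than add a library, so pair this diff with a codesign verification of the whole bundle.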