macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

A new variant of the macOS.ZuRu malware has been discovered. It targets users through a trojanized version of the Termius app. This backdoor, first noted in 2021, now uses a modified Khepri C2 framework for post-infection operations. The malware is delivered as a .dmg disk image containing a modified Termius.app; it adds two executables to the embedded Termius Helper.app and uses a new method to trojanize legitimate applications. Persistence is installed via a LaunchDaemon, and the malware includes an md5-based updater mechanism. The payload retrieved from the C2 is a modified Khepri beacon with capabilities for file transfer, system reconnaissance, and command execution. The threat actor continues to target developers and IT professionals, adapting their techniques to evade detection.

Author: AlienVault

Related Tags:
- zuru
- termius
- khepri
- khepri c2
- c2 beacon
- T1543.004
- T1553.001
- T1569.002
- T1021.004

Associated Indicators (40-character hex digests, consistent with SHA-1):
- FA9B89D4EB4D47D34F0F366750D55603813097C1
- A7A9B0F8CC1C89F5C195AF74CE3ADD74733B15C0
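The two indicators above are 40-character hex digests, which is the length of a SHA-1 hash. The script below is an added example, not code from AlienVault or from the ZuRu analysis: it hashes files under a directory and reports any that match the pulse's indicators, and it lists the Mach-O executables found in an app bundle's Contents/MacOS directory so that an unexpected extra binary inside a helper bundle (the trojanization pattern the summary describes) stands out. It assumes the indicators are SHA-1 file hashes; the directory and bundle paths passed on the command line are placeholders chosen by the operator.

```python
import hashlib
import sys
from pathlib import Path

# Indicators copied from the pulse above, normalized to lowercase for comparison.
# Assumption: these are SHA-1 digests of files (40 hex characters).
ZURU_SHA1_IOCS = {
    "fa9b89d4eb4d47d34f0f366750d55603813097c1",
    "a7a9b0f8cc1c89f5c195af74ce3add74733b15c0",
}

# First four bytes of a Mach-O image as stored on disk: 32-bit and 64-bit thin
# images (both byte orders) and the universal/"fat" header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}


def sha1_of_bytes(data: bytes) -> str:
    """SHA-1 hex digest of an in-memory blob (used by the tests and small files)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-1 hex digest of a file, streamed so large disk images do not load into RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_ioc(digest: str, iocs=ZURU_SHA1_IOCS) -> bool:
    """True if the digest (any case, surrounding whitespace ignored) is a known indicator."""
    return digest.strip().lower() in iocs


def is_macho(head: bytes) -> bool:
    """True if the first bytes of a file carry a Mach-O or fat-binary magic."""
    return head[:4] in MACHO_MAGICS


def scan_tree(root, iocs=ZURU_SHA1_IOCS):
    """Walk a directory and return (path, digest) for every regular file matching an indicator."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.is_symlink():
            continue
        try:
            digest = sha1_of_file(p)
        except OSError:
            continue  # unreadable file; skip rather than abort the whole scan
        if match_ioc(digest, iocs):
            hits.append((str(p), digest))
    return hits


def bundle_executables(bundle):
    """List Mach-O files in <bundle>/Contents/MacOS, the place extra binaries would be planted."""
    macos_dir = Path(bundle) / "Contents" / "MacOS"
    found = []
    for p in sorted(macos_dir.glob("*")):
        if p.is_file():
            with open(p, "rb") as f:
                if is_macho(f.read(4)):
                    found.append(str(p))
    return found


if __name__ == "__main__":
    # Usage: python zuru_ioc_check.py <directory-to-hash> [<path-to-Termius.app>]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_tree(root):
        print(f"IOC MATCH {digest} {path}")
    if len(sys.argv) > 2:
        for exe in bundle_executables(sys.argv[2]):
            print(f"bundle executable: {exe}")
```

The bundle listing is a triage aid, not a verdict: compare it against what a freshly downloaded copy of the same app version ships, and treat an extra binary in a helper bundle as something to hash and examine. Hash matching catches only the exact samples in the pulse; a rebuilt payload will have a different digest, so the tags above (LaunchDaemon creation, T1543.004) remain the more durable detection angle.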