{"id":69927,"date":"2021-10-18T09:00:00","date_gmt":"2021-10-18T01:00:00","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=69927"},"modified":"2021-10-19T14:09:05","modified_gmt":"2021-10-19T06:09:05","slug":"mac%e7%94%a8%e6%88%b6%e7%95%b6%e5%bf%83%e5%b1%b1%e5%af%a8%e7%89%88-iterm2-app%e7%9a%84%e7%b6%b2%e8%b7%af%e9%87%a3%e9%ad%9a%e6%94%bb%e6%93%8a","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=69927","title":{"rendered":"Mac users: beware of the phishing attack using a counterfeit iTerm2 app"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>An application posing as the iTerm2 app downloads and runs malware that collects personal data from the victim's computer.<\/p><\/blockquote>\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20banner.jpg\" alt=\"\"\/><\/figure>\n\n<p>In early September, <a href=\"https:\/\/zhuanlan.zhihu.com\/p\/408746101\">a user on the Chinese Q&amp;A site Zhihu reported<\/a> that searching for the keyword iTerm2 turned up a counterfeit website, <em>iterm2.net<\/em>, posing as the legitimate <em>iterm2.com<\/em> (Figure 1). The link on <em>iterm2.net<\/em>, however, downloads a malicious version of the iTerm2 app (a macOS terminal emulator). When this application runs, it downloads and executes <em>g.py<\/em>, a malicious Python script fetched from 47[.]75[.]123[.]111. Trend Micro detects this script as TrojanSpy.Python.ZURU.A; it collects personal data from the victim's computer.<\/p>\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2001.png\" alt=\"Figure 1. The fraudulent website iterm2.net\"\/><figcaption>Figure 1. The fraudulent website iterm2.net<\/figcaption><\/figure>\n\n<p>Objective-See earlier <a href=\"https:\/\/objective-see.com\/blog\/blog_0x66.html\">published an article on this malware<\/a> analyzing how the attacker repackaged the iTerm2 app to load a malicious <em>libcrypto.2.dylib<\/em>. That library downloads and runs further components, including the <em>g.py<\/em> script mentioned above and a Mach-O file named \u201cGoogleUpdate\u201d (which contains a Cobalt Strike beacon). The article provides detailed information on the malware.<\/p>\n\n<p><strong>The trojanized application<\/strong><\/p>\n\n<p>As of September 15, <em>iterm2.net<\/em> was still active. The malicious file is not hosted on the site itself, however: the site contains the link <em>hxxp:\/\/www.kaidingle.com\/iTerm\/iTerm.dmg<\/em>, from which the user downloads a macOS disk image (DMG) named <em>iTerm.dmg<\/em>. Whichever version of the application the user chooses to download from the counterfeit site, they are directed to the same <em>iTerm.dmg<\/em> download URL; the genuine <em>iterm2.com<\/em> site offers a different URL and file for each version. Furthermore, the file downloaded from the legitimate site is in ZIP format, not the DMG format used by the fraudulent site (Figure 2).<\/p>\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2002-2.png\" alt=\"Figure 2. The file downloaded from the fake website (left) and the official website (right)\"\/><figcaption>Figure 2. The file downloaded from the counterfeit site (left) and the official site (right)<\/figcaption><\/figure>\n\n<p>Comparing the directory structures of the DMG and ZIP files reveals many differences:<\/p>\n\n<ul><li>All Mach-O files in the trojanized iTerm2 app are signed with an Apple Distribution certificate (Figure 3), whereas the files of the legitimate iTerm2.app are code-signed with a Developer ID Application certificate. According to Apple's documentation, developers sign applications with an Apple Distribution certificate only before submitting them to the App Store, so applications downloaded from the App Store normally do not carry an Apple Distribution certificate.<\/li><\/ul>\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2003.png\" alt=\"Figure 3. Trojanized iTerm2 app code signing\"\/><figcaption>Figure 3. Code signing of the trojanized iTerm2 app<\/figcaption><\/figure>\n\n<ul><li>The trojanized iTerm2 app includes in its Frameworks folder a <em>libcrypto.2.dylib<\/em> (SHA-256 hash 2c269ff4216dc6a14fd81ffe541994531b23a1d8e0fbd75b9316a9fa0e0d5fef) that does not exist in the legitimate version, as shown in Figure 4.<\/li><\/ul>\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2004.png\" alt=\"Figure 4. The libcrypto.2.dylib file added in the trojanized iTerm2 app\" width=\"840\" height=\"229\"\/><figcaption>Figure 4. The <em>libcrypto.2.dylib<\/em> file added in the trojanized iTerm2 app<\/figcaption><\/figure>\n\n<ul><li>In the trojanized iTerm2 app, the main Mach-O file contains an extra <em>LC_LOAD_DYLIB<\/em> load command that loads <em>libcrypto.2.dylib<\/em> (Figure 5).<\/li><\/ul>\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2005.png\" alt=\"Figure 5. The load command LC_LOAD_DYLIB loads the file libcrypto.2.dylib\"\/><figcaption>Figure 5. The load command LC_LOAD_DYLIB loads the file libcrypto.2.dylib<\/figcaption><\/figure>\n\n<p>According to the Objective-See article, when the victim runs the trojanized iTerm2 app, the malicious code inside <em>libcrypto.2.dylib<\/em> executes automatically. This is a method of repackaging a legitimate application that we had not seen before.<\/p>\n\n<p>Once running, the malware connects to its server and receives the following commands:<\/p>\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2021\/10\/\u6307\u4ee4.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"634\" height=\"54\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2021\/10\/\u6307\u4ee4.jpg\" alt=\"\" class=\"wp-image-69950\" \/><\/a><\/figure>\n\n<ul type=\"1\"><li>Download the <em>g.py<\/em> script to <em>\/tmp\/g.py<\/em> and execute it<\/li><li>Download \u201cGoogleUpdate\u201d to <em>\/tmp\/GoogleUpdate<\/em> and execute it<\/li><li>Collect data using the <em>g.py<\/em> script<\/li><\/ul>\n\n<p>The Python script <em>g.py<\/em> collects the following system data and files from the victim's computer and sends them to the server:<\/p>\n\n<ol type=\"1\"><li>Operating system information<\/li><li>User name<\/li><li>Installed applications<\/li><li>Local IP address<\/li><li>Copies of the following files and folders:<ol><li><em>~\/.bash_history<\/em><\/li><li><em>~\/.zsh_history<\/em><\/li><li><em>~\/.gitConfig<\/em><\/li><li><em>\/etc\/hosts<\/em><\/li><li><em>~\/.ssh<\/em><\/li><li><em>~\/.zhHistory<\/em><\/li><li><em>~\/Library\/Keychains\/Login.keychain-db<\/em><\/li><li><em>~\/Library\/Application Support\/VanDyke\/SecureCRT\/Config\/<\/em><\/li><li><em>~\/Library\/Application Support\/iTerm2\/SavedState\/<\/em><\/li><\/ol><\/li><li>The contents of the following folders:<ol><li><em>~\/<\/em> (the current user's home directory)<\/li><li><em>~\/Desktop<\/em><\/li><li><em>~\/Documents<\/em><\/li><li><em>~\/Downloads<\/em><\/li><li><em>\/Applications<\/em><\/li><\/ol><\/li><\/ol>\n\n<p><strong>Other trojanized applications and fake websites<\/strong><\/p>\n\n<p>Further analysis of the Apple Distribution certificate used by the trojanized iTerm2 app led us to similar trojanized applications on VirusTotal (Table 1), all trojanized by the same method.<\/p>\n\n<p>Table 1. Other trojanized applications found on VirusTotal<\/p>\n\n<figure class=\"wp-block-table\"><table class=\"table table-hover\"><tbody><tr><td><strong>File name<\/strong><\/td><td><strong>SHA-256 hash<\/strong><\/td><td><strong>Detection name<\/strong><\/td><\/tr><tr><td><em>iTerm.app.zip<\/em><\/td><td>5f59ead37fa836c6329a7ba3edd4afc9a2c5fec61de4e0cdb8e8a41031ae4db0<\/td><td>TrojanSpy.MacOS.ZURU.A<\/td><\/tr><tr><td><em>SecureCRT.dmg<\/em><\/td><td>ae0510032cd4699ef17de7ed1587918ffcd7ff7c9a77fc45f9d68effe2934132<\/td><td>Trojan.MacOS.ZuRu.PFH<\/td><\/tr><tr><td><em>SecureCRT.dmg<\/em><\/td><td>1e462f8716275dbae6acb3ff4f7a95624c1afb23c5069fa42a14ed49c2588921<\/td><td>Trojan.MacOS.ZuRu.PFH<\/td><\/tr><tr><td><em>Microsoft Remote Desktop.dmg<\/em><\/td><td>5ca2fb207762e886dd3336cf1cb92c28f096a5fbb1798ea6721b7c94c1395259<\/td><td>TrojanSpy.MacOS.ZURU.A<\/td><\/tr><tr><td><em>Navicat15_cn.dmg<\/em><\/td><td>6df91af12c87874780cc9d49e700161e1ead71ae045954adbe7633ec9e5e45ff<\/td><td>TrojanSpy.MacOS.ZURU.A<\/td><\/tr><tr><td><em>Navicat15_cn.dmg<\/em><\/td><td>91541cfc0474d6c06376460759517ae94f36fca74d5ab84cf5c23d98bd33939e<\/td><td>TrojanSpy.MacOS.ZURU.A<\/td><\/tr><\/tbody><\/table><\/figure>\n\n<p>Searching VirusTotal for the SSL fingerprint used by <em>iterm2.net<\/em> revealed other fraudulent websites. As shown in Figure 6, these sites all resolve to the same IP address, 43[.]129[.]218[.]115.<\/p>\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2006.png\" alt=\"Figure 6. Other fake websites found on VirusTotal\" width=\"840\" height=\"420\"\/><figcaption>Figure 6. Other fake websites found on VirusTotal<\/figcaption><\/figure>\n\n<p>We were at one point able to reach one of the fake sites, <em>snailsvn.cn<\/em>, but the download link on its page was empty at the time, so we could not determine whether the site had been used to distribute a trojanized SnailSVN, an Apache Subversion (SVN) client for Mac OS X (Figure 7). As of this writing, none of these domains can be reached.<\/p>\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2007.png\" alt=\"Figure 7. The fake SnailSVN website\"\/><figcaption>Figure 7. The fake SnailSVN website<\/figcaption><\/figure>\n\n<p><strong>Download server<\/strong><\/p>\n\n<p>The server hosting the trojanized files, <em>kaidingle[.]com<\/em>, was registered on September 7 and is still active. According to VirusTotal, besides <em>iTerm.dmg<\/em> it also hosts other DMG files, such as <em>SecureCRT.dmg<\/em> and <em>Navicat15_cn.dmg<\/em> (Figure 8). As of September 18, the latter two DMG files could still be downloaded from the server.<\/p>\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2008.png\" alt=\"Figure 8. URLs related to the download server\" width=\"643\" height=\"201\"\/><figcaption>Figure 8. URLs related to the download server<\/figcaption><\/figure>\n\n<p>According to the WHOIS lookup for the server, the same registrant holds four other domains (Figure 9). So far, none of these domains shows any sign of a connection to the malware.<\/p>\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2009.png\" alt=\"Figure 9. Other domains from the same registrant\"\/><figcaption>Figure 9. Other domains from the same registrant<\/figcaption><\/figure>\n\n<p><strong>Second-stage server<\/strong><\/p>\n\n<p>VirusTotal recorded multiple URLs related to the second-stage server under the IP address 47[.]75[.]123[.]111 (the same address the malicious <em>g.py<\/em> script is fetched from), dated from September 8 to 17, as shown in Figure 10.<\/p>\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2010.png\" alt=\"Figure 10. URLs under the second-stage server\"\/><figcaption>Figure 10. URLs under the second-stage server<\/figcaption><\/figure>\n\n<p>Besides the <em>g.py<\/em> script and the \u201cGoogleUpdate\u201d component, which are part of the trojanized iTerm app, the second-stage server hosts four other Mach-O files used as post-exploitation tools (Table 2).<\/p>\n\n<p>Table 2. Other Mach-O files hosted on the second-stage server<\/p>\n\n<figure class=\"wp-block-table\"><table class=\"table table-hover\"><tbody><tr><td><strong>File name<\/strong><\/td><td><strong>SHA-256 hash<\/strong><\/td><td><strong>Detection name \/ description<\/strong><\/td><\/tr><tr><td>la<\/td><td>79ef23214c61228a03faea00a1859509ea3bf0247219d65ae6de335fde4061f5<\/td><td>Open-source intranet penetration scanner framework (<a href=\"https:\/\/github.com\/k8gege\/LadonGo\">https:\/\/github.com\/k8gege\/LadonGo<\/a>)<\/td><\/tr><tr><td>iox<\/td><td>f005ea1db6da3f56e4c8b1135218b1da56363b077d3be7d218d8284444d7824f<\/td><td>Port forwarding and intranet proxy tool (<a href=\"https:\/\/github.com\/EddieIvan01\/iox\">https:\/\/github.com\/EddieIvan01\/iox<\/a>)<\/td><\/tr><tr><td>netscan-darwin-amd64<\/td><td>d12ef7f6de48c09e84143e90fe4a4e7b1b3d10cee5cd721f7fdf61e62e08e749<\/td><td>Netscan scans a network to find the open ports within a given IP or IP range and the IP addresses in use on that network (<a href=\"https:\/\/github.com\/jessfraz\/netscan\/releases\">https:\/\/github.com\/jessfraz\/netscan\/releases<\/a>)<\/td><\/tr><tr><td>Host<\/td><td>a83edc0eb5a2f1db62acfa60c666b5a5c53733233ce264702a16cb5220df9d4e<\/td><td>Backdoor.MacOS.Wirenet.PFH<\/td><\/tr><\/tbody><\/table><\/figure>\n\n<p>Notably, the IP address of the second-stage server is similar to the IP address that \u201cGoogleUpdate\u201d connects to (47[.]75[.]96[.]198). Both IP addresses are hosted by Alibaba in Hong Kong. As shown in Figure 11, the URLs under 47[.]75[.]96[.]198 were registered at roughly the same time as those on the second-stage server, which suggests that both servers may have been set up by the same attacker.<\/p>\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2011.png\" alt=\"Figure 11. URLs under the same server as \u201cGoogleUpdate\u201d\"\/><figcaption>Figure 11. URLs under the same server as \u201cGoogleUpdate\u201d<\/figcaption><\/figure>\n\n<p><strong>Advertising websites<\/strong><\/p>\n\n<p>As described in the user report mentioned earlier, the first search-engine result was under the subdomain <em>rjxz.jxhwst.top<\/em>. Searching Google for this address returns two results, but they point to cached copies of the pages (Figure 12); as of this writing, the actual pages have been taken down.<\/p>\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2012.png\" alt=\"Figure 12. Google caches of the two fake sites\"\/><figcaption>Figure 12. Google caches of the two fake sites<\/figcaption><\/figure>\n\n<p>The first search result was for \u201cMicrosoft Remote Desktop\u201d at <em>hxxp:\/\/rjxz.jxhwst.top\/3<\/em>, but from its cached page (Figure 13) and source code (Figure 14) we found that it redirects users to the counterfeit site <em>hxxp:\/\/remotedesktop.vip<\/em>.<\/p>\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2013.png\" alt=\"Figure 13. The cache of the fake \u201cMicrosoft Remote Desktop\u201d page\"\/><figcaption>Figure 13. The cache of the fake \u201cMicrosoft Remote Desktop\u201d page<\/figcaption><\/figure>\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2014.png\" alt=\"Figure 14. The source code of the fake page\"\/><figcaption>Figure 14. The source code of the fake page<\/figcaption><\/figure>\n\n<p>Looking at its home page, we found that the second-level domain jxhwst.top belongs to an agriculture company in northern China. Besides the subdomain <em>rjxz.jxhwst.top<\/em>, this second-level domain has 44 other subdomains, almost all used for advertising unrelated to the agriculture company (Figure 15). The company may rent these subdomains out to others for advertising, but it cannot prevent them from being used for illegal purposes. If so, the attackers rented a subdomain to distribute the malware.<\/p>\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/marvel-b1-cdn.bc0a.com\/f00000000017219\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app\/TrojanSpy.Python.ZURU.A%20-%20Figure%2015.png\" alt=\"Figure 15. The subdomains of the agriculture company\"\/><figcaption>Figure 15. The subdomains of the agriculture company<\/figcaption><\/figure>\n\n<p><strong>Security recommendations<\/strong><\/p>\n\n<ul><li>To protect their systems against this type of threat, users should download applications only from official or legitimate app stores. Treat search-engine results with caution and check URLs carefully to make sure they really point to the official website. Mac users can consider a multilayered security solution such as <a href=\"https:\/\/www.trendmicro.com\/zh_tw\/forHome\/products\/mac.html\">Trend Micro PC-cillin for Mac<\/a>, which provides enhanced anti-fraud protection that flags and blocks fraudulent websites attempting to steal personal data. PC-cillin for Mac is also part of <a href=\"https:\/\/t.rend.tw\/?i=ODAzMw\">Trend Micro PC-cillin<\/a>, a cross-platform solution that provides comprehensive security and multi-device protection against online threats.<\/li><\/ul>\n\n<p><strong>MITRE tactics, techniques and procedures (TTPs)<\/strong><\/p>\n\n<figure class=\"wp-block-table\"><table class=\"table table-hover\"><tbody><tr><td><strong>Tactic<\/strong><\/td><td><strong>ID<\/strong><\/td><td><strong>Name<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td><a href=\"https:\/\/attack.mitre.org\/tactics\/TA0001\">Initial Access<\/a><\/td><td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1566\/002\/\">T1566.002<\/a><\/td><td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1566\/002\/\">Spearphishing Link<\/a><\/td><td>Phishing website reached from search-engine results<\/td><\/tr><tr><td><a href=\"https:\/\/attack.mitre.org\/tactics\/TA0002\">Execution<\/a><\/td><td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\/006\/\">T1059.006<\/a><\/td><td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\/006\/\">Python<\/a><\/td><td>Downloads a Python script<\/td><\/tr><tr><td><\/td><td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1204\/002\/\">T1204.002<\/a><\/td><td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1204\/002\/\">Malicious File<\/a><\/td><td>Running the repackaged iTerm2 app launches the malicious dylib libcrypto.2.dylib<\/td><\/tr><tr><td><a href=\"https:\/\/attack.mitre.org\/tactics\/TA0005\">Defense Evasion<\/a><\/td><td>T1140<\/td><td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1140\">Deobfuscate\/Decode Files or Information<\/a><\/td><td>Strings in the malicious dylib are AES-encrypted and Base64-encoded<\/td><\/tr><tr><td><\/td><td>T1036<\/td><td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1036\">Masquerading<\/a><\/td><td>The malicious dylib is added to the repackaged iTerm2 app<\/td><\/tr><tr><td><a href=\"https:\/\/attack.mitre.org\/tactics\/TA0009\">Collection<\/a><\/td><td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1560\/002\/\">T1560.002<\/a><\/td><td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1560\/002\/\">Archive via Library<\/a><\/td><td>Collected information is added to a zip archive<\/td><\/tr><tr><td><\/td><td>T1005<\/td><td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1005\">Data from Local System<\/a><\/td><td>Collects system information, bash history and login credentials<\/td><\/tr><tr><td><\/td><td>T1602<\/td><td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1602\">Data from Configuration Repository<\/a><\/td><td>Collects the contents of \/Library\/Application Support\/VanDyke\/SecureCRT\/Config<\/td><\/tr><tr><td><a href=\"https:\/\/attack.mitre.org\/tactics\/TA0010\">Exfiltration<\/a><\/td><td>T1041<\/td><td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1041\">Exfiltration Over C2 Channel<\/a><\/td><td>Files are exfiltrated to hxxp:\/\/47[.]75[.]123[.]111\/u.php<\/td><\/tr><\/tbody><\/table><\/figure>\n\n<p>@Original source: <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/i\/mac-users-targeted-by-trojanized-iterm2-app.html\">Mac Users Targeted by Trojanized iTerm2 App<\/a>, by Steven Du and Luis Magisa<\/p>\n
type=\"hidden\" name=\"nr\" value=\"minimal\">\n<input type=\"hidden\" name=\"nlang\" value=\"\">\n<input class=\"tnp-email\" type=\"email\" required name=\"ne\" value=\"\" placeholder=\"Email\"><input class=\"tnp-submit\" type=\"submit\" value=\"\u8a02\u95b1\" style=\"\">\n<\/form><\/div>\n<\/div><\/div>\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\" https:\/\/t.rend.tw\/?i=MTA5NzI\n\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/08\/Windows10Banner-540x90v5.gif\" alt=\"\"\/><\/a><figcaption>  PC-cillin \u5b8c\u6574\u9632\u8a50\u653b\u7565\uff1a\u4fdd\u8b77\u8cc7\u6599\/\u5075\u6e2c\u5a01\u8105\/\u9632\u7bc4\u4fb5\u5165\uff0c\u8b58\u7834\u5404\u7a2e\u8a50\u9a19\u624b\u6cd5\uff0c\u5168\u9762\u9632\u8b77\u66f4\u5b89\u5fc3\u3002 \u4e0d\u53ea\u9632\u6bd2\uff0c\u66f4\u9632\u8a50\u9a19\uff01 \u4e0d\u53ea\u9632\u6bd2\u4e5f\u9632\u8a50\u9a19 \u2713\u624b\u6a5f\u2713\u96fb\u8166\u2713\u5e73\u677f\uff0c\u8de8\u5e73\u53f0\u9632\u8b77\uff13\u5230\u4f4d\u2794<a href= https:\/\/t.rend.tw\/?i=MTA5NzI\n> \u300b\u5373\u523b\u514d\u8cbb\u4e0b\u8f09\u8a66\u7528 <\/a><\/figcaption><\/figure>\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n<a href=\"https:\/\/t.rend.tw\/?i=ODI3Mg\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2019\/10\/FB.png\" alt=\"FB\" \/><\/a>\n\n<a href=\"https:\/\/t.rend.tw\/?i=ODI3Mw\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2019\/10\/ig_icon_O.png\" alt=\"IG\" \/><\/a>\n\n<a href=\"https:\/\/t.rend.tw\/?i=ODI3NA\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2019\/10\/youtube.png\" alt=\"Youtube\" \/><\/a>\n\n <a href=\"https:\/\/t.rend.tw\/?i=ODI3NA\"><img 
decoding=\"async\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2019\/10\/Line.png\" alt=\"LINE\" \/><\/a>\n\n <a href=\"https:\/\/t.rend.tw\/?i=ODI3Ng\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2019\/10\/%E5%AE%98%E7%B6%B2.png\" alt=\"\u5b98\u7db2\" \/><\/a>\n\n <div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>\u4e00\u6b3e\u507d\u88dd iTerm2 App\u7684\u61c9\u7528\u7a0b\u5f0f\u6703\u4e0b\u8f09\u4e26\u57f7\u884c\u60e1\u610f\u8edf\u9ad4\uff0c\u4e26\u5f9e\u53d7\u5bb3\u8005\u96fb\u8166\u88e1\u6536\u96c6\u500b\u4eba\u8cc7\u6599\u3002 \u5728\u4e5d\u6708\u521d\uff0c\u4e2d\u570b\u554f [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[3942,3943,378,398,4618],"tags":[4937,2445,246,2149],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/69927"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tre
ndmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=69927"}],"version-history":[{"count":13,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/69927\/revisions"}],"predecessor-version":[{"id":70130,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/69927\/revisions\/70130"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=69927"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=69927"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=69927"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}