Zuru is a recently discovered malware that exhibits striking similarities to the ZuRu malware, which has been active since at least 2021. Researchers first identified Zuru in an executable named .fseventsd during threat alert triage. The malware shares several characteristics with its predecessor, including the applications it targets, the modified load commands in those applications' binaries, and the attacker infrastructure it contacts, leading experts to suggest that it may be a successor to ZuRu. Much like ZuRu, Zuru compromises a machine by downloading and executing multiple payloads in the background.
The ZuRu malware was notorious for its data-stealing capabilities and primarily targeted macOS systems. It propagated through sponsored search results on Baidu and installed the Cobalt Strike agent on compromised systems. Similarly, Zuru seems to operate along the same lines, albeit with some modifications. However, the final malware being dropped by Zuru is significantly different from the original ZuRu, making it challenging to establish a direct relation between the two.
ZuRu was originally found in pirated applications such as iTerm, SecureCRT, Navicat Premium, and Microsoft Remote Desktop Client. When users opened these infected applications, they were presented with a functional app. Simultaneously, a dylib containing malicious logic would execute a Python script in the background to steal sensitive files and upload them to an attacker server. While the exact mode of operation of Zuru is still under investigation, it is evident that it poses a similar threat to system security.
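Both the "modified load commands" noted above and the dylib that carries the malicious logic point at the same triage check a defender can run on a suspect application binary: list the dylibs its Mach-O load commands pull in and flag any that do not come from a system location. The script below is an added example written for this page, not code from the researchers or from either malware. It parses a thin little-endian 64-bit Mach-O image (fat/universal binaries and 32-bit images are out of scope, an assumption), and the sample image it inspects is constructed inline from three dylib commands and one unrelated LC_UUID command; the injected path `@executable_path/../Frameworks/libinjected.dylib` is a placeholder, not an indicator from the page.

```python
import struct

# Mach-O constants (from <mach-o/loader.h>).
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 0x2
CPU_TYPE_ARM64 = 0x0100000C
LC_UUID = 0x1B
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F

DYLIB_CMDS = {
    LC_LOAD_DYLIB: "LC_LOAD_DYLIB",
    LC_LOAD_WEAK_DYLIB: "LC_LOAD_WEAK_DYLIB",
    LC_REEXPORT_DYLIB: "LC_REEXPORT_DYLIB",
}

# Paths under these prefixes are provided by macOS itself; anything else is
# shipped with (or injected into) the application and deserves a closer look.
TRUSTED_PREFIXES = ("/usr/lib/", "/System/Library/")


def parse_dylib_commands(data: bytes):
    """Return [(command_name, dylib_path), ...] for every dylib load command."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    off = 32  # sizeof(mach_header_64)
    end = off + sizeofcmds
    found = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in DYLIB_CMDS:
            # dylib_command: cmd, cmdsize, then dylib {name offset, timestamp,
            # current_version, compatibility_version}; the path string starts
            # at `name_off` bytes from the start of this command.
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off: off + cmdsize]
            found.append((DYLIB_CMDS[cmd], raw.split(b"\x00", 1)[0].decode()))
        off += cmdsize
    return found


def suspicious_dylibs(data: bytes):
    """Dylib paths that are not loaded from a macOS system location."""
    return [path for _, path in parse_dylib_commands(data)
            if not path.startswith(TRUSTED_PREFIXES)]


# --- constructed sample image (not a real binary) ---------------------------
def _dylib_cmd(cmd: int, path: str) -> bytes:
    body = struct.pack("<4I", 24, 0, 0, 0) + path.encode() + b"\x00"
    body += b"\x00" * (-len(body) % 8)  # cmdsize must be 8-byte aligned
    return struct.pack("<2I", cmd, 8 + len(body)) + body


_CMDS = (
    struct.pack("<2I", LC_UUID, 24) + bytes(16)  # unrelated command, skipped
    + _dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib")
    + _dylib_cmd(LC_LOAD_DYLIB, "/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation")
    + _dylib_cmd(LC_LOAD_DYLIB, "@executable_path/../Frameworks/libinjected.dylib")  # placeholder
)
SAMPLE_MACHO = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                           4, len(_CMDS), 0, 0) + _CMDS

if __name__ == "__main__":
    for kind, path in parse_dylib_commands(SAMPLE_MACHO):
        print(kind, path)
    print("review:", suspicious_dylibs(SAMPLE_MACHO))
```

Treat the output as a triage filter rather than a verdict: legitimate applications routinely load their own bundled frameworks through `@executable_path` or `@rpath`, so a flagged path is a prompt to compare the dylib list against a known-good copy of the same application version and to inspect the flagged library, not proof of tampering on its own.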
Description last updated: 2024-05-04T16:18:53.521Z