Many of these files could contain highly sensitive information such as passwords and private keys. The malware then attempts to exfiltrate a zip archive of this data to the server from which the Python script was downloaded.

An outbound firewall, such as Intego NetBarrier X9, can block malware from exfiltrating data from your Mac.

How can one remove or prevent OSX/ZuRu and other threats?

Given that Apple's threat mitigation features such as notarization, Gatekeeper, XProtect, and MRT do not block many types of threats, it is evident that Apple's own macOS protection methods are insufficient by themselves.

Related: Do Macs need antivirus software?

Intego VirusBarrier X9, included with Intego's Mac Premium Bundle X9, can protect against, detect, and eliminate OSX/ZuRu malware.

If you believe your Mac may have been infected, or to prevent future infections, it's best to use antivirus software from a trusted Mac developer that includes real-time scanning, such as Intego VirusBarrier X9, which also protects Macs from M1-native malware, cross-platform malware, and more. VirusBarrier is designed by Mac security experts, and it protects against a much wider variety of malware than Apple's mitigation methods.

Intego recently earned a 100% detection rating for Mac malware in two independent tests conducted by AV-Comparatives and AV-TEST.

Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from these threats. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.

Indicators of compromise (IoCs)

Following are some specific ways to identify whether a Mac may have been infected by OSX/ZuRu.

Apple has since revoked the Developer ID that was used for signing this malware. The developer name and Team ID of the revoked developer account are: Jun Bi (AQPZ6F3ASY)

The following SHA-256 file hashes belong to known OSX/ZuRu files associated with this malware campaign.
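A sweep that turns the two indicators above into a local check, as an added example that is not Intego's code: it reads the Team ID out of `codesign` output for each installed app and compares the main executable's SHA-256 against the IoC list. The Team ID is the one given in the article; the hash list is a constructed placeholder to be replaced with the article's values.

```shell
#!/bin/sh
# IoC sweep for the OSX/ZuRu indicators above (example code, not Intego's).
# Flags apps signed with the revoked Team ID and main executables whose
# SHA-256 appears on the known-hash list.

REVOKED_TEAM_ID="AQPZ6F3ASY"   # Team ID of the revoked "Jun Bi" account (from the article)

# Constructed placeholder; replace with the SHA-256 values from the IoC list.
KNOWN_HASHES="
PLACEHOLDER_SHA256_FROM_ARTICLE
"

# Parse `codesign -dv --verbose=4` output (read from stdin) and print the Team ID.
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 if the codesign output on stdin names the revoked Team ID.
is_revoked_team() {
    [ "$(team_id_from_codesign)" = "$REVOKED_TEAM_ID" ]
}

# Return 0 if the given SHA-256 hex string is on the IoC list (case-insensitive).
hash_is_known() {
    printf '%s\n' "$KNOWN_HASHES" | grep -qix -- "$1"
}

# Check one .app bundle: signature Team ID first, then the main executable's hash.
scan_app() {
    app="$1"
    exe="$app/Contents/MacOS/$(basename "$app" .app)"
    if codesign -dv --verbose=4 "$app" 2>&1 | is_revoked_team; then
        echo "MATCH team id: $app"
    fi
    if [ -f "$exe" ] && hash_is_known "$(shasum -a 256 "$exe" | cut -d' ' -f1)"; then
        echo "MATCH sha256:  $exe"
    fi
}

# Sweep the usual install locations; run this on the Mac being checked.
sweep() {
    for dir in /Applications "$HOME/Applications"; do
        [ -d "$dir" ] || continue
        for app in "$dir"/*.app; do
            [ -d "$app" ] && scan_app "$app"
        done
    done
}
```

`codesign -d` displays the signature without validating it, so the Team ID is still reported after Apple revokes the certificate; a hash match on a file outside the bundle's main executable still requires running `shasum -a 256` on that file by hand.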