{"id":10501,"date":"2025-07-15T12:38:19","date_gmt":"2025-07-15T05:38:19","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10501"},"modified":"2026-02-05T12:38:28","modified_gmt":"2026-02-05T05:38:28","slug":"bay-trojan-giang-san-tren-macos-chien-dich-ma-doc-va-danh-cap-he-thong-tu-ben-trong","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/15\/bay-trojan-giang-san-tren-macos-chien-dich-ma-doc-va-danh-cap-he-thong-tu-ben-trong\/","title":{"rendered":"“B\u1eaby trojan” gi\u0103ng s\u1eb5n tr\u00ean macOS: Chi\u1ebfn d\u1ecbch m\u00e3 \u0111\u1ed9c v\u00e0 \u0111\u00e1nh c\u1eafp h\u1ec7 th\u1ed1ng t\u1eeb b\u00ean trong"},"content":{"rendered":"

C\u00e1c chuy\u00ean gia b\u1ea3o m\u1eadt v\u1eeba c\u1ea3nh b\u00e1o: Hacker \u0111ang l\u1ee3i d\u1ee5ng c\u00e1c c\u00f4ng c\u1ee5 Mac h\u1ee3p ph\u00e1p \u0111\u1ec3 ph\u00e1t t\u00e1n trojan nguy hi\u1ec3m macOS.ZuRu, ng\u1ee5y trang trong nh\u1eefng \u1ee9ng d\u1ee5ng ph\u1ed5 bi\u1ebfn \u0111\u01b0\u1ee3c t\u1ea3i v\u1ec1 nh\u1eb1m l\u1eeba ng\u01b0\u1eddi d\u00f9ng c\u00e0i \u0111\u1eb7t ph\u1ea7n m\u1ec1m nhi\u1ec5m m\u00e3 \u0111\u1ed9c.<\/b><\/p>\n

\n
\"1752547459416.png\"<\/div>\n

\u200b<\/p><\/div>\n

Trojan ng\u1ee5y trang trong \u1ee9ng d\u1ee5ng SSH n\u1ed5i ti\u1ebfng: Termius\u200b<\/h2>\n

Trong chi\u1ebfn d\u1ecbch g\u1ea7n \u0111\u00e2y, nh\u00f3m t\u1ea5n c\u00f4ng \u0111\u00e3 ch\u00e8n trojan ZuRu v\u00e0o b\u1ed9 c\u00e0i c\u1ee7a Termius, m\u1ed9t \u1ee9ng d\u1ee5ng SSH \u0111a n\u1ec1n t\u1ea3ng \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng ph\u1ed5 bi\u1ebfn \u0111\u1ec3 qu\u1ea3n l\u00fd m\u00e1y ch\u1ee7 t\u1eeb xa.<\/p>\n

Trojan macOS.ZuRu sau khi \u0111\u01b0\u1ee3c c\u00e0i \u0111\u1eb7t s\u1ebd ho\u1ea1t \u0111\u1ed9ng ng\u1ea7m, duy tr\u00ec quy\u1ec1n truy c\u1eadp tr\u00e1i ph\u00e9p, \u0111\u1ed3ng th\u1eddi c\u00f3 th\u1ec3 t\u1ea3i v\u1ec1 th\u00eam th\u00e0nh ph\u1ea7n \u0111\u1ed9c h\u1ea1i v\u00e0 th\u1ef1c thi l\u1ec7nh t\u1eeb xa t\u1eeb m\u00e1y ch\u1ee7 c\u1ee7a hacker.<\/p>\n

\u0110\u01b0\u1ee3c ph\u00e1t hi\u1ec7n l\u1ea7n \u0111\u1ea7u \u1edf Trung Qu\u1ed1c v\u00e0o th\u00e1ng 7\/2021 th\u00f4ng qua k\u1ebft qu\u1ea3 t\u00ecm ki\u1ebfm Baidu, trojan n\u00e0y t\u1eebng \u0111\u01b0\u1ee3c d\u00f9ng \u0111\u1ec3 l\u00e2y nhi\u1ec5m c\u00e1c c\u00f4ng c\u1ee5 ph\u1ed5 bi\u1ebfn d\u00e0nh cho nh\u00e0 ph\u00e1t tri\u1ec3n macOS nh\u01b0 SecureCRT, Navicat v\u00e0 Microsoft Remote Desktop for Mac.<\/p>\n

Bi\u1ebfn th\u1ec3 m\u1edbi tinh vi h\u01a1n v\u00e0 \u0111\u00e1nh l\u1eeba ng\u01b0\u1eddi d\u00f9ng hi\u1ec7u qu\u1ea3\u200b<\/h2>\n

T\u1eeb n\u0103m ngo\u00e1i, c\u00e1c \u1ee9ng d\u1ee5ng l\u1eadu \u0111\u00e3 b\u1eaft \u0111\u1ea7u ch\u1ee9a bi\u1ebfn th\u1ec3 ZuRu m\u1edbi v\u1edbi kh\u1ea3 n\u0103ng \u0111i\u1ec1u khi\u1ec3n t\u1eeb xa m\u1ea1nh h\u01a1n v\u00e0 v\u01b0\u1ee3t qua c\u00e1c bi\u1ec7n ph\u00e1p b\u1ea3o v\u1ec7 truy\u1ec1n th\u1ed1ng c\u1ee7a macOS.<\/p>\n

Bi\u1ebfn th\u1ec3 m\u1edbi nh\u1ea5t c\u1ee7a macOS.ZuRu ti\u1ebfp t\u1ee5c xu h\u01b0\u1edbng gi\u1ea3 m\u1ea1o c\u00e1c \u1ee9ng d\u1ee5ng macOS h\u1ee3p ph\u00e1p, \u0111\u1eb7c bi\u1ec7t l\u00e0 nh\u1eefng c\u00f4ng c\u1ee5 ph\u1ed5 bi\u1ebfn trong c\u1ed9ng \u0111\u1ed3ng l\u1eadp tr\u00ecnh vi\u00ean v\u00e0 chuy\u00ean vi\u00ean IT. Nh\u00f3m t\u1ea5n c\u00f4ng s\u1eed d\u1ee5ng k\u1ef9 thu\u1eadt thay th\u1ebf ch\u1eef k\u00fd m\u00e3 s\u1ed1 (code signature) g\u1ed1c c\u1ee7a nh\u00e0 ph\u00e1t tri\u1ec3n b\u1eb1ng ch\u1eef k\u00fd t\u1ea1m th\u1eddi do ch\u00fang t\u1ea1o ra, nh\u1eb1m qua m\u1eb7t h\u1ec7 th\u1ed1ng x\u00e1c th\u1ef1c c\u1ee7a Apple v\u00e0 c\u00e0i m\u00e3 \u0111\u1ed9c v\u00e0o \u1ee9ng d\u1ee5ng m\u00e0 ng\u01b0\u1eddi d\u00f9ng kh\u00f4ng h\u1ec1 hay bi\u1ebft.<\/p>\n

Chi\u1ebfn d\u1ecbch nh\u1eafm v\u00e0o h\u1ec7 th\u1ed1ng kh\u00f4ng c\u00f3 gi\u1ea3i ph\u00e1p b\u1ea3o v\u1ec7 \u0111\u1ea7u cu\u1ed1i, t\u1eadp trung v\u00e0o ng\u01b0\u1eddi d\u00f9ng macOS m\u1edbi nh\u1ea5t\u200b<\/h3>\n

Theo ph\u00e2n t\u00edch c\u1ee7a c\u00e1c chuy\u00ean gia, chi\u1ebfn d\u1ecbch ph\u00e1t t\u00e1n trojan macOS.ZuRu ch\u1ee7 y\u1ebfu nh\u1eafm \u0111\u1ebfn c\u00e1c h\u1ec7 th\u1ed1ng macOS kh\u00f4ng \u0111\u01b0\u1ee3c trang b\u1ecb \u0111\u1ea7y \u0111\u1ee7 c\u00e1c gi\u1ea3i ph\u00e1p b\u1ea3o v\u1ec7 endpoint (endpoint protection). M\u00e3 \u0111\u1ed9c \u0111\u01b0\u1ee3c ph\u00e2n ph\u1ed1i th\u00f4ng qua file c\u00e0i \u0111\u1eb7t d\u1ea1ng .dmg, ch\u1ee9a phi\u00ean b\u1ea3n \u0111\u00e3 b\u1ecb trojan h\u00f3a c\u1ee7a \u1ee9ng d\u1ee5ng h\u1ee3p ph\u00e1p Termius.app, c\u00f4ng c\u1ee5 qu\u1ea3n l\u00fd m\u00e1y ch\u1ee7 SSH ph\u1ed5 bi\u1ebfn.<\/p>\n

So v\u1edbi b\u1ea3n ch\u00ednh h\u00e3ng (~225MB), b\u1ea3n trojan h\u00f3a c\u00f3 dung l\u01b0\u1ee3ng l\u1edbn h\u01a1n (~248MB) do \u0111\u01b0\u1ee3c nh\u00fang th\u00eam payload \u0111\u1ed9c h\u1ea1i. Sau khi ng\u01b0\u1eddi d\u00f9ng ch\u1ea1y file .dmg, trojan t\u1ef1 \u0111\u1ed9ng k\u00edch ho\u1ea1t tr\u00ecnh loader \u0111\u1ed3ng th\u1eddi v\u1edbi \u1ee9ng d\u1ee5ng Termius g\u1ed1c, nh\u1eb1m duy tr\u00ec t\u00ednh \u1ea9n m\u00ecnh v\u00e0 tr\u00e1nh b\u1ecb nghi ng\u1edd t\u1eeb ph\u00eda n\u1ea1n nh\u00e2n.<\/p>\n

Bi\u1ebfn th\u1ec3 m\u1edbi c\u1ee7a ZuRu \u0111\u1eb7c bi\u1ec7t t\u01b0\u01a1ng th\u00edch v\u1edbi c\u00e1c h\u1ec7 th\u1ed1ng macOS hi\u1ec7n \u0111\u1ea1i, y\u00eau c\u1ea7u phi\u00ean b\u1ea3n Sonoma 14.1 (ph\u00e1t h\u00e0nh th\u00e1ng 10\/2023) tr\u1edf l\u00ean \u0111\u1ec3 th\u1ef1c thi. Sau khi thi\u1ebft l\u1eadp th\u00e0nh c\u00f4ng, malware c\u00f3 kh\u1ea3 n\u0103ng duy tr\u00ec k\u1ebft n\u1ed1i C2 (command-and-control) \u1ed5n \u0111\u1ecbnh, v\u00e0 th\u1ef1c hi\u1ec7n nhi\u1ec1u h\u00e0nh vi x\u00e2m nh\u1eadp nh\u01b0:<\/p>\n