Last week, security researcher Patrick Wardle released details of a new piece of malware masquerading as the legitimate app iTerm2. The malware was discovered earlier the same day by security researcher Zhi (@CodeColorist on Twitter), and detailed on a Chinese-language blog. (For those who don’t speak Chinese, Safari seems to do a fair job of translating it.)
iTerm2 is a legitimate replacement for the macOS Terminal app, offering some powerful features that Terminal does not. It is frequently used by power users. It is a favorite of security researchers because of the propensity for Mac malware to take control or detect usage of the Terminal app, which can interfere with attempts to reverse engineer malware. This makes iTerm2 an ideal app to trojanize to infect people who may have access to development system, research intelligence, etc.