The malware comes in a disk image that contains a link to the Applications folder with a Chinese name, which is unusual for an app that is English-only and does not contain any Chinese localization files. The disk image itself throws the first red flag: the real iTerm2 is distributed in a zip file, rather than a disk image. Further, for an app with a very professionally designed website, the disk image file is quite unpolished.

The malicious iTerm2 app appears to be a legitimate copy of the iTerm2 app, but with one file added: iTerm.app/Contents/Frameworks/libcrypto.2.dylib

When launched, the malicious app loads and runs the malicious libcrypto.2.dylib dynamic library, which in turn does a couple of things. Its main purpose seems to be to connect to 11, from which it downloads a Python file named g.py and a Mach-O binary named GoogleUpdate into the /tmp folder, then executes both of them. The GoogleUpdate binary is heavily obfuscated, and it is currently not known exactly what it does.
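The indicators above (an extra dylib under Contents/Frameworks and the g.py and GoogleUpdate droppers in /tmp) are simple enough to hunt for with a shell script. The script below is an added example, not code from the original post or from the iTerm2 project. The function and variable names are my own, and the known-good manifest it compares against is a constructed stand-in, not the real list of files shipped in iTerm2's Frameworks folder; the demo builds a throwaway bundle in a temporary directory so that it runs offline on any POSIX shell.

```shell
#!/bin/sh
# Triage helpers for a trojanized iTerm2 bundle (added example, not from the original post).
# All function names and the sample manifest below are hypothetical.

# Returns 0 (and prints a line) if the injected library is present in the bundle.
find_injected_dylib() {
    bundle="$1"
    lib="$bundle/Contents/Frameworks/libcrypto.2.dylib"
    if [ -f "$lib" ]; then
        printf 'SUSPICIOUS: %s present\n' "$lib"
        return 0
    fi
    return 1
}

# Prints every entry in Contents/Frameworks that is not listed in a known-good
# manifest (one file name per line). Catches renamed or additional droppers, not
# just the one name seen in this sample.
list_unexpected_frameworks() {
    bundle="$1"
    manifest="$2"
    for entry in "$bundle"/Contents/Frameworks/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        grep -qxF "$name" "$manifest" || printf '%s\n' "$name"
    done
    return 0
}

# Returns 0 if any of the dropped payload names exist in the given temp directory.
find_dropped_payloads() {
    tmpdir="${1:-/tmp}"
    found=1
    for name in g.py GoogleUpdate; do
        if [ -e "$tmpdir/$name" ]; then
            printf 'SUSPICIOUS: %s/%s present\n' "$tmpdir" "$name"
            found=0
        fi
    done
    return "$found"
}

# Demo on a constructed bundle: mimics the trojanized layout in a scratch directory.
demo() {
    work=$(mktemp -d)
    bundle="$work/iTerm.app"
    mkdir -p "$bundle/Contents/Frameworks" "$bundle/Contents/MacOS" "$work/tmp"
    : > "$bundle/Contents/MacOS/iTerm2"
    : > "$bundle/Contents/Frameworks/Sparkle.framework"      # constructed "expected" entry
    : > "$bundle/Contents/Frameworks/libcrypto.2.dylib"      # the injected file
    : > "$work/tmp/g.py"
    printf 'Sparkle.framework\n' > "$work/manifest.txt"        # constructed known-good list

    find_injected_dylib "$bundle"
    list_unexpected_frameworks "$bundle" "$work/manifest.txt"
    find_dropped_payloads "$work/tmp"
    rm -rf "$work"
}

[ "${1:-}" = "--demo" ] && demo
```

On a live macOS system, pass /Applications/iTerm.app and leave the tmp argument unset; the manifest should come from a clean copy of the same iTerm2 version downloaded from the project's own site. Apple's code-signing check (codesign --verify --deep --strict --verbose=2 /Applications/iTerm.app) should also report a file added under Contents/Frameworks, which is a quicker first test when the tool is available.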