New Trojan attack targets Mac users to steal cryptocurrencies

A new Trojan attack using malware called GMERA targets crypto traders who use Apple macOS trading applications.

Internet security company ESET discovered that the malware is embedded in legitimate-looking cryptocurrency trading applications and attempts to steal cryptocurrency funds from users' wallets.

Researchers at another security company, Trend Micro, first discovered GMERA in September 2019, when it was masquerading as Stockfolio, a Mac-only stock trading application.

Copying the applications
ESET found that the malware operators have bundled GMERA with the legitimate macOS cryptocurrency trading application Kattana. They have also cloned the company's website and are promoting four 'copycat' applications, Cointrazer, Cupatrade, Licatrade and Trezarus, all of which include the malware.

The fake websites have a download button linked to a ZIP file containing the trojanized version of the application. According to ESET, these applications still offer full trading functionality.

"To a person who does not know Kattana, the websites seem legitimate," the researchers wrote.

The researchers also said that those responsible had been contacting victims directly and using social engineering to trick them into downloading the infected application.

The malware, in brief
To analyze the malware, ESET researchers used samples of Licatrade, which they said differs only slightly from the malware bundled with the other applications and works the same way.

The Trojan drops a shell script on the victim's computer that gives the operators access to the system. The script establishes a command and control channel (also called C&C or C2) over HTTP between the victim's machine and the attackers' server, and it is through this channel that the operators communicate with the compromised machine.

According to the findings, GMERA steals information including the user name, cryptocurrency wallets, the victim's location and screenshots of the user's screen.
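The shell-script foothold described above is the kind of persistence a defender would hunt for on a Mac. The following is an added example written for this page, not code from ESET or from any of the trading applications, and it uses no GMERA indicators: it audits launchd job plists (LaunchAgents and LaunchDaemons) and flags jobs that run a shell interpreter on a script living in a temp or user-writable directory, a hidden script file, or an inline command that fetches or executes something over the network. The two embedded plists are constructed samples, and the home directory and the list of flagged directories are assumptions.

```python
"""Hunt for shell-script persistence in macOS launchd jobs (added example, not ESET code)."""
import plistlib
import re
from pathlib import Path

SHELLS = {"sh", "bash", "zsh", "ksh", "dash"}
# Assumption: script paths under these prefixes are writable without admin rights,
# so a shell script launched from here deserves a look.
UNTRUSTED_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
# Inline "-c" commands that fetch or spawn something are a common downloader/reverse-shell shape.
SUSPICIOUS_INLINE = re.compile(r"(curl|wget|/dev/tcp/|\bnc\b|osascript|base64)")


def program_of(plist: dict) -> list:
    """Return the argv launchd would execute for this job (empty if neither key is present)."""
    if "ProgramArguments" in plist:
        return list(plist["ProgramArguments"])
    if "Program" in plist:
        return [plist["Program"]]
    return []


def assess(plist: dict, home: str = "/Users/victim") -> list:
    """Return the reasons a job looks like shell-script persistence; empty means nothing flagged.

    `home` is an assumed home directory used to expand "~" in script paths.
    """
    argv = program_of(plist)
    reasons = []
    if not argv or Path(argv[0]).name not in SHELLS:
        return reasons  # not a shell interpreter: outside this hunt's scope

    if "-c" in argv:
        # Inline command: the whole payload is in the plist, so inspect it directly
        cmd = " ".join(argv[argv.index("-c") + 1:])
        if SUSPICIOUS_INLINE.search(cmd):
            reasons.append(f"inline shell command with network/exec tool: {cmd!r}")
    else:
        # Script file: judge it by where it lives and whether it is hidden
        for arg in argv[1:]:
            if arg.startswith("-"):
                continue  # interpreter flag such as -l or -e
            path = arg.replace("~", home, 1)
            if path.startswith(UNTRUSTED_PREFIXES):
                reasons.append(f"shell script in temp/shared directory: {arg}")
            elif path.startswith(home + "/"):
                reasons.append(f"shell script in user-writable home directory: {arg}")
            if Path(path).name.startswith("."):
                reasons.append(f"hidden script file: {arg}")

    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: starts at login and is restarted if killed")
    return reasons


def scan(directory: str) -> dict:
    """Assess every .plist in a launchd directory; returns {label: reasons} for flagged jobs only."""
    findings = {}
    for path in Path(directory).glob("*.plist"):
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:
            findings[str(path)] = ["could not parse plist"]
            continue
        reasons = assess(plist)
        if reasons:
            findings[plist.get("Label", str(path))] = reasons
    return findings


# Constructed sample jobs (not real GMERA indicators): one ordinary updater, one dropped script.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>/tmp/.helper.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


def assess_bytes(data: bytes) -> list:
    """Parse an XML or binary plist from bytes and assess it."""
    return assess(plistlib.loads(data))


if __name__ == "__main__":
    for name, data in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(name, "->", assess_bytes(data) or "nothing flagged")
    # On a real Mac, point it at the launchd directories:
    for d in (str(Path.home() / "Library/LaunchAgents"), "/Library/LaunchAgents", "/Library/LaunchDaemons"):
        for label, reasons in scan(d).items():
            print(label, "->", reasons)
```

The output is a list of leads, not a verdict: legitimate software does install agents under the user's home directory, so each flagged job still needs the script itself read and its origin checked. Pair it with `codesign -dv` and `spctl --assess` on the parent application, since a revoked developer certificate (as happened with Licatrade) is the strongest single signal that a bundle should not be trusted.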

ESET said it reported the issue to Apple, and the developer certificate Apple had issued for Licatrade was revoked the same day. The two other certificates used to sign the remaining applications had already been revoked by the time ESET began its analysis.