A new Trojan attack with malware called GMERA targets cryptocurrency traders using Apple’s MacOS trading apps.
Internet security company ESET has determined that the malware is embedded in legitimate-looking cryptocurrency trading applications and tries to steal cryptocurrency funds from users’ wallets.
Researchers at another cyber security company, Trend Micro, first discovered the GMERA malware in September 2019, when it was posing as a Mac stock investment app, Stockfolio.
Copycat applications
ESET found that the malware operators integrated GMERA into the original MacOS cryptocurrency trading application, Kattana. They have also copied the company’s website and are promoting four new copycat applications that contain the malware: Cointrazer, Cupatrade, Licatrade and Trezarus.
The fake websites have a download button linked to a zip file containing the trojanized version of the app. According to ESET, these applications offer full support for trading functions.
“For someone who doesn’t know Kattana, the websites seem legitimate,” the researchers wrote.
The researchers also said the operators contacted their victims directly and used social engineering to persuade them to download the infected application.
Malware, in summary
To analyze the malware, ESET researchers used samples of Licatrade, which they said differ slightly from the malware in the other applications but work the same way.
The Trojan installs a shell script on the victim’s computer that gives the operators access to the user’s system through the application. The shell script establishes a command and control channel, also called C&C or C2, over HTTP between the attacker’s server and the victim’s system. These C2 servers let the operators communicate systematically with the compromised computer.
According to the findings, the GMERA malware steals information such as user names, cryptocurrency wallets, location and screenshots of the user’s system.
ESET said it reported the problem to Apple, and the certificate Apple had issued to Licatrade was revoked the same day. ESET added that the two other certificates, which were used for different applications, had already been revoked by the time its analysis began.