Crypto scammers have stolen significant amounts of cryptocurrency from traders using a trojan that targets trading applications on Apple's macOS. The campaign uses malware known as GMERA.
An analysis by the internet security company ESET found that the malware is bundled into legitimate-looking crypto trading applications. Once installed on the victim's device, it attempts to steal cryptocurrency from their wallets.
GMERA was originally discovered by researchers at the cybersecurity firm Trend Micro in September 2019. At the time, the malware was posing as Stockfolio, a Mac stock investment application.
The researchers found two variants of the malware family. The first uses a pair of shell scripts and connects to a remote site to decode its encrypted code. The second uses a simpler routine consisting of a single shell script, but adds a persistence mechanism.
The Two Malware Versions
Trojan.MacOS.GMERA.A was initially flagged by a machine learning detection system. Its malicious behavior was hard to confirm from the shell script alone, because the script references other files, including AppCode, .pass, and .app. To confirm that the behavior was malicious, the researchers retrieved the parent file using their own infrastructure and the VirusTotal aggregation service, and found the trojan hidden inside genuine-looking files.
Trojan.MacOS.GMERA.B was found by pivoting on the digital certificate of the first sample; it had been uploaded to VirusTotal in June 2019. Like the first variant, it carries an embedded copy of Stockfolio.app version 1.4.13 signed with the malware author's certificate, and launches that legitimate app whenever it is executed to hide its malicious intent.
When opened, Trojan.MacOS.GMERA.B runs the embedded copy of Stockfolio version 1.4.13 and then launches the shell script run.sh. The script collects the infected machine's IP address and username and, as noted above, sets up the variant's persistence mechanism.
Kattana Application Targeted
ESET also found that the malware operators have bundled GMERA into trojanized copies of the legitimate macOS Kattana crypto trading application. They cloned the company's website and are now promoting four copycat applications: Cupatrade, Licatrade, Cointrazer, and Trezarus.
Each fake site has a download button that links to a ZIP archive containing the trojanized application. Because the apps are repackaged copies of the real Kattana client, they offer full trading functionality, which makes the lure convincing. The ESET report reads:
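The sections above describe two bundling traits of these trojanized apps: a shell script (run.sh) launched from inside the bundle, and an embedded copy of the legitimate app used as a decoy, alongside hidden helper files such as .pass. The following added example (not code from ESET, Trend Micro, or the article) triages a downloaded ZIP archive for those traits before anything is run. The archive, bundle name and file names below are constructed for illustration and are assumptions, not indicators from the reports.

```python
"""Static triage of a downloaded macOS app archive for GMERA-style bundling.

Added example, not code from the ESET or Trend Micro reports. Heuristics:
  1. a second .app nested inside the bundle (decoy copy of the real app),
  2. a shell script inside the bundle, by .sh extension or shebang,
  3. hidden dotfiles such as .pass referenced by the script.
The sample archive is constructed in memory; names are illustrative assumptions.
"""
import io
import posixpath
import zipfile

SHELL_SHEBANGS = (
    b"#!/bin/sh", b"#!/bin/bash", b"#!/bin/zsh",
    b"#!/usr/bin/env sh", b"#!/usr/bin/env bash",
)


def bundle_root(name):
    """Return the outermost .app directory in `name`, or None if there is none."""
    parts = name.split("/")
    for i, part in enumerate(parts):
        if part.endswith(".app"):
            return "/".join(parts[: i + 1])
    return None


def triage_zip(zip_bytes):
    """Return a sorted list of (finding, path) pairs for one ZIP archive."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            root = bundle_root(name)
            if root is None:
                continue  # file is not inside an .app bundle; out of scope here
            rel = name[len(root) + 1:]
            nested = bundle_root(rel)
            if nested is not None:  # heuristic 1: decoy .app inside the bundle
                findings.add(("nested .app bundle", root + "/" + nested))
            base = posixpath.basename(name)
            if base.startswith(".") and base != ".DS_Store":  # heuristic 3
                findings.add(("hidden dotfile", name))
            head = zf.open(info).read(64) if info.file_size else b""
            if base.endswith(".sh") or head.startswith(SHELL_SHEBANGS):  # heuristic 2
                findings.add(("shell script", name))
    return sorted(findings)


def build_sample(trojanized):
    """Constructed sample: a minimal app bundle, optionally with GMERA-style extras."""
    macho_magic = b"\xcf\xfa\xed\xfe"  # 64-bit Mach-O magic, little-endian
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Licatrade.app/Contents/Info.plist", "<plist version=\"1.0\"></plist>")
        zf.writestr("Licatrade.app/Contents/MacOS/Licatrade", macho_magic + b"\x00" * 16)
        if trojanized:
            zf.writestr("Licatrade.app/Contents/Resources/run.sh", "#!/bin/bash\necho constructed\n")
            zf.writestr("Licatrade.app/Contents/Resources/launcher", "#!/bin/sh\necho constructed\n")
            zf.writestr("Licatrade.app/Contents/Resources/.pass", "constructed-placeholder\n")
            zf.writestr(
                "Licatrade.app/Contents/Resources/Kattana.app/Contents/MacOS/Kattana",
                macho_magic + b"\x00" * 16,
            )
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("trojanized", build_sample(True))):
        print(label)
        for finding, path in triage_zip(sample):
            print(f"  {finding}: {path}")
```

This is a pre-execution triage only: a real review would extract the bundle and read any flagged script, and on a Mac would also run `codesign --verify --deep --strict` and `spctl --assess --type execute` against the .app, since a revoked signing certificate (as happened to Licatrade) is caught by those checks rather than by this one.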
“For a person who doesn’t know Kattana, the websites do look legitimate.”
According to the researchers, the operators contact their victims directly and repeatedly, "socially engineering them" into downloading the infected app.
ESET also analyzed several Licatrade samples in detail. They differ slightly from the malware found in the other applications but function in the same way.
The trojan installs a shell script on the targeted device, giving the attacker access to the system through the application. The shell script then establishes command-and-control (C2, also written C&C) communication over HTTP between the attacker's infrastructure and the victim's machine.
The C2 channel lets the operators communicate with the compromised machine on an ongoing basis. According to the findings, GMERA steals a range of information, including the victim's location, cryptocurrency wallets, screen captures, and usernames.
ESET reported the matter to Apple, and the certificate used to sign Licatrade was revoked within a few hours. The two other certificates used for the remaining apps had already been revoked by the time of the investigation.