Reports have emerged that crypto scammers have stolen considerable amounts of cryptocurrency from traders using a trojan that targets trading applications on Apple's macOS. The malware involved is known as GMERA.

A detailed study by the internet security company ESET found that the malware is bundled into legitimate-looking crypto trading applications. Once installed on the victim's Mac, it attempts to steal cryptocurrency from their wallets.


Researchers at the cybersecurity firm Trend Micro first documented GMERA in September 2019. At the time, the malware was posing as the Mac stock investment application Stockfolio.

The researchers found two variants of the malware family in use by crypto scammers and other criminals. The first carries a pair of shell scripts and connects to a remote site to decrypt its encrypted code. The second uses a simpler routine built around a single shell script, but adds a persistence mechanism.

The Two Malware Versions

Trojan.MacOS.GMERA.A was first flagged by a machine-learning detection system. Its malicious behavior was hard to confirm from the shell script alone, because the script only references other files (AppCode, .pass, and .app) rather than containing the payload itself. To prove the behavior was malicious, the researchers retrieved the parent file through their own infrastructure and the VirusTotal aggregation service, and found the trojan hidden inside genuine-looking files.


Trojan.macOS.GMERA.B was found by pivoting on the digital certificate used to sign the first sample; it had been uploaded to VirusTotal in June 2019. Like the first variant, it carries an embedded copy of Stockfolio.app version 1.4.13 and is signed with the malware author's digital certificate, and it launches the legitimate app whenever it runs to hide its malicious intent.

When opened, Trojan.macOS.GMERA.B launches the embedded Stockfolio 1.4.13 as a decoy and then runs the shell script run.sh, which collects the username and IP address of the infected machine. As noted above, this variant also sets up persistence so that it survives a reboot.

Kattana Application Targeted

ESET also found that the malware operators have bundled GMERA into trojanized copies of Kattana, a legitimate macOS crypto trading platform. They cloned the firm's website and are now promoting four rebranded copycat applications: Cupatrade, Licatrade, Cointrazer, and Trezarus.


The copycat sites offer a download button that fetches a ZIP archive containing the trojanized application. According to the ESET report, the bundled apps retain the full trading functionality of the original, so a victim has little reason to suspect anything. The report reads:

“For a person who doesn’t know Kattana, the websites do look legitimate.”

According to the researchers, the scammers contact their victims directly and repeatedly, continuously "socially engineering them" into downloading the infected app.
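The trojanized Stockfolio and Kattana builds described above share a structure that can be checked before anything is double-clicked: a shell script hidden inside the bundle (run.sh), a second .app nested inside the first (the embedded copy of the legitimate application used as a decoy), and hidden dot-files such as .pass. The script below is an added example, not code from the ESET or Trend Micro reports, that triages a downloaded ZIP archive for exactly those traits without extracting it. The bundle names, file contents and the TraderApp.app name are constructed for the demo, not indicators taken from the reports.

```python
"""Static triage of a macOS .app bundle delivered as a ZIP archive.

Added example (not from the ESET/Trend Micro reports). Flags the traits the
article attributes to GMERA builds: a shell script inside the bundle, a
second .app nested inside the first, hidden dot-files, and a declared main
executable that is a script instead of a Mach-O binary. All names and file
contents below are constructed for the demo.
"""
import io
import plistlib
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TriageReport:
    bundle: str
    main_executable: Optional[str]            # CFBundleExecutable from Info.plist
    main_is_script: bool = False              # declared executable starts with "#!"
    shell_scripts: List[str] = field(default_factory=list)
    nested_apps: List[str] = field(default_factory=list)
    hidden_files: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.main_is_script or self.shell_scripts
                    or self.nested_apps or self.hidden_files)


def triage_app_zip(data: bytes) -> List[TriageReport]:
    """Inspect every top-level .app in the archive, reading only from memory."""
    reports: List[TriageReport] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        bundles = sorted({n.split("/")[0] for n in names if n.split("/")[0].endswith(".app")})
        for app in bundles:
            prefix = app + "/"
            exe = None
            plist_path = prefix + "Contents/Info.plist"
            if plist_path in names:
                exe = plistlib.loads(zf.read(plist_path)).get("CFBundleExecutable")
            rep = TriageReport(app, exe)
            # A real app's main executable is a Mach-O binary; a "#!" header means a script.
            if exe and prefix + "Contents/MacOS/" + exe in names:
                rep.main_is_script = zf.read(prefix + "Contents/MacOS/" + exe).startswith(b"#!")
            for member in names:
                if not member.startswith(prefix):
                    continue
                rel = member[len(prefix):]
                parts = rel.split("/")
                base = parts[-1]
                if base.endswith(".sh") or zf.read(member).startswith(b"#!"):
                    rep.shell_scripts.append(rel)
                for directory in parts[:-1]:          # an .app inside the .app
                    if directory.endswith(".app") and directory not in rep.nested_apps:
                        rep.nested_apps.append(directory)
                if base.startswith(".") and base != ".DS_Store":   # .DS_Store is normal Finder noise
                    rep.hidden_files.append(rel)
            reports.append(rep)
    return reports


def build_trojanized_sample() -> bytes:
    """Constructed archive mimicking the layout the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        app = "TraderApp.app/Contents/"
        zf.writestr(app + "Info.plist", plistlib.dumps(
            {"CFBundleExecutable": "TraderApp", "CFBundleIdentifier": "example.traderapp"}))
        # launcher script where a Mach-O binary should be: opens the decoy, runs run.sh
        zf.writestr(app + "MacOS/TraderApp",
                    b"#!/bin/sh\nopen \"$(dirname \"$0\")/../Resources/Stockfolio.app\"\n"
                    b"sh \"$(dirname \"$0\")/../Resources/run.sh\" &\n")
        zf.writestr(app + "Resources/run.sh", b"#!/bin/sh\nwhoami\n")
        zf.writestr(app + "Resources/.pass", b"placeholder\n")
        # embedded copy of the legitimate app, launched as a decoy (stub Mach-O 64-bit magic)
        zf.writestr(app + "Resources/Stockfolio.app/Contents/MacOS/Stockfolio",
                    bytes.fromhex("cffaedfe") + b"\0" * 16)
    return buf.getvalue()


def build_clean_sample() -> bytes:
    """Constructed archive with an ordinary bundle layout, for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        app = "Stockfolio.app/Contents/"
        zf.writestr(app + "Info.plist", plistlib.dumps({"CFBundleExecutable": "Stockfolio"}))
        zf.writestr(app + "MacOS/Stockfolio", bytes.fromhex("cffaedfe") + b"\0" * 16)
        zf.writestr(app + "Resources/icon.icns", b"icns")
    return buf.getvalue()


if __name__ == "__main__":
    for rep in triage_app_zip(build_trojanized_sample()) + triage_app_zip(build_clean_sample()):
        print(rep.bundle, "SUSPICIOUS" if rep.suspicious else "clean", rep)
```

A clean trading client has a Mach-O binary as its main executable and no shell scripts or nested bundles in Resources, so any hit from this triage is worth a closer look before the app is run. It is a structural check only; a bundle that passes it can still be malicious, and a code-signature check with codesign and Gatekeeper should be run alongside it.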

Trojan Overview

ESET researchers also analyzed several Licatrade samples to understand the malware. They found a few differences from the malware bundled with the other applications, but it functions in essentially the same way.

The trojan drops a shell script on the victim's machine. Once it runs, the script connects to the attackers' command-and-control servers (C2, also written C&C) over HTTP, giving the operators access to the victim's system through the trojanized application.


The C2 channel lets the operators communicate with the compromised machine continuously. According to the findings, GMERA steals a range of information, including the victim's location, crypto wallets, screen captures, and usernames.

ESET said it reported the matter to Apple, and the certificate Apple had issued for Licatrade was revoked within a few hours. The two other certificates, used to sign the other copycat apps, had already been revoked by the time ESET examined them. Revocation stops new downloads from passing Gatekeeper's signature check, but it does nothing for machines on which the trojan is already running.

About the author

Wanguba Muriuki is an Editor at Large for E-Crypto News and author of the book "The Exploitative Intrigues of Cryptocurrency Scams Explained." He is also a passionate creator who sees every aspect of life from a written perspective. He loves Blockchain, Cryptocurrency, Technology, and Traveling. He is a widely experienced creative and technical writer. Everything and everyone is describable. The best description is written.
