The latest reports indicate that hackers have stolen cryptocurrency from traders using a new trojan that targets trading applications on Apple’s macOS. The attack used malware known as GMERA.
ESET, the internet security company, found that the malware comes bundled inside legitimate-looking crypto trading applications and tries to steal funds from users’ crypto wallets.
Researchers at the cybersecurity firm Trend Micro first discovered GMERA malware in September 2019. At that time, the malware was posing as Stockfolio, a Mac-specific stock investment application.
Regenerating The Real Apps
ESET also discovered that the malware operators have meticulously integrated GMERA into Kattana, a genuine macOS crypto trading application. They have also copied the company’s website and are now promoting at least four copycat applications, namely Cointrazer, Cupatrade, Licatrade, and Trezarus. These copycat apps come packed with malware.
The fake sites have a download button that delivers a ZIP archive containing the trojanized version of the app. According to ESET’s report, all of these applications fully support all trading functionality. The researchers wrote:
“For a person who doesn’t know Kattana, the websites do look legitimate.”
According to the researchers, the perpetrators have been contacting their targets directly and repeatedly, “socially engineering them” into downloading the infected application.
The Malware Overview
ESET researchers analyzed multiple Licatrade samples to study this malware. They said it has a few differences from the malware found in the other applications, but it functions in the same way.
The trojan installs a shell script on the targeted computer, which gives the attacker access to the user’s system through the application. The shell script then lets the attackers set up several command-and-control servers, also called C&C or C2, that communicate with the victim’s system over HTTP.
Notably, these C2 servers let the criminals communicate continuously with the compromised machine. According to the findings, the GMERA malware then steals information such as crypto wallets, user names, location, and screen captures from the user’s system.
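A C2 channel that talks to the attacker continuously over HTTP leaves a recognisable trace in proxy or firewall logs: one client hitting the same external host at almost perfectly regular intervals. The script below is an added example written for this article, not code from ESET or from any analysis of GMERA; it flags such evenly spaced request patterns in a handful of constructed log lines. The log format, the client addresses and the hostname c2-placeholder.invalid are all assumptions made for the example, not indicators from the report.

```python
"""Flag client/host pairs whose HTTP requests arrive at near-constant
intervals, the beaconing pattern a continuously communicating C2
channel produces in proxy logs. Everything here is constructed for
illustration; no hostname or address is a real indicator."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines in an assumed format:
# "<ISO timestamp> <client ip> <method> <host> <status>"
SAMPLE_LOG = """\
2020-07-16T09:00:00 10.0.0.5 GET c2-placeholder.invalid 200
2020-07-16T09:00:03 10.0.0.5 GET updates.example.com 200
2020-07-16T09:00:30 10.0.0.5 GET c2-placeholder.invalid 200
2020-07-16T09:01:00 10.0.0.5 GET c2-placeholder.invalid 200
2020-07-16T09:01:30 10.0.0.5 GET c2-placeholder.invalid 200
2020-07-16T09:02:00 10.0.0.5 GET c2-placeholder.invalid 200
2020-07-16T09:02:30 10.0.0.5 GET c2-placeholder.invalid 200
2020-07-16T09:00:10 10.0.0.7 GET news.example.org 200
2020-07-16T09:04:41 10.0.0.7 GET news.example.org 200
2020-07-16T09:05:02 10.0.0.7 GET cdn.example.org 200
2020-07-16T09:21:17 10.0.0.7 GET news.example.org 304
2020-07-16T09:33:59 10.0.0.7 GET news.example.org 200
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples from the constructed log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _status = line.split()
        yield datetime.fromisoformat(ts), client, host


def find_beacons(text, min_requests=5, max_jitter=0.2):
    """Return {(client, host): mean_interval_seconds} for pairs seen at
    least min_requests times whose gaps between requests are nearly
    constant (coefficient of variation <= max_jitter)."""
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        # Evenly spaced requests give a low coefficient of variation;
        # human browsing is bursty and rarely does.
        if pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: request every {interval:.0f}s")
```

Run on the sample, only the pair 10.0.0.5 and c2-placeholder.invalid is reported (six requests exactly 30 seconds apart); the ordinary browsing from 10.0.0.7 is irregular and too infrequent to qualify. In practice the thresholds need tuning against a baseline of legitimate periodic traffic such as update checkers, which also beacon.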
Nonetheless, ESET said that they reported the matter to Apple, and the certificate the macOS maker had issued to Licatrade was revoked the same day. They added that the other two certificates, used for different apps, had already been revoked by the time they began their analyses.