Mac Malware Poses as Trading App

A Mac Trojan focused on stealing users’ information was found masquerading as a legitimate trading application, Trend Micro’s security researchers report.

Detected by Trend Micro products as Trojan.MacOS.GMERA, the software poses as the Mac-based trading app Stockfolio, but contains shell scripts that allow it to perform malicious activities. To date, two malware samples have been discovered, revealing an evolution of the threat.

The first sample is a ZIP archive file containing an app bundle (Stockfoli.app) and a hidden encrypted file (.app). A copy of the legitimate Stockfolio version 1.4.13 signed with the malware developer’s digital certificate is included in the archive.

When executed, the threat displays a trading app interface on the screen, but it also executes bundled shell scripts in the Resources directory, the researchers discovered.

The first of the scripts is in charge of collecting a broad range of information on the infected system, including username, IP address, apps in /Applications, files in ~/Documents, files in ~/Desktop, OS installation date, file system disk space usage, graphics/display information, wireless network information, and screenshots.

The collected data is encoded and saved in a hidden file, then sent to the attackers’ server. If a response is received from the server, it is written to another hidden file.

The second script executed by the malware is in charge of copying additional files, as well as decoding and deleting some others. It also checks for the hidden file containing the server response and uses its content to decrypt a file that Trend Micro suspects contains additional malicious routines.

Also using a copy of Stockfolio version 1.4.13 to hide its malicious intent, the second sample contains a much simpler routine. It executes a single script meant to collect usernames and IP addresses from the infected machine and send the information to the attackers’ server.

It also drops several files and creates a simple reverse shell (on ports 25733-25736) to the command and control (C&C) server, allowing hackers to execute shell commands on the infected host. The sample also includes a persistence mechanism, via the creation of a property list (plist) file that creates the reverse shell code every 10,000 seconds.
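A defender can audit launchd job definitions for the persistence pattern described above: a job re-run on a timer that launches a shell. The following Python sketch is an added example, not code from Trend Micro or from the malware; the sample plists, labels, paths and the address 203.0.113.10 are constructed, and the heuristics are assumptions about what such a job could look like, not the sample's actual plist contents.

```python
import plistlib
import re
from pathlib import PurePosixPath

SHELLS = {"sh", "bash", "zsh"}
REPORTED_PORTS = range(25733, 25737)  # reverse-shell ports named in the article


def audit_launchd_plist(raw: bytes) -> list[str]:
    """Return heuristic findings for one launchd job definition (XML or binary plist)."""
    job = plistlib.loads(raw)
    args = [str(a) for a in job.get("ProgramArguments", [])]
    if not args and "Program" in job:
        args = [str(job["Program"])]
    findings = []
    # launchd re-runs the job every StartInterval seconds
    interval = job.get("StartInterval")
    if isinstance(interval, int) and not isinstance(interval, bool):
        findings.append(f"periodic:{interval}")
    # a shell interpreter given an inline command instead of a signed binary
    if args and PurePosixPath(args[0]).name in SHELLS and "-c" in args[1:]:
        findings.append("inline-shell")
    # any argument mentioning one of the ports from the report
    numbers = {int(n) for a in args for n in re.findall(r"\b\d{4,5}\b", a)}
    hits = sorted(n for n in numbers if n in REPORTED_PORTS)
    if hits:
        findings.append("reported-port:" + ",".join(map(str, hits)))
    # a dot-prefixed (hidden) file or directory in the command line
    if any(re.search(r"(^|/)\.[^./][^/]*", a) for a in args):
        findings.append("hidden-path")
    return findings


# Constructed samples: one job shaped like the behaviour described, one ordinary updater.
SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.constructed",
    "ProgramArguments": ["/bin/sh", "-c", "sh ~/.hidden/run.sh 203.0.113.10 25734"],
    "RunAtLoad": True,
    "StartInterval": 10000,
})
BENIGN = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "StartInterval": 86400,
})

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, audit_launchd_plist(raw))
```

On a real host the same function can be fed the bytes of each file under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; a periodic job alone is common, so the combination of findings is what merits review.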

“Given the changes we’ve seen from the malware variant’s initial iteration to its current one, we notice a trend in which the malware authors have simplified its routine and added further capabilities. It’s possible that the people behind it are looking for ways to make it more efficient – perhaps even adding evasion mechanisms in the future,” Trend Micro concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.