More Fake Cryptocurrency Apps Deliver GMERA Malware to Mac Users

Security researchers at ESET have identified a new campaign targeting Mac users with trojanized cryptocurrency trading apps designed to deliver the GMERA malware.

Previous attacks involving this malware family were observed leveraging malicious versions of the trading app Stockfolio, and security researchers also associated the GMERA Trojan with the activities of North Korean hackers.

Recently identified campaigns featuring the malware involved the use of several websites that distributed malicious applications claiming to provide cryptocurrency trading capabilities.

The cybercriminals built their malicious programs by repackaging the legitimate Kattana trading application with their malware. Four different brandings were used in the observed campaigns, namely Cointrazer, Cupatrade, Licatrade and Trezarus.

The GMERA Trojan was designed to steal various types of information from the compromised machines, including browser cookies, cryptocurrency wallets, and even screenshots.

More recent versions of macOS, however, limit the attackers’ ability to take screenshots by requiring the user’s explicit consent to finalize the action. Regardless, the hackers haven’t tried to circumvent that limitation, ESET notes.

What remains uncertain is exactly how the attackers are promoting their malicious applications. Most likely the hackers are using social engineering to trick users into installing the malware. In March, Kattana issued an alert on hackers contacting victims individually to lure them into downloading the trojanized apps.

“Copycat websites are set up to make the bogus application download look legitimate. For a person who doesn’t know Kattana, the websites do look legitimate,” ESET notes.

The cybercriminals also used digital certificates to sign their applications, and it appears that they acquired the certificates specifically for these attacks. Apple has already removed the offending certificates.

GMERA uses reverse shell backdoors to allow interaction with the operators. The malware uses HTTP for communication with the command and control (C&C) server, but no commands were seen being issued via this channel, as all of them were being served through the reverse shells.

The attackers only proceed to exfiltrate data from systems that are considered of interest. Files selected for exfiltration are compressed in a ZIP archive and sent to a server controlled by the attackers via HTTP.
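The two behaviours described in the preceding paragraphs (an operator-driven reverse shell, and a ZIP archive pushed out over HTTP) are the kind of thing a defender can look for in endpoint and proxy telemetry. The following is an added example written for this page, not code from ESET or SecurityWeek: it runs two simple rules over constructed sample events. The event field names, the allowlist, the TEST-NET addresses and the port numbers are all assumptions made for the example, not indicators taken from the campaign.

```python
"""Detection sketch for the GMERA behaviours described above:
(1) a shell process holding an outbound connection to a non-private host
    (the shape of a reverse shell), and
(2) an HTTP POST/PUT whose body is a ZIP archive sent to a host the
    organisation does not expect uploads to (the exfiltration step).
All sample events below are constructed; field names are assumed."""
import re
from dataclasses import dataclass

# Interpreters that typically back a reverse shell on macOS.
SHELL_NAMES = {"sh", "bash", "zsh", "dash", "ksh"}
# Hosts to which ZIP uploads are expected (constructed allowlist).
UPLOAD_ALLOWLIST = {"files.corp.example"}
# Local-file header signature of a ZIP archive.
ZIP_MAGIC = b"PK\x03\x04"
ZIP_CONTENT_TYPES = {"application/zip", "application/x-zip-compressed"}


@dataclass
class Alert:
    rule: str
    detail: str


def is_private(ip: str) -> bool:
    """RFC 1918 / loopback check, so LAN traffic does not trigger rule (1)."""
    if ip.startswith(("10.", "192.168.", "127.")):
        return True
    return re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip) is not None


def detect_reverse_shell(proc_events):
    """proc_events: dicts with keys process, parent, remote_ip, remote_port.
    Flags shell processes that own a socket to a non-private address."""
    alerts = []
    for ev in proc_events:
        if ev["process"] in SHELL_NAMES and not is_private(ev["remote_ip"]):
            alerts.append(Alert(
                "reverse_shell",
                f"{ev['process']} (parent {ev['parent']}) -> "
                f"{ev['remote_ip']}:{ev['remote_port']}"))
    return alerts


def detect_zip_exfil(http_events):
    """http_events: dicts with keys method, host, content_type, size,
    body_prefix (bytes). Flags uploads of ZIP content to unexpected hosts;
    the magic-byte check catches archives sent with a generic content type."""
    alerts = []
    for ev in http_events:
        if ev["method"] not in ("POST", "PUT"):
            continue
        looks_zip = (ev["body_prefix"].startswith(ZIP_MAGIC)
                     or ev["content_type"] in ZIP_CONTENT_TYPES)
        if looks_zip and ev["host"] not in UPLOAD_ALLOWLIST:
            alerts.append(Alert(
                "zip_upload",
                f"{ev['method']} to {ev['host']} ({ev['size']} bytes, "
                f"content-type {ev['content_type']})"))
    return alerts


# Constructed sample telemetry (203.0.113.0/24 is the RFC 5737 documentation range).
SAMPLE_PROC = [
    {"process": "bash", "parent": "Licatrade", "remote_ip": "203.0.113.10", "remote_port": 4443},
    {"process": "ssh", "parent": "Terminal", "remote_ip": "203.0.113.11", "remote_port": 22},
    {"process": "zsh", "parent": "Terminal", "remote_ip": "192.168.1.5", "remote_port": 8080},
]
SAMPLE_HTTP = [
    {"method": "POST", "host": "203.0.113.20", "content_type": "application/octet-stream",
     "size": 48213, "body_prefix": b"PK\x03\x04\x14\x00"},
    {"method": "POST", "host": "files.corp.example", "content_type": "application/zip",
     "size": 1024, "body_prefix": b"PK\x03\x04\x0a\x00"},
    {"method": "GET", "host": "203.0.113.20", "content_type": "",
     "size": 0, "body_prefix": b""},
    {"method": "POST", "host": "api.example.org", "content_type": "application/json",
     "size": 57, "body_prefix": b'{"status":1}'},
]


def run(proc_events=SAMPLE_PROC, http_events=SAMPLE_HTTP):
    """Apply both rules and return the combined alert list."""
    return detect_reverse_shell(proc_events) + detect_zip_exfil(http_events)


if __name__ == "__main__":
    for alert in run():
        print(f"[{alert.rule}] {alert.detail}")
```

Rule (1) deliberately keys on the shell process rather than on a port, since the page gives no port and a reverse shell can use any; rule (2) matches on the ZIP magic bytes as well as the declared content type, because an exfiltration tool is under no obligation to label its upload honestly. Both rules are starting points to tune against a fleet's normal behaviour, not a substitute for the certificate revocation and app-provenance checks mentioned elsewhere in the article.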

“The numerous campaigns run by this group show how much effort they’ve expended over the last year to compromise Mac users doing online trading. We still aren’t sure how someone becomes a victim, downloading one of the trojanized applications, but the hypothesis of the operators directly contacting their targets and socially engineering them into installing the malicious application seems the most plausible,” ESET concludes.

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Related: Mac Malware Poses as Trading App

Related: ThiefQuest Mac Malware Includes Ransomware, Data Theft Capabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
