Security researchers at ESET have identified a new campaign targeting Mac users with trojanized cryptocurrency trading apps designed to deliver the GMERA malware.
Previous attacks involving this malware family were observed leveraging malicious versions of the trading app Stockfolio, and security researchers also associated the GMERA Trojan with the activities of North Korean hackers.
Recently identified campaigns featuring the malware involved the use of several websites that distributed malicious applications claiming to provide cryptocurrency trading capabilities.
The cybercriminals built their malicious programs by repackaging the legitimate Kattana trading application with their malware. Four different brandings were used in the observed campaigns, namely Cointrazer, Cupatrade, Licatrade and Trezarus.
The GMERA Trojan was designed to steal various types of information from the compromised machines, including browser cookies, cryptocurrency wallets, and even screenshots.
More recent versions of macOS, however, limit the attackers’ ability to take screenshots by requiring the user’s explicit consent before a screenshot can be captured. The hackers have not tried to circumvent that limitation, ESET notes.
How exactly the attackers promote their malicious applications is still uncertain. Most likely the hackers use social engineering to trick users into installing the malware: in March, Kattana issued an alert about hackers contacting victims individually to lure them into downloading the trojanized apps.
“Copycat websites are set up to make the bogus application download look legitimate. For a person who doesn’t know Kattana, the websites do look legitimate,” ESET notes.
The cybercriminals also used digital certificates to sign their applications, and it appears that they acquired the certificates specifically for these attacks. Apple has already removed the offending certificates.
GMERA uses reverse shell backdoors to let the operators interact with infected machines. The malware also uses HTTP to communicate with its command and control (C&C) server, but no commands were seen being issued over that channel; all of them were delivered through the reverse shells.
The attackers only exfiltrate data from systems they consider of interest. Files selected for exfiltration are compressed into a ZIP archive and sent over HTTP to a server controlled by the attackers.
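As an added defender-side example (not taken from ESET's report or from the original article), the Python below sketches how the two behaviours just described, a shell bound to a network socket that was spawned by an application bundle and a sizeable ZIP archive posted over HTTP, can be surfaced from endpoint and proxy telemetry. The record formats, field names, process paths, host names and IP addresses are all constructed for illustration and do not describe any real infrastructure or any specific detection product.

```python
"""Two behavioural heuristics for the GMERA-style tradecraft described in the
article: (1) a reverse shell launched from a trojanized GUI application and
(2) bulk exfiltration of a ZIP archive over HTTP.

All records below are constructed sample telemetry, not real data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

SHELLS = {"sh", "bash", "zsh"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive


@dataclass
class ProcEvent:
    pid: int
    name: str               # executable name of the new process, e.g. "bash"
    parent_path: str        # full path of the parent executable
    stdio_on_socket: bool   # stdin/stdout of the process are a network socket
    remote: str             # "ip:port" of that socket, or "" if none


@dataclass
class HttpRequest:
    pid: int
    method: str
    host: str
    content_type: str
    body_prefix: bytes      # first bytes of the request body
    body_len: int


def is_app_bundle(path: str) -> bool:
    """True for executables living inside a macOS .app bundle under /Applications."""
    return "/Applications/" in path and ".app/" in path


def detect_reverse_shell(events: Iterable[ProcEvent]) -> List[str]:
    """A shell whose standard I/O is a network socket, launched by a GUI app bundle,
    is the classic shape of a reverse shell: a trading app has no reason to do this.
    Shells spawned by sshd or a terminal emulator do not match and stay silent."""
    findings = []
    for e in events:
        if e.name in SHELLS and e.stdio_on_socket and is_app_bundle(e.parent_path):
            findings.append(f"pid {e.pid}: {e.name} from {e.parent_path} bound to {e.remote}")
    return findings


def detect_zip_exfil(requests: Iterable[HttpRequest],
                     allowed_hosts: Set[str],
                     min_len: int = 1024) -> List[str]:
    """Flag HTTP POSTs whose body is a ZIP archive (by magic bytes or declared
    content type) and is at least min_len bytes, unless the destination is an
    explicitly approved upload host."""
    findings = []
    for r in requests:
        looks_zip = r.body_prefix.startswith(ZIP_MAGIC) or r.content_type == "application/zip"
        if r.method == "POST" and looks_zip and r.body_len >= min_len and r.host not in allowed_hosts:
            findings.append(f"pid {r.pid}: POST {r.body_len} bytes of ZIP data to {r.host}")
    return findings


# Constructed sample telemetry (documentation-range IPs, made-up paths and hosts).
SAMPLE_PROC_EVENTS = [
    ProcEvent(501, "bash", "/Applications/Licatrade.app/Contents/MacOS/Licatrade", True, "203.0.113.10:25733"),
    ProcEvent(502, "zsh", "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", False, ""),
    ProcEvent(503, "bash", "/usr/sbin/sshd", True, "198.51.100.7:51022"),
]

ALLOWED_UPLOAD_HOSTS = {"files.corp.example"}

SAMPLE_HTTP_REQUESTS = [
    HttpRequest(501, "POST", "203.0.113.10", "application/octet-stream", b"PK\x03\x04\x14\x00", 48213),
    HttpRequest(777, "GET", "example.com", "", b"", 0),
    HttpRequest(778, "POST", "files.corp.example", "application/zip", b"PK\x03\x04", 200000),
    HttpRequest(779, "POST", "api.example.net", "application/json", b'{"a":1}', 2048),
]


def run_demo() -> dict:
    """Run both heuristics over the constructed sample data and return the findings."""
    return {
        "reverse_shell": detect_reverse_shell(SAMPLE_PROC_EVENTS),
        "zip_exfil": detect_zip_exfil(SAMPLE_HTTP_REQUESTS, ALLOWED_UPLOAD_HOSTS),
    }


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

Only the shell spawned by the sample `Licatrade.app` process and the ZIP POST to the unapproved address are reported; the sshd child shell, the interactive Terminal shell and the archive sent to the approved upload host are left alone. In practice the process events would come from an EDR or an Endpoint Security framework client and the HTTP records from a proxy, and the allowlist of upload hosts would be maintained per environment.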
“The numerous campaigns run by this group show how much effort they’ve expended over the last year to compromise Mac users doing online trading. We still aren’t sure how someone becomes a victim, downloading one of the trojanized applications, but the hypothesis of the operators directly contacting their targets and socially engineering them into installing the malicious application seems the most plausible,” ESET concludes.