More Fake Cryptocurrency Apps Deliver GMERA Malware to Mac Users

Security researchers at ESET have identified a new campaign targeting Mac users with trojanized cryptocurrency trading apps designed to deliver the GMERA malware.

Previous attacks involving this malware family were observed leveraging malicious versions of the trading app Stockfolio, and security researchers also associated the GMERA Trojan with the activities of North Korean hackers.

Recently identified campaigns featuring the malware involved the use of several websites that distributed malicious applications claiming to provide cryptocurrency trading capabilities.

The cybercriminals built their malicious programs from the legitimate Kattana trading application, repackaging it together with their malware. Four different brandings were used in the observed campaigns, namely Cointrazer, Cupatrade, Licatrade and Trezarus.

The GMERA Trojan was designed to steal various types of information from the compromised machines, including browser cookies, cryptocurrency wallets, and even screenshots.

More recent versions of macOS, however, limit the attackers’ ability to take screenshots by requiring the user’s explicit consent before the capture can complete. The hackers have not attempted to circumvent that limitation, ESET notes.

What remains uncertain is exactly how the attackers are promoting their malicious applications. Most likely the hackers are using social engineering to trick users into installing the malware. In March, Kattana issued an alert about hackers contacting victims individually to lure them into downloading the trojanized apps.

“Copycat websites are set up to make the bogus application download look legitimate. For a person who doesn’t know Kattana, the websites do look legitimate,” ESET notes.

The cybercriminals also used digital certificates to sign their applications, and it appears that they acquired the certificates specifically for these attacks. Apple has already removed the offending certificates.

GMERA uses reverse shell backdoors to allow interaction with the operators. The malware also uses HTTP to communicate with the command and control (C&C) server, but no commands were seen being issued over this channel; all of them were delivered through the reverse shells.

The attackers only proceed to exfiltrate data from systems they consider of interest. Files selected for exfiltration are compressed into a ZIP archive and sent over HTTP to a server controlled by the attackers.

“The numerous campaigns run by this group show how much effort they’ve expended over the last year to compromise Mac users doing online trading. We still aren’t sure how someone becomes a victim, downloading one of the trojanized applications, but the hypothesis of the operators directly contacting their targets and socially engineering them into installing the malicious application seems the most plausible,” ESET concludes.

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Related: Mac Malware Poses as Trading App

Related: ThiefQuest Mac Malware Includes Ransomware, Data Theft Capabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
