A new trojan attack using malware called GMERA is targeting cryptocurrency traders who use trading applications on Apple’s macOS.
The internet security company ESET found that the malware comes integrated into legitimate-looking cryptocurrency trading applications and tries to steal users’ crypto funds from their wallets.
Copying the actual applications
The malware operators have integrated GMERA into the original macOS cryptocurrency trading application Kattana. They have also copied the company's website and are promoting four new copycat applications — Cointrazer, Cupatrade, Licatrade and Trezarus — that come packed with the malware.
The fake websites have a download button which is linked to a ZIP archive containing the trojanized version of the app. According to ESET, these applications have full support for trading functionalities.
The malware in a nutshell
To analyze the malware, researchers tested samples from Licatrade, which they said has minor differences compared to the malware on other applications but still functions the same way.
The trojan installs a shell script on the victim's computer that gives the operators access to the user's system through the application. The shell script then sets up command-and-control communication, also called C&C or C2, over HTTP between the attackers' servers and the victim's system. These C2 servers let the attackers communicate consistently with the compromised machine.
GMERA malware steals information such as user names, cryptocurrency wallets, location and screen captures from the users’ system.