GMERA Trojan Targets MacOS Users To Steal Cryptocurrencies


Malicious cryptocurrency trading software and applications designed for Apple's operating system have been spotted recently by ESET researchers, who detailed their findings in a blog post on Thursday. The applications are being offered online as versions of legitimate trading software, such as those developed by Kattana, an organization that has created a desktop terminal app for crypto trades. Most of the legitimate Kattana terminal was left intact, including a login mechanism required by the app to link wallets and trading.

Four trojanized versions of the Kattana app have been found so far: Cointrazer, Cupatrade, Licatrade, and Trezarus. These apps facilitate trading but also include a Gmera installer bundled in the software. After the program is opened, Gmera first connects to a command-and-control (C2) server over HTTP and then opens remote terminal sessions to another C2 at a hardcoded IP address. A shell script is used to create the C2 connection and to maintain persistence by installing a Launch Agent.
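As an added defensive example (not code from the ESET report or from this article), the check below parses a macOS LaunchAgent property list and flags the persistence pattern described above: an agent that starts automatically, runs a shell command line, and carries a hardcoded IP address or a hidden script. Both sample agents, their labels, paths and the 192.0.2.10 address are constructed placeholders, not indicators from the actual campaign.

```python
import plistlib
import re
from typing import Dict, List

SHELLS = {"sh", "bash", "zsh"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample agents; label, path and IP are placeholders, not real Gmera values.
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.placeholder-agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/Shared/.agent.sh 192.0.2.10 443</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def analyze_launch_agent(data: bytes) -> Dict[str, object]:
    """Return the agent label, the triage findings, and a verdict.

    The heuristics mirror the persistence behaviour described in the article:
    an agent that auto-starts, invokes a shell, and references a hardcoded IP
    or a script kept in a hidden or temporary location.
    """
    plist = plistlib.loads(data)
    args: List[str] = [str(a) for a in plist.get("ProgramArguments", [])]
    auto = bool(plist.get("RunAtLoad") or plist.get("KeepAlive"))
    shell = bool(args) and args[0].rsplit("/", 1)[-1] in SHELLS
    ip = any(IPV4.search(a) for a in args)
    hidden = any("/." in a or a.startswith(("/tmp/", "/var/tmp/")) for a in args)
    findings = [name for name, hit in (
        ("starts automatically (RunAtLoad/KeepAlive)", auto),
        ("program is a shell interpreter", shell),
        ("hardcoded IPv4 literal in arguments", ip),
        ("hidden or temporary path in arguments", hidden)) if hit]
    # A shell launcher combined with a network or hidden-file indicator is what merits a look.
    return {"label": plist.get("Label"), "findings": findings,
            "suspicious": shell and (ip or hidden)}
```

Running the function over every plist under ~/Library/LaunchAgents and /Library/LaunchAgents turns this into a quick triage sweep; an auto-starting agent alone, as in the benign sample, is not flagged.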


The malware collects data from the machine and lists available Wi-Fi networks. Gmera also scans for virtual machines, checks which version of macOS is in use, and takes a screenshot. The operators skip the screenshot if Catalina is installed, because users must approve screenshots or screen recordings each time. However, errors in the malware's code mean that the screenshot is taken regardless of the OS version.

Reverse shells are used to steal browser cookies, browsing histories, and cryptocurrency wallet credentials. The certificate used to sign the software was issued by Apple on April 6 to Andrey Novoselov. The iPad and iPhone maker revoked the certificate on May 28 after being made aware of how it was being abused.