ESET detects cryptocurrency-stealing GMERA Trojan

Goldenix
4 years ago

ESET specialists have discovered the GMERA Trojan, which steals cryptocurrencies from traders. The software is distributed under the guise of cryptoasset trading applications for Apple macOS.

Cybersecurity company ESET reported that the malware is embedded in fake cryptocurrency trading applications. Once such an application is installed, it starts stealing digital assets from the user's wallets. The attackers impersonate the Kattana trading platform: they have copied the service's website and promote their software under the guise of four applications, Cointrazer, Cupatrade, Licatrade and Trezarus. The Trojan was first detected by the antivirus company Trend Micro in September 2019. At the time, GMERA was being distributed as Stockfolio, an app for stock market investments.

ESET experts reported that when a user downloads an application from the fake site, they receive a ZIP archive containing a trojanized version of the application. Moreover, these applications fully support trading functions. The experts added that a person unfamiliar with the original Kattana service may not become suspicious of the fake sites. The attackers also use social engineering, contacting potential victims directly. ESET analyzed the malware using the Licatrade application as its example; the other GMERA variants differ from it only slightly.

The Trojan installs a shell script on the victim's computer that gives the attackers access to the user's system through the downloaded application. This script sets up command-and-control (C&C) communication over HTTP, which lets the attackers interact with the victim's device. GMERA steals the user's personal data, information about their cryptocurrency wallets, their location, and screenshots. ESET reported the issue to Apple, and the company revoked Licatrade's certificate the same day.

As a reminder, in April Google removed 49 Chrome browser extensions that were distributed as utilities for working with cryptocurrency wallets but contained malicious code. Google later removed 22 more extensions that stole cryptocurrencies.
