Cloud Hosting

IT News Online Staff2020-07-17

ESET researchers have recently discovered websites distributing trojanized cryptocurrency trading applications for Mac computers. These were legitimate apps wrapped with GMERA malware, whose operators used them to steal information, such as browser cookies, cryptocurrency wallets and screen captures.

"As in previous campaigns, the malware reports to a Command & Control server over HTTP and connects remote terminal sessions to another C&C server using a hardcoded IP address," said ESET Researcher Marc-Etienne M.Lveill, who led the investigation into GMERA.

ESET said its researchers have not yet been able to find exactly where these trojanized applications are promoted. However, in March 2020, legitimate Kattana site posted a warning suggesting that victims are approached individually to lure them to download a trojanized app, thus pointing to social engineering. Copycat websites are set up to make the bogus application download look legitimate. The download button on the bogus sites is a link to a ZIP archive containing the trojanized application bundle.

In addition to the analysis of the malware code, ESET researchers have also set up honeypots (research computers) and lured GMERA malware operators to remotely control the honeypots. The researchers' aim was to reveal the motivations behind this group of criminals.

"Based on the activity we have witnessed, we can confirm that the attackers have been collecting browser information, such as cookies and browsing history, cryptocurrency wallets and screen captures," said M.Lveill.

For more technical details on the latest GMERA malicious campaign, read the full blogpost, "Mac cryptocurrency trading application rebranded, bundled with malware," on WeLiveSecurity.

More:
ESET Discovers Trojanized Mac Cryptocurrency App Collecting Wallets and Screenshots - IT News Online