ESET specialists have discovered the GMERA Trojan, which steals cryptocurrency from traders. The malware is distributed under the guise of crypto-asset trading applications for Apple macOS.
ESET, a cybersecurity company, said the malware is embedded in fake cryptocurrency trading applications. Once one of these applications is installed, the malware begins stealing digital assets from the user's wallets. The attackers impersonate the Kattana trading platform: they copied the service's website and promote their software under the guise of four applications: Cointrazer, Cupatrade, Licatrade and Trezarus. The Trojan was first discovered by the antivirus company Trend Micro in September 2019. At that time, GMERA was distributed disguised as Stockfolio, an application for stock-market investing.
ESET experts said that when a user downloads an application from one of the fake sites, they receive a ZIP archive containing a trojanized copy of the application. These trojanized applications are fully functional trading clients. The experts added that, for a person who does not use the genuine Kattana service, the fake sites may not raise suspicion. The attackers also use social engineering in direct contact with potential victims. ESET analyzed the malware using the Licatrade application as an example; the other three applications differ from it only in minor details.
The Trojan installs a shell script on the victim's computer that gives the attackers access to the user's system through the downloaded application. This script lets the attackers set up command-and-control servers reachable over HTTP, through which they exchange data with the victim's device. GMERA steals the user's personal data, information about their cryptocurrency wallets, their location, and screenshots. ESET specialists reported the problem to Apple, which revoked the code-signing certificate used for Licatrade on the same day.
Recall that in April Google removed 49 Chrome browser extensions that were distributed as utilities for working with cryptocurrency wallets but contained malicious code. Google later removed another 22 extensions that stole cryptocurrency.