Malicious Cryptocurrency Trading Apps Target MacOS Users

Account Takeover
Application Security

Researchers: Data-Stealing Malware Hidden in Spoofed Software

The legitimate Licatrade cryptocurrency trading website (left) looks similar to the Trojanized Licatrade site (right), which hides the Gmera malware. (Source ESET)

A group of spoofed cryptocurrency trading apps is targeting devices running macOS to install malware called Gmera, security firm ESET reports.

See Also: Live Webinar | Why APTs Can Be So Difficult To Find, Investigate, And Resolve

The Gmera malware, which was first spotted by security firm Trend Micro in September 2019, can steal users’ data, such as browser information, as well as their cryptocurrency wallets, according to ESET. The malicious code can also grab screenshots.

In the recent campaign that ESET found, the malware is hidden inside apps that spoof those made by the company Kattana that are used to buy and trade cryptocurrency, according to a new ESET report.

The ESET researchers say it’s unclear how these malicious apps are being spoofed or when this campaign started. Kattana, however, began warning customers in March that someone was attempting to copy the company’s apps and pass them off as legitimate.

“We still aren’t sure how someone becomes a victim, downloading one of the Trojanized applications, but the hypothesis of the operators directly contacting their targets and socially engineering them into installing the malicious application seems the most plausible,” Marc-Etienne M.Léveillé, the ESET researcher who conducted the analysis, notes in the report.

ESET researchers identified four Kattana cryptocurrency applications – Cointrazer, Cupatrade, Licatrade and Trezarus – that the malicious actors spoofed.

How the Malware Works

Once one of the spoofed apps is downloaded, the Gmera malware connects to a command-and-control server and then connects to a remote terminal session through another C&C server using a hardcoded IP address, according to the ESET report.

Once installed, the malware uses a shell script that is included in the resources of the application bundle, which sends a simple report to the C&C server and creates persistence by using a launch agent, according to the report.

The malicious actors copied much of the functionality of these four apps – including fields to input cryptocurrency wallet information and the ability to link a digital wallet to the app – which assists in stealing the data, according to the report.

Researchers also found that the fake Licatrade app was signed using a legitimate certificate issued by Apple on April 6.

The ESET team notified Apple about the abuse of the certification and it was revoked on the same day, the report notes.

The malicious actors, however, continued to abuse legitimate certificates for their fake apps. In the spoofed Cointrazer application, for example, the attackers signed their Trojanized application 15 minutes after Apple issued the certificate for the legitimate app, according to the report.

Once the malware is installed, it uses reverse shells to exfiltrate data and take screenshots, although ESET found that some of the screengrabs are not useful, which points to flaws in the malicious code, according to the report.

Similar Campaign

When Trend Micro published its report in September 2019, it found a similar campaign with the Gmera malware, which disguised itself as a legitimate Mac-based trading app called Stockfolio.

That campaign also used legitimate certificates, and Trend Micro notified Apple to have those revoked as well, according to the report.

“We advise aspiring traders to practice caution when it comes to the programs they download, especially if it comes from an unknown or suspicious website,” the Trend Micro report noted.