GMERA Trojan Does It Again; Targets MacOS Users To Steal Cryptocurrencies

Attackers keep finding new ways to target cryptocurrency wallets and steal from them. A fresh campaign was observed using trojanized cryptocurrency trading software and applications to go after the users of a genuine application.

GMERA malware targets cryptocurrency wallets

Recently, the GMERA malware authors were seen using a malicious version of the legitimate cryptocurrency trading application called Kattana in their latest attacks.
  • The GMERA malware authors wrapped the legitimate Kattana application into a malicious application.
  • They also created promotional websites to distribute malicious cryptocurrency trading applications for Mac users, rebranded under fake names such as Cointrazer, Cupatrade, Licatrade, and Trezarus.
  • The operators likely contacted their targets directly and manipulated them into installing the malicious application.
  • The malware used reverse shells to exfiltrate browser cookies, browsing histories, and cryptocurrency wallet credentials.

A brief history

This malware has been attempting to compromise Mac users involved in cryptocurrency trading for over a year.
  • GMERA malware was first observed in September 2019.
  • At that time, two variants of this malware named Trojan.MacOS.GMERA.A and Trojan.MacOS.GMERA.B were masquerading as the Stockfolio trading app to steal user information.
  • Some of the script files used in the latest campaigns were very similar to the Stockfolio samples, updated to collect additional information.

Words of caution

Users should always download applications from official sources to minimize the chance of obtaining a malicious variant. Review the permissions and resources an app requests during installation, and always use a reliable anti-malware program to stop an infection and remove the malware before it spreads further through the system.
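One way to turn the advice above into a repeatable check is to inspect a downloaded Mac application's Info.plist before launching it: confirm that the bundle identifier matches the one the genuine vendor uses, and list the privacy-sensitive resources the app declares it will ask for. The script below is an added example written for this page; it is not code from the article, from the GMERA samples, or from the Kattana project. The usage-description keys are Apple's documented Info.plist keys, but the expected bundle identifier (`com.example.tradingapp`) and the sample bundles it builds in a temporary directory are constructed placeholders. It generalizes slightly beyond the article by auditing any app bundle, not only trading software.

```python
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Info.plist keys a macOS app uses to declare the privacy-sensitive resources
# it will ask for. The key names are Apple's; which of them a trading app
# legitimately needs is an assumption made for this example.
USAGE_KEYS: Dict[str, str] = {
    "NSAppleEventsUsageDescription": "control of other apps via Apple Events",
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSContactsUsageDescription": "contacts",
    "NSCalendarsUsageDescription": "calendars",
    "NSLocationUsageDescription": "location",
}


def read_info_plist(app_path: Path) -> dict:
    """Parse Contents/Info.plist of an .app bundle (binary or XML plist)."""
    with open(app_path / "Contents" / "Info.plist", "rb") as fh:
        return plistlib.load(fh)


def audit_bundle(info: dict, expected_bundle_id: str,
                 allowed_resources: Optional[set] = None) -> Dict[str, List[str]]:
    """Compare a bundle's declared identity and resource requests with what
    the user expects from the genuine application. Returns findings per
    category; empty lists mean nothing stood out."""
    allowed = allowed_resources or set()
    findings: Dict[str, List[str]] = {"identity": [], "permissions": []}

    actual_id = info.get("CFBundleIdentifier", "")
    if actual_id != expected_bundle_id:
        findings["identity"].append(
            f"bundle identifier is {actual_id!r}, expected {expected_bundle_id!r}")

    for key, resource in USAGE_KEYS.items():
        if key in info and resource not in allowed:
            findings["permissions"].append(f"requests {resource}: {info[key]!r}")
    return findings


def write_sample_bundle(root: Path, name: str, info: dict) -> Path:
    """Create a minimal .app directory layout holding the given Info.plist.
    Only used to build constructed bundles for the demo; real bundles also
    carry Contents/MacOS/<binary> and, when signed, Contents/_CodeSignature."""
    app = root / f"{name}.app"
    (app / "Contents").mkdir(parents=True)
    with open(app / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump(info, fh)
    return app


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Audit two constructed bundles: one matching expectations, and one
    that carries a different identifier plus extra resource requests."""
    expected_id = "com.example.tradingapp"   # placeholder, not a real vendor id
    results: Dict[str, Dict[str, List[str]]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        genuine = write_sample_bundle(root, "Genuine", {
            "CFBundleIdentifier": expected_id,
            "CFBundleShortVersionString": "1.0",
        })
        rebranded = write_sample_bundle(root, "Rebranded", {
            "CFBundleIdentifier": "com.example.rebranded",
            "CFBundleShortVersionString": "1.0",
            "NSAppleEventsUsageDescription": "Needed for trading features",
            "NSMicrophoneUsageDescription": "Needed for voice alerts",
        })
        for app in (genuine, rebranded):
            results[app.name] = audit_bundle(read_info_plist(app), expected_id)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        status = "REVIEW" if any(findings.values()) else "OK"
        print(f"{name}: {status}")
        for category, items in findings.items():
            for item in items:
                print(f"  [{category}] {item}")
```

To use it on a real download, call `audit_bundle(read_info_plist(Path("/Applications/SomeApp.app")), "<vendor's bundle id>")` with the identifier taken from the vendor's own documentation or a copy obtained from the official site; a mismatch or an unexpected resource request is a reason to stop and verify the source rather than proof of malice, and the check complements, rather than replaces, Gatekeeper's signature and notarization assessment.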