Mac Malware Masquerades As Trading App To Steal Information

• Displayed as a trading app on the screen, the malware executes bundled shell scripts in the Resources directory.
• Apple said that the code signing certificate of this fake app developers was revoked back in July 2019.

An overview: The popularity of trading apps and the ability of users to trade without interacting with any personnel gives cybercriminals an opportunity to trick unsuspecting victims by faking such apps. As a result, the trapped victims are looted off their personal data.

Trend Micro researchers reported Trojan.MacOS.GMERA.A and Trojan.MacOS.GMERA.B as two variants of the same malware family. The first sample contains shell scripts that allow it to perform malicious activities by connecting to a remote site to decrypt the encrypted codes. The other instance appears to be straight-forward in its routine but is, in fact, persistent in nature and avoids detection and removal.

How the trojan operates: The researchers found that, upon execution of the app, a trading app interface appears on the screen, while it also executes bundled shell scripts in the Resources directory.

• The first sample, Trojan.MacOS.GMERA.A is a ZIP archive file containing an app bundle (Stockfoli.app) and a hidden encrypted file (.app).
• A copy of the legitimate Stockfolio version 1.4.13 signed with the malware developer’s digital certificate is included in the archive.
• The first of the scripts collects information on the infected system such as IP address, apps & files saved, and other settings to be sent to the attackers’ server. If a response is received from the server, it would be written to another hidden file.
• Malware then runs a second script that copies additional files, and also decode and delete others.
• It checks for the hidden file containing the server response and uses its content to decrypt a file that contains additional malicious routines, as Trend Micro suspects.
• The second sample, Trojan.MacOS.GMERA.B, reportedly contains a much simpler routine; its single script collects usernames and IP addresses from the infected machines and send the information to the attackers’ server.
• It drops several files and creates a simple reverse shell (on ports 25733-25736) to the command and control (C&C) server, allowing hackers to execute shell commands on the infected host.
• The sample also includes a persistence mechanism, via the creation of a property list (plist) file that creates the reverse shellcode every 10,000 seconds.

What can it do: The malware launches attack on Mac from all sides, working together with potentially unwanted programs and malicious browser extensions.

• Threat mostly infects systems of the users during accessing porn or torrent websites, downloading third-party freeware programs, installing a fake adobe player updates and similar malicious activities.
• The malware infects the browser and change the homepage by downloading malicious browser extension.
• It can disable security-related programs and make systems vulnerable to other threats
• Once inside the computer, it is capable of running a fake scan of Mac and throw fake warning messages along with voice alert.

“Given the changes we’ve seen from the malware variant’s initial iteration to its current one, we notice a trend in which the malware authors have simplified its routine and added further capabilities. It’s possible that the people behind it are looking for ways to make it more efficient – perhaps even adding evasion mechanisms in the future,” concluded the Trend Micro researchers.