Trend Micro: The Trojan.MacOS.GMERA poses as Stockfolio, a legitimate trading app, to steal user information on Mac
Trojan.MacOS.GMERA is malware disguised as a legitimate trading app for Mac. It was discovered by Trend Micro cyber security experts. The malicious software poses as Stockfolio, but contains shell scripts that allow it to perform malicious activities. To date, two variants have been discovered. The first one is a ZIP archive containing an app bundle and a hidden encrypted file. A copy of the legitimate app, signed with the malware developer’s digital certificate, is included in the archive. When executed, it displays a trading app interface, but also runs the shell scripts bundled in the Resources directory.
Which data are at risk
The first script collects a wide range of information about the infected system. This includes the username, IP address, apps in /Applications, files in ~/Documents, files in ~/Desktop, the OS installation date, file system disk space usage, graphics/display information, wireless network information, and screenshots. The stolen data is encoded and saved in a hidden file, then sent to the attackers’ server. Any response received from the server is written to another hidden file. The second script copies additional files, and decodes and deletes others. It also checks for the hidden file containing the server response and uses its content to decrypt a file that could host additional malicious routines.
The cyber security experts: There are two variants of the malware
According to the cyber security experts, the second variant of Trojan.MacOS.GMERA (the B version) also uses a copy of Stockfolio version 1.4.13 to hide its malicious intent. This variant, however, contains a much simpler routine. It executes a single script that collects the username and IP address from the infected machine and sends the information to the cybercriminals’ server. The malware also drops several files and creates a simple reverse shell (on ports 25733-25736) to the command and control (C&C) server, allowing the attackers to execute shell commands on the infected host. Finally, the sample includes a persistence mechanism: a property list (plist) file that re-creates the reverse shell every 10,000 seconds.
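The persistence mechanism described above is a launchd job plist with a fixed re-run interval. The following Python script is an added example written for this article (it is not code from Trend Micro or from the malware) showing how a defender can sweep a LaunchAgents or LaunchDaemons folder for that pattern: a script interpreter re-launched on a timer, a command that names a port in the 25733-25736 range reported for the C&C shell, or a command that touches a hidden dot-file like the ones the first variant uses for staging. The two sample jobs it builds are constructed for the demonstration; their labels, paths and script name are made up and are not real GMERA artifacts.

```python
"""Hunt launchd job plists for the persistence pattern attributed to GMERA."""
import plistlib
import re
import tempfile
from pathlib import Path

# Port range the article reports the reverse shell using.
GMERA_PORTS = range(25733, 25737)
# Re-run interval the article reports for the persistence plist (seconds).
GMERA_INTERVAL = 10000
# Interpreters a launchd job uses when it runs a script rather than an app binary.
SCRIPT_INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl"}


def inspect_launch_job(plist_bytes: bytes) -> dict:
    """Parse one launchd job plist and return the suspicious traits it shows.

    Returns {"label": str, "command": str, "findings": [str, ...]}; an empty
    findings list means nothing matched.
    """
    job = plistlib.loads(plist_bytes)
    args = [str(a) for a in job.get("ProgramArguments", [])]
    if "Program" in job:                      # "Program" is the alternative to ProgramArguments
        args = [str(job["Program"])] + args
    command = " ".join(args)
    findings = []

    interval = job.get("StartInterval")
    interpreter = Path(args[0]).name if args else ""
    # Trait 1: a script interpreter re-launched on a fixed timer, which is how
    # the article describes the plist re-creating the reverse shell.
    if interval and interpreter in SCRIPT_INTERPRETERS:
        note = f"'{interpreter}' re-run every {interval}s"
        if interval == GMERA_INTERVAL:
            note += " (matches the reported GMERA interval)"
        findings.append(note)

    # Trait 2: the command names a port in the range reported for the C&C shell.
    for port in re.findall(r"\b\d{4,5}\b", command):
        if int(port) in GMERA_PORTS:
            findings.append(f"references port {port} (reported GMERA C&C range)")

    # Trait 3: the command references a hidden (dot-prefixed) file, as the
    # article says the malware does for its staging and response files.
    if re.search(r"(?:^|/)\.[^/\s]+", command):
        findings.append("command references a hidden dot-file")

    return {"label": job.get("Label", "<no Label>"), "command": command, "findings": findings}


def scan_launch_agents(directory: Path) -> list:
    """Inspect every .plist in a folder and return only the jobs with findings."""
    hits = []
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            result = inspect_launch_job(plist_path.read_bytes())
        except (plistlib.InvalidFileException, ValueError):
            continue                           # not a valid plist: skip rather than abort the sweep
        if result["findings"]:
            result["path"] = str(plist_path)
            hits.append(result)
    return hits


# Constructed sample jobs (not real GMERA artifacts): one benign, one mimicking
# the reported persistence pattern. Labels, paths and the script name are made up.
BENIGN_JOB = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup-tool", "--quiet"],
    "StartInterval": 3600,
})
SUSPICIOUS_JOB = plistlib.dumps({
    "Label": "com.example.update",
    "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.helper.sh 25734"],
    "StartInterval": 10000,
})


def demo_scan() -> list:
    """Write the two constructed jobs to a temporary folder and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "com.example.backup.plist").write_bytes(BENIGN_JOB)
        (folder / "com.example.update.plist").write_bytes(SUSPICIOUS_JOB)
        return scan_launch_agents(folder)


if __name__ == "__main__":
    # On a real Mac, point scan_launch_agents() at ~/Library/LaunchAgents,
    # /Library/LaunchAgents and /Library/LaunchDaemons instead of the demo folder.
    for hit in demo_scan():
        print(hit["path"], hit["label"])
        for finding in hit["findings"]:
            print("  -", finding)
```

Each trait on its own is weak evidence (plenty of legitimate jobs run a shell script on a timer), which is why the script reports every matching trait per job rather than a single verdict; a job that trips all three is worth pulling for manual review along with the script it launches.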
The Trend Micro conclusions on the cybercrime malicious code
Trend Micro observed a trend in which the malware authors simplified the routine while adding further capabilities. It’s possible that the people behind it are looking for ways to make it more efficient, perhaps even adding evasion mechanisms in the future. In the meantime, the cyber security experts advise aspiring traders to practice caution when it comes to the programs they download, especially if a program comes from an unknown or suspicious website. They recommend that users only download apps from official sources to minimize the chances of downloading a malicious one.