Experts of the company ESET has discovered a Trojan GMERA stealing cryptocurrency traders. The SOFTWARE is distributed under the guise of applications for trading crypto assets on Apple MacOS.
ESET, a cybersecurity company, reported that malware is integrated into fake cryptocurrency trading applications. After installing such extensions, it starts stealing digital assets from user wallets. Attackers pose as the Kattana trading platform. They copied the service’s website and promote their SOFTWARE under the guise of four apps: Cointrazer, Cupatrade, Licatrade and Trezarus. The Trojan was first detected by the trend Micro antivirus company in September 2019. At that time, GMERA was distributed in the form of a Stockfolio app for stock market investments.
ESET experts reported that when downloading apps from a fake site, the user downloads a ZIP folder with an infected version of the app. Moreover, these applications fully support trading functions. Experts added that a person who does not use the original Kattana services, fake sites may not arouse suspicion. Hackers use social engineering by contacting potential victims directly. ESET analyzed malware using the example of the Licatrade application, with which GMERA has only minor differences.
The Trojan installs a shell script on the victim’s computer that gives hackers access to the user’s system through a downloaded application. This scenario allows attackers to create command servers over HTTP, which allows them to exchange data with the victim’s device. GMERA steals a user’s personal data, information about their cryptocurrency wallets, location, and screen shots. ESET specialists reported this problem to Apple, after which the Corporation revoked the certificate issued by Licatrade on the same day.
Recall that in April, Google removed 49 Chrome browser extensions that were distributed as utilities for working with cryptocurrency wallets, but contained malicious code. Later, Google removed another 22 extensions that steal the cryptocurrency.