Trojan.MacOS.GMERA is malware that presents itself as the Mac-based Stockfolio trading application. In reality it bundles scripts that carry out the malicious activity. So far, two versions of the malware have been detected.
The first version is a single ZIP file containing an app bundle (Stockfoli.app) and a hidden encrypted file (.app).
When the file is executed, the trading application is displayed on screen. At the same time, however, the application runs shell scripts located in its Resources directory.
The first script steals various information, such as IP addresses, installed applications, the operating system installation date, disk information, graphics/display information, wireless network information and screenshots.
The second script copies some files, decodes others and deletes still others, and performs further malicious actions.
The second version of the malware is much simpler. It uses a copy of Stockfolio version 1.4.13 to hide its malicious activity, and it relies on just one script, which steals usernames and IP addresses and sends them to the hackers.
In addition, it lets the hackers execute commands on the infected computer by installing additional files and creating a reverse shell to the command and control server (on ports 25733-25736).
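The two indicators the post describes (shell scripts dropped inside the bundle's Resources directory next to a hidden file, and a reverse shell to the C&C server on ports 25733-25736) can be checked for on a Mac with a short script. The following Python is an added example written for this page, not code from Trend Micro's report; the `netstat -an` sample lines and the on-disk layout it builds are constructed (documentation address ranges, a placeholder script), and the file and function names are assumptions.

```python
"""Constructed defender-side checks for the GMERA indicators described above."""
import os
import tempfile
from pathlib import Path

# Ports reported for the reverse shell to the C&C server (25733-25736).
GMERA_C2_PORTS = range(25733, 25737)

# Constructed sample in the column layout of `netstat -an` on macOS.
# Remote addresses are documentation ranges, not real indicators.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.52110     198.51.100.7.25734     ESTABLISHED
tcp4       0      0  192.168.1.20.52111     93.184.216.34.443      ESTABLISHED
tcp4       0      0  192.168.1.20.52112     198.51.100.7.25736     SYN_SENT
tcp4       0      0  192.168.1.20.52113     203.0.113.9.8080       ESTABLISHED
"""


def parse_netstat(text):
    """Yield (remote_host, remote_port, state) for each tcp line of netstat output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        # macOS netstat joins host and port with a dot: 198.51.100.7.25734
        host, _, port = fields[4].rpartition(".")
        if port.isdigit():
            yield host, int(port), fields[5]


def suspicious_connections(text):
    """Return connections whose remote port falls in the reported C&C port range."""
    return [(h, p, s) for h, p, s in parse_netstat(text) if p in GMERA_C2_PORTS]


def scan_extracted_archive(root):
    """Report the on-disk indicators in an extracted ZIP: hidden files beside the
    .app bundle, and shell scripts inside any bundle's Contents/Resources."""
    root = Path(root)
    findings = []
    for entry in root.iterdir():
        if entry.name.startswith(".") and entry.is_file():
            findings.append(f"hidden file next to bundle: {entry.name}")
    for resources in root.glob("*.app/Contents/Resources"):
        for item in resources.iterdir():
            if not item.is_file():
                continue
            with item.open("rb") as fh:
                head = fh.read(2)          # shebang check catches scripts without .sh
            if item.suffix == ".sh" or head == b"#!":
                findings.append(f"script in Resources: {item.relative_to(root)}")
    return findings


def build_sample_layout():
    """Create a constructed directory mimicking the first version's ZIP contents
    (hypothetical file names; the script only echoes a placeholder)."""
    root = Path(tempfile.mkdtemp(prefix="gmera_demo_"))
    resources = root / "Stockfoli.app" / "Contents" / "Resources"
    resources.mkdir(parents=True)
    (root / "Stockfoli.app" / "Contents" / "MacOS").mkdir()
    (resources / "run.sh").write_text("#!/bin/sh\necho placeholder\n")  # stand-in script
    (resources / "icon.icns").write_bytes(b"icns")                     # benign resource
    (root / ".app").write_bytes(os.urandom(32))                         # hidden blob stand-in
    return root


if __name__ == "__main__":
    for host, port, state in suspicious_connections(SAMPLE_NETSTAT):
        print(f"C&C-range connection: {host}:{port} ({state})")
    for finding in scan_extracted_archive(build_sample_layout()):
        print(finding)
```

On a live system the same `suspicious_connections` function can be fed the output of `netstat -an`, and `scan_extracted_archive` can be pointed at the directory into which the downloaded ZIP was unpacked; a hit on either check is a reason to isolate the host rather than proof of infection on its own.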
Trend Micro researchers note that the malware has changed considerably recently: the original version differs greatly from the current one. Its operators have simplified the process while adding more capabilities, so the hackers can do more damage to victims' computers, and more easily, than before. The researchers believe the hackers behind the Trojan are trying to make the malware even more effective and dangerous.