Mac users are the target of a new campaign, the Gmera Trojan malware, which aims to steal cryptocurrency from their wallets.
Trojanized cryptocurrency trading software and applications designed for Apple's operating system were recently spotted by ESET researchers, who detailed their findings in a post Thursday.
The trojanized applications are offered online as versions of legitimate trading software, such as the desktop terminal application for cryptocurrency trading developed by Kattana.
ESET is not sure about the exact vector of the attack, but it seems that social engineering is the method used to approach users. In fact, in March, Kattana issued a warning stating that users were approached to download malware. Copycat sites claiming to be versions of Kattana were also found.
"Operators are more likely to come into direct contact with their targets to persuade them to install the malicious application," say the researchers.
Four rebranded versions of the legitimate Kattana application have been identified, called Cointrazer, Cupatrade, Licatrade and Trezarus, which still allow trading but also bundle a Gmera installer into the software.
Researchers from Trend Micro published an analysis of Gmera in 2019. The malware was previously found in another Mac trading application called Stockfolio.
During execution, Gmera first connects to a command and control center (C2) via HTTP and then connects remote terminal sessions to another C2 via a hardcoded IP address.
Using the Licatrade sample as the basis for its analysis, although there are small variations between the brand names, ESET noted that a shell script is used to establish the C2 connection and to maintain persistence by installing a Launch Agent.
However, the Launch Agent is broken in Licatrade. The attackers intended the agent to run a shell script on the victim's machine that connects back to a server under their control; in the other versions of the trojanized application, the persistence mechanism works.
Most of Kattana's legitimate terminal remains intact, including the connection mechanism the application uses to link wallets and trading accounts, a feature that criminals can take advantage of to gain access to victims' wallets.
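Because the persistence described above relies on a Launch Agent that runs a shell script and points at a hardcoded server, a defender can audit the property lists in a user's LaunchAgents directory for exactly those traits. The script below is an added example, not code from ESET or from the article: the two plists are constructed for illustration, the flagged directories and the finding labels are assumptions, and nothing here is a published detection rule for Gmera.

```python
"""Audit macOS LaunchAgent plists for shell-script persistence traits.

Added example; the plist content and the heuristics are constructed
assumptions, not detection rules published by ESET or anyone else."""
import plistlib
import re
from pathlib import Path

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHELLS = {"sh", "bash", "zsh"}
# Assumption: a legitimate agent normally points at /Applications or /usr,
# not at temporary or shared directories.
UNTRUSTED_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def audit_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing notable."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # malformed XML or unrecognised plist format
        return ["plist does not parse"]
    args = list(data.get("ProgramArguments") or [])
    if "Program" in data:            # Program, when present, is the executable
        args.insert(0, data["Program"])
    if not args:
        return ["no program specified"]
    args = [str(a) for a in args]
    findings = []
    exe = Path(args[0]).name
    if exe in SHELLS or (exe == "env" and len(args) > 1 and Path(args[1]).name in SHELLS):
        findings.append("agent launches a shell interpreter directly")
    if any(a.endswith(".sh") for a in args):
        findings.append("agent runs a shell script")
    if any(a.startswith(UNTRUSTED_DIRS) for a in args):
        findings.append("agent references a temporary or shared directory")
    if IPV4.search(" ".join(args)):
        findings.append("hardcoded IPv4 address in arguments")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive (restarts if killed)")
    return findings


def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every *.plist in a directory; returns only files with findings."""
    results = {}
    for plist in sorted(directory.glob("*.plist")):
        findings = audit_agent(plist.read_bytes())
        if findings:
            results[plist.name] = findings
    return results


# Constructed sample: a shell-script agent with a TEST-NET address, as an
# illustration of the traits above (not a real Gmera artifact).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>/tmp/update.sh</string>
    <string>192.0.2.10</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: an ordinary helper agent that should produce no findings.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/helper</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print("constructed suspicious agent:", audit_agent(SUSPICIOUS_PLIST))
    print("constructed benign agent:", audit_agent(BENIGN_PLIST))
    # Real use: audit the current user's agents.
    for name, findings in audit_directory(Path.home() / "Library/LaunchAgents").items():
        print(name, "->", "; ".join(findings))
```

The heuristics are deliberately coarse: a shell interpreter or an IP literal in a Launch Agent is not proof of compromise, but each hit is cheap to review by hand, and the same audit can be pointed at `/Library/LaunchAgents` and `/Library/LaunchDaemons` for system-wide persistence.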
In the reconnaissance stage, the malware collects information about the machine and lists the available Wi-Fi networks, since a honeypot is likely to have this type of connection disabled. Gmera also checks for virtual machines and takes a screenshot to identify which version of macOS is in use.
The operators intended to skip the screenshot on Catalina, where users must approve screen recording, because a permission prompt would raise suspicion. However, errors in the malware's code mean that the screenshot is taken regardless of the operating system version.
Then the data theft begins. Shell scripts are used to export browser cookies, browser history and wallet credentials.