Cybercriminals are using rebranded cryptocurrency trading app like Kattana bundled with malware to target Apple Mac users
ESET researchers have found new instances of the GMERA malware campaign targeting Apple MacBook and macOS users. They found that the new instances had malware bundled into a legitimate-looking cryptocurrency trading App like Kattana. The malware creators are also using Apps like Cointrazer, Cupatrade, Licatrade, and Trezarus and targeted only Apple macOS users.
GMERA campaign was first noticed by Trend Micro researchers in September 2019. Their analysis found that the malware reports to a C&C server over HTTP and connects remote terminal sessions to another C&C server using a hardcoded IP address. ESET discovered that in the new samples of malware, not only did the malware authors wrap the original, legitimate application to include malware; they also rebranded the Kattana trading application with new names and copied its original website. In addition to the analysis of the malware code, ESET researchers have also set up honeypots to try to reveal the motivations behind this group of criminals.
The malware authors create a legitimate-looking Copycat website dealing in cryptocurrency. The website makes the bogus malware-laden app download look legitimate. Once, the Apple Mac user downloads and runs the App, the malware is installed. The ESET researchers say that the App then copies following Apple Mac user’s files and sends them back to the command and control server.
- Browser information (cookies, history)
- Cryptocurrency wallets
- Screen captures
The ESET researchers say that GMERA operators are attacking only the most recent version of macOS.