4 trojanised cryptocurrency-trading apps have been found spreading malware that steals from cryptocurrency ‘wallets’ & takes Mac users’ browsing data.
Mac users are now being targeted by trojanised cryptocurrency trading apps, which when downloaded drain victims’ cryptocurrency wallets, researchers have recently cautioned.
Phoney
The 4 phoney applications in question, Cointrazer, Cupatrade, Licatrade & Trezarus, claim to be rebranded copies of an actual cryptocurrency trading application offering called Kattana.
The scammers behind the campaign use websites that copy Kattana’s real website to convince unwitting cryptocurrency enthusiasts to download the fake apps. The false websites include a download button, & a link to a ZIP archive containing the trojanised application bundle.
Legitimate
“For a person who doesn’t know Kattana, the websites do look legitimate,” said Marc-Etienne M. Léveillé, senior malware researcher with ESET, in an analysis last week. “Not only did the malware authors wrap copies of the original, legitimate application to include malware; they also rebranded the Kattana trading application with new names and copied its original website.”
When downloaded, the trojanised apps use malware named GMERA to take victims’ browser information, incl. their cookies & browsing history, access & drain their cryptocurrency wallets, & take screenshots of their devices.
GMERA was discovered by researchers with Trend Micro, who in September 2019 observed the malware was being spread by means of trojanised cryptocurrency apps in a different campaign, using malicious versions of the trading app Stockfolio.
Malicious Apps
The most recent campaign has moved on to use new, re-branded apps, researchers outlined, but, “as in the previous campaigns, the malware reports to a Command & Control server over HTTP & connects remote terminal sessions to another [C2] server using a hard-coded IP address.”
The 4 apps do have small differences, but the function is generally the same, researchers observed. When researching the Licatrade sample, researchers found that the application bundle includes a shell script (run.sh), which once downloaded launches & then tries to set up persistence on the victims’ system by installing a Launch Agent.
Launch Agent
However, “it’s interesting to note that persistence is broken in the Licatrade sample: the content of the resulting Launch Agent file (.com.apple.system.plist) isn’t in Property List format as launched expects, but instead is the command line to be executed,” commented Léveillé.
The final line of the shell script sets up a reverse shell to the operators’ server. This then allows attackers to send out the various malicious commands to the malware.
Licatrade was signed using a certificate using common name field set to “Andrey Novoselov” & using developer ID M8WVDT659T. The certificate was issued by Apple on April 6, 2020, & revoked the day that researchers notified Apple of the malicious application.
Timestamps
Researchers believe that this campaign began on April 15, 2020, because that was the date on both the modification timestamps of the files in the ZIP archive, the date the application was signed, & the last‑modified HTTP header when they downloaded the archive.
Swiss-based Kattana has also warned of malicious, re-branded apps, posting a warning on Twitter suggesting that its users were “approached” individually to tempt them into downloading a “malicious copycat service” of its software.