
Tricks of the trade: Mac malware impersonates trading app


Researchers have uncovered two variants of information-stealing Mac malware that impersonates a legitimate stocks and cryptocurrency trading application.

The two variants, identified by Trend Micro as Trojan.MacOS.GMERA.A and Trojan.MacOS.GMERA.B, both include a copy of Stockfolio version 1.4.13, along with the malware author's digital certificate and various malicious components.

The first variant's components include a Mach-O (Mach object file format) executable, which launches a pair of bundled shell scripts in the Resources directory. The "plugin" shell script secretly collects victims' usernames, IP addresses, applications, files in the Documents and Desktop folders, OS installation data, file system disk space, graphic/display information, wireless network details and screenshots. It then saves that collected information in a hidden file and uploads it to a URL, along with a second hidden file if the URL responds.

The "stock" shell script, meanwhile, goes through a series of processes to ultimately decrypt and execute "appcode," a suspected malware file that likely contains additional routines. Trend Micro was unable to decrypt this file to study it further.

The second variant, upon being opened, immediately launches the shell script run.sh, which collects usernames and IP addresses using a pair of commands and then exfiltrates that information to the attackers. It also drops more files, including a persistence mechanism and malware execution logs, before creating a reverse shell that allows the malware's authors to run shell commands.
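Both variants described above rely on the same tell: plain shell scripts bundled inside an app's Contents/Resources directory, plus hidden files used to stage collected data. The following triage script is an added example written for this article (it is not Trend Micro's tooling or code from the sample); it builds a constructed, harmless bundle layout in a temporary directory and flags any Resources file that starts with a shell shebang or is a dotfile. Paths and file names are made up for the demo; point scan_bundle at a real .app to use it as a first-pass check.

```python
import os
import tempfile

# Constructed sample bundle (placeholder content, not real malware) so the
# scanner can be exercised offline.
SAMPLE_FILES = {
    "plugin": b"#!/bin/sh\nwhoami\n",            # shell script posing as a plugin
    "stock": b"#!/bin/bash\necho placeholder\n",  # second bundled script
    "icon.icns": b"\x00\x01binary-icon-data",     # ordinary resource, should not be flagged
    ".staged_output": b"collected data placeholder",  # hidden staging file
}


def build_sample_bundle(root):
    """Create <root>/sample.app/Contents/Resources with the constructed files."""
    res = os.path.join(root, "sample.app", "Contents", "Resources")
    os.makedirs(res)
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(res, name), "wb") as fh:
            fh.write(body)
    return os.path.join(root, "sample.app")


def scan_bundle(app_path):
    """Return sorted (finding_type, relative_path) tuples for suspicious
    files under Contents/Resources: hidden dotfiles and shell scripts
    (files whose first line is a #! shebang naming sh or bash)."""
    findings = []
    res = os.path.join(app_path, "Contents", "Resources")
    for dirpath, _dirnames, filenames in os.walk(res):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, app_path)
            if name.startswith("."):
                findings.append(("hidden_file", rel))
            with open(path, "rb") as fh:
                first_line = fh.read(64).split(b"\n", 1)[0]
            if first_line.startswith(b"#!") and (
                first_line.endswith(b"/sh") or b"bash" in first_line
            ):
                findings.append(("shell_script", rel))
    return sorted(findings)


def demo():
    """Build the constructed bundle, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_bundle(build_sample_bundle(tmp))


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:13s} {rel}")
```

The shebang check is deliberately narrow (sh and bash only) so that legitimate Python or Perl helper scripts in a bundle do not drown out the result; widen it if your environment never ships scripts inside app bundles at all. A hit is a reason to inspect the bundle and its code signature, not proof of compromise by itself.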

Trend Micro said Apple told its researchers that it revoked the fake app authors' code-signing certificate last July.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
