Apple macOS users are being targeted in a fresh campaign aiming to pilfer cryptocurrency from their wallets.
Trojanized cryptocurrency trading software and applications designed for Apple’s operating system have been spotted recently by ESET researchers, who detailed their findings in a blog post on Thursday.
The Trojanized applications are being offered online as versions of legitimate trading software, such as those developed by Kattana, an organization that has created a desktop terminal app for crypto trades.
ESET is not sure of the exact infection attack vector, but it does appear that social engineering is in play, especially considering Kattana’s warning in March that users were being directly approached to download malware-laden apps. Copycat websites claiming to be versions of Kattana have also been spotted.
“The hypothesis of the operators directly contacting their targets and socially engineering them into installing the malicious application seems the most plausible,” the researchers say.
Four rebranded versions of the legitimate Kattana app have been tracked so far — named Cointrazer, Cupatrade, Licatrade, and Trezarus — which do facilitate trading but also include a Gmera installer bundled in the software.
Researchers from Trend Micro published an analysis of Gmera back in 2019. The malware was previously found bundled in another Mac trading app called Stockfolio.
Upon execution, Gmera first connects to a command-and-control (C2) center over HTTP and then connects remote terminal sessions to another C2 via a hardcoded IP address.
Using the Licatrade sample as the basis for analysis — although there are slight variations in each rebranded type — ESET noted that a shell script is first deployed to create the C2 connection, as well as to maintain persistence by installing a Launch Agent.
However, the Launch Agent is broken in Licatrade. It was intended to open a reverse shell from the victim machine to an attacker-controlled server; in the other versions of the Trojanized app, the persistence mechanism works.
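The persistence described above relies on a Launch Agent plist that starts a shell script. A defender can audit the LaunchAgent directories on a Mac for that pattern. The following is an added example written for this article, not code from ESET, Kattana or the malware; the heuristics, helper names and the two sample plists are constructed for illustration.

```python
"""Heuristic review of macOS LaunchAgent plists for shell-script persistence.

Added example, not ESET's or Kattana's code. It flags agents whose
ProgramArguments run a shell interpreter with an inline command, reference a
script under a temporary or shared path, or invoke a network tool. The
thresholds and tool lists are assumptions chosen for illustration.
"""
from __future__ import annotations

import plistlib
from pathlib import Path

# Assumed heuristics: interpreters, network tools and paths worth a second look.
SHELL_BINARIES = {"sh", "bash", "zsh"}
NETWORK_TOOLS = {"nc", "ncat", "socat", "curl", "wget"}
SUSPECT_PATH_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")


def assess_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent looks suspicious (empty list = nothing flagged)."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return [f"unparseable plist: {exc}"]

    args = plist.get("ProgramArguments") or []
    program = plist.get("Program")
    if program and not args:
        args = [program]
    if not isinstance(args, list) or not args:
        return ["no Program/ProgramArguments"]

    reasons: list[str] = []
    exe = Path(str(args[0])).name
    # Shell interpreter executing an inline command string, e.g. "/bin/sh -c ..."
    if exe in SHELL_BINARIES and any(a in ("-c", "-e") for a in args[1:]):
        reasons.append(f"{exe} runs an inline command")
    # Script or binary living in a temporary or world-writable location
    if any(str(a).startswith(SUSPECT_PATH_PREFIXES) for a in args):
        reasons.append("runs a script from a temporary/shared path")
    # Any argument token naming a common network client
    tokens = {Path(t).name for t in " ".join(map(str, args)).replace("|", " ").split()}
    hit = tokens & NETWORK_TOOLS
    if hit:
        reasons.append(f"invokes network tool(s): {', '.join(sorted(hit))}")
    # Only escalate auto-start + KeepAlive when something else already looked off
    if plist.get("RunAtLoad") and plist.get("KeepAlive") and reasons:
        reasons.append("auto-starts and is kept alive")
    return reasons


def scan_launch_agents(directories=None) -> dict[str, list[str]]:
    """Walk the per-user and system LaunchAgent folders and report flagged plists."""
    if directories is None:
        directories = [Path.home() / "Library" / "LaunchAgents", Path("/Library/LaunchAgents")]
    findings: dict[str, list[str]] = {}
    for directory in directories:
        for plist_path in Path(directory).glob("*.plist"):
            reasons = assess_launch_agent(plist_path.read_bytes())
            if reasons:
                findings[str(plist_path)] = reasons
    return findings


# Constructed sample: a shell-script persistence entry of the kind described above.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string><string>/tmp/.update.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: an ordinary agent that launches an application bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.menuhelper</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/Example</string><string>--agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    print("suspect sample:", assess_launch_agent(SUSPECT_PLIST))
    print("benign sample:", assess_launch_agent(BENIGN_PLIST))
    for path, reasons in scan_launch_agents().items():
        print(path, "->", "; ".join(reasons))
```

Run on a Mac it prints every flagged plist under `~/Library/LaunchAgents` and `/Library/LaunchAgents`; a hit is a lead to inspect the referenced script and its code signature, not proof of compromise, since legitimate installers also use shell wrappers.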
Much of the legitimate Kattana terminal was left intact, including a login mechanism required by the app to link wallets and trading — a feature that the fraudsters can take advantage of to access victim wallets.
In the reconnaissance stage, the malware collects machine data and lists the available Wi-Fi networks, since analysis honeypots will likely have this form of connectivity disabled. Gmera also checks for virtual machines and takes a screenshot to see what version of macOS is in use.
The operators intended to skip the screenshot if Catalina is installed, as that release requires users to approve screenshots or screen recordings each time, so going ahead would raise a suspicious prompt. However, errors in the malware’s code mean that the screenshot is taken regardless of the OS.
“It is interesting to note how the malware operation is more limited on the most recent version of macOS,” ESET added. “We did not see the operators try to circumvent the limitation surrounding screen captures. Further, we believe that the only way that they could see the computer screen on victim machines running Catalina would be to exfiltrate existing screenshots taken by the victim.”
The data theft then begins. Reverse shells are used to exfiltrate browser cookies, browsing histories, and cryptocurrency wallet credentials.
The code-signing certificate used for the software was in the name of Andrey Novoselov and was issued by Apple on April 6. The iPad and iPhone maker revoked the certificate on May 28 after being made aware of how it was being abused.
In each campaign traced by ESET, a different macOS certificate — since revoked — was in play.
“In the case of Cointrazer, there were only 15 minutes between the moment the certificate was issued by Apple and the malefactors signing their Trojanized application,” the researchers say. “This, and the fact that we didn’t find anything else signed with the same key, suggests they got the certificate explicitly for that purpose.”