Mac Cryptocurrency Traders Targeted by Trojanized Apps

Mac Cryptocurrency Traders Targeted by Trojanized Apps

Four trojanized cryptocurrency trading apps have been found spreading malware that drains cryptocurrency wallets and collects Mac users' browsing data.

Mac users are being targeted by trojanized cryptocurrency trading apps, which once downloaded actually drain victims’ cryptocurrency wallets, researchers warn.

The four fake applications in question, Cointrazer, Cupatrade, Licatrade and Trezarus, claim to be rebranded copies of an actual cryptocurrency trading application offering called Kattana. The actors behind the campaign used websites that copy Kattana’s legitimate website to convince unwitting cryptocurrency enthusiasts to download the fake apps. The bogus websites include a download button, with a link to a ZIP archive containing the trojanized application bundle.

“For a person who doesn’t know Kattana, the websites do look legitimate,” said Marc-Etienne M. Léveillé, senior malware researcher with ESET, in an analysis last week. “Not only did the malware authors wrap [copies of] the original, legitimate application to include malware; they also rebranded the Kattana trading application with new names and copied its original website.”

Once downloaded, the trojanized apps in question deploy malware called GMERA to collect victims’ browser information (including their cookies and browsing history), access and drain their cryptocurrency wallets and take screenshots of their devices.

GMERA was previously uncovered by researchers with Trend Micro, who in September 2019 said the malware was being spread via trojanized cryptocurrency apps in a separate campaign, leveraging malicious versions of the trading app Stockfolio.

Malicious Apps

This most recent campaign has evolved to use new, rebranded apps, researchers said – however, “as in the previous campaigns, the malware reports to a [Command and Control] server over HTTP and connects remote terminal sessions to another [C2] server using a hardcoded IP address.”

The four apps in question have minor differences, but the functionalities are generally the same, researchers said. In a deep-dive of the Licatrade sample, researchers found that the application bundle includes a shell script (run.sh), which once downloaded launches and attempts to set up persistence on the victims’ system by installing a Launch Agent.

Mac cryptocurrency fake app

However, “it’s interesting to note that persistence is broken in the Licatrade sample: the content of the resulting Launch Agent file (.com.apple.system.plist) isn’t in Property List format as launchd expects, but instead is the command line to be executed,” said Léveillé.

The last line of the shell script sets up a reverse shell to the operators’ server, which then allows attackers to send out the various malicious commands to the malware.

Licatrade was signed using a certificate with the common name field set to “Andrey Novoselov” and using developer ID M8WVDT659T. The certificate was issued by Apple on April 6, 2020, and revoked the same day that researchers notified Apple of the malicious application.

Researchers believe that this campaign started on April 15, 2020, as that was the date on both the modification timestamps of the files in the ZIP archive, the date the application was signed, and the last‑modified HTTP header when they downloaded the archive.

Switzerland-based Kattana has also previously warned of malicious, rebranded apps, posting a warning on Twitter suggesting that its users were “approached” individually to lure them into downloading a “malicious copycat service” of its software.

mobile security catalina cryptocurrency cryptocurrency app cupatrade fake cryptocurrency app kattana licatrade and trezarus mac macos malicious app ointrazer

Bootstrap 5 Complete Course with Examples

Bootstrap 5 Tutorial - Bootstrap 5 Crash Course for Beginners

Nest.JS Tutorial for Beginners

Hello Vue 3: A First Look at Vue 3 and the Composition API

Building a simple Applications with Vue 3

Deno Crash Course: Explore Deno and Create a full REST API with Deno

How to Build a Real-time Chat App with Deno and WebSockets

Convert HTML to Markdown Online

HTML entity encoder decoder Online

How To Succeed In Mobile App Wireframe Design?

This article covers everything about mobile app wireframe design: what to do and what not, tools used in designing a mobile or web app wireframe, and more.

Hire Mobile App Developers in USA

AppClues Infotech is the best mobile app development company in New York that offers custom mobile app development & design services for Android and iOS.

Mobile App Development North Carolina

Mobile App Development North Carolina In the era of globalization, technology has forced the businesses and industries to jump into the space of competition. Technology has both tangible and intangible benefits that help businesses from different ind...

Top 7 Mobile App Development Companies in Delhi NCR

Looking for a Mobile app development company in Delhi NCR? Here it a list of top mobile app development companies in Delhi for Android & iOS app Development.

How many mobile app development companies are there in the USA?

WebClues Infotech is a leading website and mobile development services company. We specialize in full stack development services as well as iOS and Andriod app creation.