Newly discovered Mac malware includes copy of real share-trading app, but also steals data and carries out other malicious functions in the background
Security researchers have warned that a malware variant is making use of legitimate share-trading software to invade Mac users’ systems.
The two known variants of the malware, which Trend Micro identifies as Trojan.MacOS.GMERA.A and Trojan.MacOS.GMERA.B, both include a copy of Stockfolio, a legitimate application for trading shares and cryptocurrencies.
The malware is, however, signed with the malware developers' own code-signing certificate. Apple told Trend that the certificate involved was revoked in July of this year.
When users launch the application, it runs as expected, but a hidden app also runs in the background, Trend said.
The malware’s main known activity involves sending data from the system to a remote server, but version A also tries to execute a second application file whose purpose remains unknown, since Trend was unable to decrypt the file.
Both variants collect data from the system, including username, IP address, files in the Desktop and Documents folders and screenshots.
Version B also creates a reverse shell on the system, allowing the attacker to remotely run shell commands.
In addition, it establishes persistence on the system via a property list (plist) file, which re-creates the reverse shell every 10,000 seconds, or slightly less than three hours.
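A defender-side check for the persistence mechanism just described, added here as an example that is not part of the Trend Micro advisory: it parses a launchd-style plist and flags jobs that re-run on a long StartInterval or point at shell-like or hidden-path commands. The sample plist, its label and path are constructed for illustration and are not GMERA's real file.

```python
import plistlib
import re

# Heuristics for launch jobs resembling the GMERA.B persistence described above
# (a periodic job that re-spawns a shell). Constructed for this example; these
# are not Trend Micro's detection rules.
SHELL_PATTERNS = [
    re.compile(r"/dev/tcp/"),                      # bash network redirection
    re.compile(r"\b(bash|sh|zsh)\b[^|;]*\s-i\b"),  # interactive shell flag
    re.compile(r"\b(nc|ncat|socat)\b"),            # network tools in a launch job
]
HIDDEN_PATH = re.compile(r"/\.[^/\s]+")            # path component starting with '.'
LONG_INTERVAL = 3600                               # GMERA.B re-ran every 10,000 s


def scan_launch_plist(data: bytes) -> dict:
    """Parse one launchd plist and return its label, command and findings."""
    job = plistlib.loads(data)
    args = job.get("ProgramArguments") or []
    cmd = " ".join(str(a) for a in args) if isinstance(args, list) else str(args)
    if job.get("Program"):                         # older-style single-program key
        cmd = f"{job['Program']} {cmd}".strip()
    findings = []
    if any(p.search(cmd) for p in SHELL_PATTERNS):
        findings.append("shell_like_command")
    if HIDDEN_PATH.search(cmd):
        findings.append("hidden_path")
    interval = job.get("StartInterval")
    if isinstance(interval, int) and interval >= LONG_INTERVAL:
        findings.append(f"long_start_interval:{interval}")
    if job.get("RunAtLoad") is True:
        findings.append("run_at_load")
    return {"label": job.get("Label"), "command": cmd, "findings": findings}


# Constructed sample plist (hypothetical label and path, not GMERA's real file).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.stockupdate</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string>
         <string>/Users/Shared/.stockupdate/run.sh</string></array>
  <key>StartInterval</key><integer>10000</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    print(scan_launch_plist(SAMPLE_PLIST))
```

To sweep a live system, feed the script the bytes of each .plist under the user and system LaunchAgents and LaunchDaemons folders and review any job with a non-empty findings list.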
Trend said the alterations in version B indicate the malware’s developers are “looking for ways to make it more efficient – perhaps even adding evasion mechanisms in the future”.
The company warned users not to download applications from unknown or suspicious websites.
“We recommend that users only download apps from official sources to minimize chances of downloading a malicious one,” the firm said in its advisory.