Mac cryptocurrency trading application rebranded, bundled with malware
ESET researchers lure GMERA malware operators to remotely control their Mac honeypots
We’ve recently discovered websites distributing malicious cryptocurrency trading applications for Mac. This malware is used to steal information such as browser cookies, cryptocurrency wallets and screen captures. Analyzing the malware samples, we quickly found that this was a new campaign of what Trend Micro researchers called GMERA, in an analysis they published in September 2019. As in the previous campaigns, the malware reports to a C&C server over HTTP and connects remote terminal sessions to another C&C server using a hardcoded IP address. This time, however, not only did the malware authors wrap the original, legitimate application to include malware; they also rebranded the Kattana trading application with new names and copied its original website. We have seen the following fictitious brandings used in different campaigns: Cointrazer, Cupatrade, Licatrade and Trezarus. In addition to the analysis of the malware …
IoC
IP addresses
193.37.212.97
193.37.214.7
85.209.88.123
85.217.171.87
SHA-1 hashes (40 hex digits)
1BC8EA284F9CE5F5F68C68531A410BCC1CE54A55
2AC42D9A11B67E8AF7B610AA59AADCF1BD5EDE3B
4C688493958CC7CCCFCB246E706184DD7E2049CE
560071EF47FE5417FFF62CB5C0E33B0757D197FA
575A43504F79297CBFA900B55C12DC83C2819B46
9C0D839D1F3DA0577A123531E5B4503587D62229
AF65B1A945B517C4D8BAAA706AA19237F036F023
B8F19B02F9218A8DD803DA1F8650195833057E2C
BDBD92BFF8E349452B07E5F1D2883678658404A3
DA1FDA04D4149EBF93756BCEF758EB860D0791B0
E5D2C7FB4A64EAF444728E5C61F576FF178C5EBF
F6CD98A16E8CC2DD3CA1592D9911489BB20D1380
URLs
http://193.37.212.97
http://stepbystepby.com/link.php
https://file.io (public file-sharing service: useful for hunting in proxy logs, not safe to block on its own)
https://support-sp.apple.com/sp/product (Apple-operated endpoint: useful for hunting in proxy logs, not safe to block on its own)
E-mail address
[email protected] (address obfuscated in the page source)
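As an added example (not ESET's code and not part of the original post), the script below classifies the indicators above by type and hunts for them in three places a responder would look on a Mac: proxy logs, `netstat -an` output and a file-hash inventory. Only the indicator values come from the page; the proxy-log format, the sample log and netstat lines, the file paths and the file hashes are assumptions constructed for illustration.

```python
"""Classify the GMERA IoCs listed above and hunt for them in proxy logs,
macOS netstat output and a file-hash inventory.

Added example, not ESET's own tooling. Only the indicator values come from
the page; every log line, netstat row and file path below is constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Indicator values copied verbatim from the IoC list above.
RAW_IOCS = """
193.37.212.97
193.37.214.7
85.209.88.123
85.217.171.87
1BC8EA284F9CE5F5F68C68531A410BCC1CE54A55
2AC42D9A11B67E8AF7B610AA59AADCF1BD5EDE3B
4C688493958CC7CCCFCB246E706184DD7E2049CE
560071EF47FE5417FFF62CB5C0E33B0757D197FA
575A43504F79297CBFA900B55C12DC83C2819B46
9C0D839D1F3DA0577A123531E5B4503587D62229
AF65B1A945B517C4D8BAAA706AA19237F036F023
B8F19B02F9218A8DD803DA1F8650195833057E2C
BDBD92BFF8E349452B07E5F1D2883678658404A3
DA1FDA04D4149EBF93756BCEF758EB860D0791B0
E5D2C7FB4A64EAF444728E5C61F576FF178C5EBF
F6CD98A16E8CC2DD3CA1592D9911489BB20D1380
http://193.37.212.97
http://stepbystepby.com/link.php
https://file.io
https://support-sp.apple.com/sp/product
"""

# Legitimate services that appear in the list: worth a hunt, not a block.
NOISY_HOSTS = {"support-sp.apple.com", "file.io"}

SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def classify(raw=RAW_IOCS):
    """Split a flat IoC list into typed sets: ip, sha1, url, host."""
    out = {"ip": set(), "sha1": set(), "url": set(), "host": set()}
    for tok in (ln.strip() for ln in raw.splitlines()):
        if not tok:
            continue
        if SHA1_RE.match(tok):  # 40 hex digits: SHA-1 length
            out["sha1"].add(tok.lower())
        elif tok.startswith(("http://", "https://")):
            out["url"].add(tok)
            out["host"].add(urlparse(tok).hostname)
        else:
            out["ip"].add(str(ipaddress.ip_address(tok)))  # raises on junk
    return out


def hunt_proxy(lines, iocs):
    """Proxy rows in a constructed format: '<ts> <client> <method> <url>'.
    Matches on the URL's host so query strings and paths do not hide a hit.
    Returns (client, host, severity) per hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlparse(parts[3]).hostname
        if host in iocs["ip"] or host in iocs["host"]:
            sev = "hunt" if host in NOISY_HOSTS else "block"
            hits.append((parts[1], host, sev))
    return hits


def hunt_netstat(lines, iocs):
    """macOS 'netstat -an' rows: '<proto> <rq> <sq> <local> <foreign> <state>'.
    macOS appends the port with a dot (85.209.88.123.443), so split on the
    last dot rather than a colon. Returns (foreign_ip, port, state) per hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith("tcp"):
            continue
        foreign_ip, _, port = parts[4].rpartition(".")
        if foreign_ip in iocs["ip"]:
            hits.append((foreign_ip, port, parts[5] if len(parts) > 5 else ""))
    return hits


def hunt_hashes(inventory, iocs):
    """inventory: {path: sha1 hex}. Case-insensitive match against the hash set."""
    return sorted(p for p, h in inventory.items() if h.lower() in iocs["sha1"])


if __name__ == "__main__":
    iocs = classify()
    # Constructed sample data, not from the original page.
    proxy = [
        "2020-07-16T10:00:00Z 10.0.0.5 POST http://193.37.212.97/",
        "2020-07-16T10:00:01Z 10.0.0.5 GET http://stepbystepby.com/link.php",
        "2020-07-16T10:00:02Z 10.0.0.7 GET https://support-sp.apple.com/sp/product?cc=XXXX",
        "2020-07-16T10:00:03Z 10.0.0.9 GET https://www.example.com/",
    ]
    netstat = [
        "tcp4  0  0  10.0.0.5.50123  85.209.88.123.443  ESTABLISHED",
        "tcp4  0  0  10.0.0.5.50124  93.184.216.34.443  ESTABLISHED",
    ]
    files = {"/tmp/sample.bin": "1bc8ea284f9ce5f5f68c68531a410bcc1ce54a55",
             "/tmp/clean.bin": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}
    for hit in hunt_proxy(proxy, iocs) + hunt_netstat(netstat, iocs):
        print(hit)
    print(hunt_hashes(files, iocs))
```

The two legitimate hosts in the list are deliberately downgraded to "hunt" severity: a hit on support-sp.apple.com or file.io is a lead to correlate with the process that made the request, not grounds to block the destination. Matching on the parsed host rather than the literal URL string is what makes the apple.com entry fire even though the page lists it without a query string.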