GMERA Malware Targets Cryptocurrency Apps On MacOS

Cryptocurrency and blockchain technology are revolutionary advances. But with every transaction operated online through an application, it poses a serious threat from cyber crooks. Recently, macOS users were victimised as threat actors spoofed legitimate trading software and forced users to install them through copycat websites. The threat actors wrapped up the Kattana trading application and many other with GMERA malware letting attackers gain privileges to run nefarious activities to exfiltrate crypto data. The alarming aspect of the attack is that it is the second campaign run by the same malware!
Malware campaigns less likely target Mac systems. Windows machines are easy targets as Windows has a considerate market share as compared to Mac. Moreover, a single designed malware can affect millions of system at once by crawling through the network in Windows. And this is less likely the case with Mac systems due to less market share and comparatively low number of targets. Many people have the notion of MacOS being invulnerable to malware or notorious cyber practice. But that is not the case.
The recent attacks show that the same malware which attacked macOS a year back has again targetted the system indicating that after rectification macOS stays vulnerable.

GMERA Malware

The malware first appeared in September 2019 masquerading as a popular trading app: Stockfolio stealing user information including browsing history, cryptocurrency credentials and taking screenshots. That time two variants of the malware was in use: Trojan.MacOS.GMERA.AandTrojan.MacOS.GMERA.B.
The GMERA authors are known to infect systems by tricking users to install the malware through counterfeit applications or by tampering the legitimate applications, wrapping the malware and posing as genuine products.
The recent campaign included some of the malicious scripts seen in the Stockfolio samples with some updated in the code. Researchers said that the malware is likely to be operated by threat actors from Noth Korea.


The hackers behind the campaign use social engineering techniques to penetrate a system. Using copy cat websites to trick macOS users to download malicious trading apps. Users who don’t know Kattana, the website looked legit to them.
The legitimate Licatrade cryptocurrency trading website (left) looks similar to the Trojanized Licatrade site (right), which hides the Gmera malware.
The legitimate Licatrade cryptocurrency trading website (left) looks similar to the Trojanized Licatrade site (right), which hides the Gmera malware.
The significant reason for users falling prey to downloading the malicious applications is that the apps look legitimate and so does the website used. The hackers rebranded the Kattana trading software versions which included Cointrazer, Cupatrade, Licatrade and Trezarus.
In March, Kattana issued an alert on hackers contacting victims individually to lure them into downloading the trojanized apps.
To increase credibility, cybercriminals used digital certificates to sign their applications. Though after investigation, Apple immediately removed the certificates which the attackers acquired specifically for the attack.

Usual Drill

Upon penetration, GMERA malware first connects to the command-and-control server (C2) using HTTP for establishing communication with the attackers’ server. It also connects itself to another C2 server via a hardcoded IP address. To maintain persistency, the threat actors also installed a Launch Attack.
The operators also pull machine data and also get the available WiFi networks and scans for a virtual machine on the host system. The GMERA malware can also take screenshots to check which operating system is in action.
A limitation to the malware is that it skipped the activity of taking screenshot if Catalina is installed on the host device. This is because this version of the macOS requires explicit user permission to grab a screenshot. And this could get the users suspicious in the case of GMERA.
Relatively safer macOS: Catalina
Relatively safer macOS: Catalina
By employing reverse shell backdoors, attackers can execute a series of nefarious activities including exfiltration of browsing data and cryptocurrency wallet credentials.
If the macOS installed on the system is Catalina, GMERA malware exfiltrated the existing screenshots present on the system.
GMERA malware targets only those which are of interest and compresses them into a ZIP file and sent to the attackers’ server via HTTP.

Words of caution

  • Users should always download applications from legit sources to reduce the risks of being compromised. But also keep an eye on the websites which may legit.
  • Keep a check on the permissions you grant to the applications on your system. Don’t provide permissions needlessly. Take time and read the permissions an app asks for. A trading app doesn’t need permission to record screen!
  • Always have a genuine antivirus and always keep it updated.
The notions that MacOS is invulnerable to malware and virus attacks is wrong. Mac machines have seen a 400% increase in cyber threats from 2018. So keep ourself updated and remain safe.

- Advertisement -

Ayush Dubey
Ayush Dubey
Ayush Dubey is an engineering student from IIIT Jabalpur. He has a comprehensive background in technology. Cybersecurity being his primary field of interest. He loves to meet people who are always in a hustle to learn new things.

- Advertisement -

Latest articles

Related articles