Stockfoli information stealer for macOS disguises itself as a trading program

The malicious Stockfoli application disguises itself as a legitimate stock-trading program for macOS and steals user data.

This was reported by information security experts from Trend Micro, who studied two variants of the GMERA malware used in cyberattacks.

Researchers drew attention to a suspicious shell script detected by an antivirus scanner.

The program was not flagged as malicious because it accessed external files with legitimate extensions. After examining the sample they obtained, the experts found a ZIP archive containing the application and a hidden, encrypted .app file.

“The installation kit, identified as Trojan.MacOS.GMERA.A, included a modified copy of the legitimate stock trading application Stockfolio, signed by the malware author’s security certificate,” said Trend Micro experts.

After the program started, the user saw the interface of the trading client, while the trojan executed two scripts in the background.


The plugin script collected the victim’s username, IP address, saved screenshots, files from a number of folders, and system information. The stolen data was Base64-encoded and sent to the attackers’ server.
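The collection-and-exfiltration step above is something a defender can look for on the wire: a POST body that is nothing but a long Base64 blob which decodes to readable host information (username, IP address, host name, uname output) is a strong signal. The script below is an added illustration, not code from the article or from Trend Micro; the proxy log format, the field names and the host-information markers are assumptions, and the three log lines are constructed for the example.

```python
import base64
import binascii
import re
import string

# Constructed sample proxy log lines (not taken from the article). The format
# "<ts> <src-ip> <method> <url> body=<raw body>" is an assumption for this demo.
CONSTRUCTED_HOST_INFO = "user=alice\nip=192.0.2.10\nhost=alice-mbp\nuname=Darwin 18.7.0\n"
CONSTRUCTED_LOG = [
    "2019-09-01T10:00:00Z 192.0.2.10 POST https://update.example.test/check body=build=42",
    "2019-09-01T10:00:05Z 192.0.2.10 POST https://c2.example.test/upload body="
    + base64.b64encode(CONSTRUCTED_HOST_INFO.encode()).decode(),
    "2019-09-01T10:00:09Z 192.0.2.10 GET https://www.example.test/ body=",
]

# Strings that typically appear in stolen host inventories (assumed marker list).
HOST_INFO_MARKERS = ("user=", "ip=", "host=", "uname", "whoami", "screenshot")
# A body that is one contiguous Base64 token of at least 16 characters.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
PRINTABLE = set(string.printable)


def try_decode_base64(blob):
    """Return the decoded text if blob is valid Base64 that decodes to mostly
    printable UTF-8, otherwise None (binary or non-Base64 bodies are ignored)."""
    if not B64_RE.match(blob):
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text or sum(c in PRINTABLE for c in text) / len(text) < 0.95:
        return None
    return text


def parse_line(line):
    """Split one constructed proxy log line into its fields."""
    ts, src, method, url, rest = line.split(" ", 4)
    body = rest[len("body="):] if rest.startswith("body=") else ""
    return {"ts": ts, "src": src, "method": method, "url": url, "body": body}


def find_base64_exfil(lines):
    """Flag POST requests whose body is a Base64 blob decoding to host information."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["method"] != "POST":
            continue
        decoded = try_decode_base64(rec["body"])
        if decoded is None:
            continue
        markers = [m for m in HOST_INFO_MARKERS if m in decoded.lower()]
        if markers:
            hits.append({"ts": rec["ts"], "src": rec["src"],
                         "url": rec["url"], "markers": markers})
    return hits


if __name__ == "__main__":
    for hit in find_base64_exfil(CONSTRUCTED_LOG):
        print(hit)
```

Only the upload to the constructed C2 host is flagged; the benign POST fails the Base64 pattern and the GET is skipped. In practice the marker list and the printable-ratio threshold are the knobs to tune against the traffic of the environment being monitored.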

The stock script created a copy of the appcode folder from the malware distribution and tried to decrypt the .app file contained in the original archive. Researchers could not recover this object because the web resource that hosted the AES key was unavailable. Information security experts suggest that the file is designed to deliver an additional payload or implement other malicious functions.
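Two traits of the distribution described above, a hidden (dot-prefixed) .app entry inside the ZIP and an encrypted blob that the stock script decrypts later, can both be surfaced by a quick triage pass over the archive before anything is opened. The script below is an added example for this article, not Trend Micro's tooling: it builds a constructed ZIP with a benign-looking bundle and a hidden, high-entropy entry (the file name ".Stockfoli.app" and the entropy threshold are assumptions), then reports entries that are hidden .app items or whose byte entropy is high enough to suggest encryption.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte; uniform random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_zip(zip_bytes, entropy_threshold=7.5, min_size=256):
    """Return entries that are hidden .app items and/or look encrypted.

    entropy_threshold and min_size are assumed tuning values for this example."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = [p for p in info.filename.split("/") if p]
            hidden_app = any(p.startswith(".") and p.endswith(".app") for p in parts)
            data = b"" if info.is_dir() else zf.read(info)
            ent = shannon_entropy(data)
            reasons = []
            if hidden_app:
                reasons.append("hidden .app entry")
            if len(data) >= min_size and ent >= entropy_threshold:
                reasons.append(f"high entropy {ent:.2f} (possibly encrypted)")
            if reasons:
                findings.append({"name": info.filename, "size": len(data),
                                 "entropy": round(ent, 2), "reasons": reasons})
    return findings


def pseudo_random_bytes(n, seed=b"constructed"):
    """Deterministic high-entropy filler standing in for an encrypted payload."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_constructed_sample():
    """Constructed ZIP for the demo: a plain bundle plus a hidden encrypted-looking .app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Stockfoli.app/Contents/Info.plist",
                    '<plist version="1.0"><dict></dict></plist>\n')
        zf.writestr("Stockfoli.app/Contents/Resources/run.sh",
                    "#!/bin/sh\necho hello\n")
        # Hypothetical hidden entry name; contents mimic an AES-encrypted blob.
        zf.writestr(".Stockfoli.app", pseudo_random_bytes(4096))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_constructed_sample()):
        print(finding)
```

Run against a real archive by passing its bytes to triage_zip; the plist and shell script pass cleanly, while the hidden entry is reported for both its name and its near-8-bit entropy. Compressed media and legitimate encrypted containers will also score high, so the entropy flag is a prompt for a closer look rather than a verdict on its own.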

By searching for the certificate used to sign the malware, analysts discovered another variant, Trojan.MacOS.GMERA.B. A sample that restarted the malware shell every 10,000 seconds was uploaded to the VirusTotal portal in June this year.

“GMERA is currently under development, and its authors are testing various functions that allow them to remain on an infected computer for a long time,” say Trend Micro experts.

Apple representatives said that the developer’s certificate used by the attackers was uploaded in July this year.

Earlier, another piece of macOS malware came to light: OSX/Linker used an unpatched vulnerability in the Gatekeeper utility to run third-party code on an infected machine. So far the cybercriminals are only testing how the bug works, but information security experts believe that if Apple developers do not release a patch, fully fledged malware will soon follow.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
