The malicious Stockfoli application masquerades as a legitimate stock trading program for macOS and steals user data. This was reported by information security experts from Trend Micro, who studied two variants of the GMERA malware involved in cyberattacks.
The researchers' attention was drawn to a suspicious shell script detected by an antivirus scanner.
The program itself had not been flagged as malicious, because it accessed external files with legitimate extensions. After examining the resulting sample, the experts found a ZIP archive containing the Stockfoli.app application and a hidden, encrypted .app file.
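The archive layout described above (a visible app bundle carrying shell scripts, plus a dot-prefixed hidden .app entry) can be triaged from the ZIP directory alone, without extracting anything. The following Python script is an added example for this article, not code from Trend Micro or from the malware; the archive it inspects is constructed in memory, and the script names plugin.sh and stock.sh are assumed for the two scripts the article mentions.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Script types whose presence inside a bundle's Resources folder deserves a look.
SCRIPT_EXTENSIONS = (".sh", ".command", ".py", ".pl")


@dataclass
class ZipTriage:
    hidden_entries: list = field(default_factory=list)  # dot-prefixed (Finder-hidden) names
    app_bundles: set = field(default_factory=set)       # every *.app bundle root seen
    scripts: list = field(default_factory=list)         # script files shipped inside a bundle


def triage_zip(data: bytes) -> ZipTriage:
    """Walk the entry names of a ZIP and record hidden entries, .app bundle
    roots and script files inside bundles. Nothing is extracted or executed."""
    result = ZipTriage()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            parts = [p for p in name.split("/") if p]
            for i, part in enumerate(parts):
                if part.endswith(".app"):
                    result.app_bundles.add("/".join(parts[: i + 1]))
                if part.startswith(".") and name not in result.hidden_entries:
                    result.hidden_entries.append(name)
            if parts and parts[-1].endswith(SCRIPT_EXTENSIONS) and ".app/" in name:
                result.scripts.append(name)
    return result


def findings(t: ZipTriage) -> list:
    """Turn the raw inventory into analyst-facing reasons for a closer look."""
    reasons = []
    if len(t.app_bundles) > 1:
        reasons.append("multiple .app bundles in one archive")
    if t.hidden_entries:
        reasons.append("dot-prefixed (Finder-hidden) entries present")
    if t.scripts:
        reasons.append("shell/script files shipped inside a bundle")
    return reasons


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the layout in the report: a visible bundle
    with two shell scripts in Resources and a hidden second .app entry. All
    file contents and the hidden bundle's name are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Stockfoli.app/Contents/Info.plist", "<plist/>")
        zf.writestr("Stockfoli.app/Contents/MacOS/Stockfoli", b"placeholder-binary")
        zf.writestr("Stockfoli.app/Contents/Resources/plugin.sh", "#!/bin/sh\n")  # assumed name
        zf.writestr("Stockfoli.app/Contents/Resources/stock.sh", "#!/bin/sh\n")   # assumed name
        zf.writestr(".hidden_payload.app/Contents/MacOS/payload", b"encrypted-blob")
    return buf.getvalue()


if __name__ == "__main__":
    triage = triage_zip(build_sample_archive())
    print("bundles:", sorted(triage.app_bundles))
    print("hidden :", triage.hidden_entries)
    print("scripts:", triage.scripts)
    for reason in findings(triage):
        print("->", reason)
```

Because only `namelist()` is consulted, the check is safe to run on untrusted archives and cheap enough to apply to every macOS app download passing a mail or web gateway.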
“The installation kit, identified as Trojan.MacOS.GMERA.A, included a modified copy of the legitimate stock trading application Stockfolio, signed by the malware author’s security certificate,” Trend Micro experts said.
After the program started, the user saw the interface of the trading client while the trojan executed two scripts in the background.
The plugin script collected the victim’s username, IP address, saved screenshots, files from a number of folders, and system information. The stolen data was Base64-encoded and sent to the attacker’s server.
The stock script created a copy of the appcode folder from the malware distribution and tried to decrypt the .app file contained in the original archive. The researchers could not recover this object because the web resource hosting the AES key was unavailable. They suggest that the file is designed to deliver an additional payload or implement other malicious functions.
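Exfiltration of a Base64-encoded host profile is something a proxy or egress log can be checked for: decode POST bodies that look like Base64 and test whether the plaintext resembles collected account and network details rather than ordinary application traffic. The Python below is an added example for this article, not Trend Micro's or the malware's code; the log format, hostnames and the profile-keyword heuristic are all constructed for the example.

```python
import base64
import binascii
import re

# Constructed log format (not from the report): METHOD URL BODY, one request per line.
# The two POST bodies are built with b64encode so the sample is exactly encodable.
SAMPLE_LOG = "\n".join([
    "POST http://cdn.example-static.test/upload "
    + base64.b64encode(b"username=alice\nip=10.0.0.5\nhost=alice-mbp\nos=macOS\n").decode(),
    "GET http://news.example.test/index.html -",
    "POST http://api.example.test/v1/events "
    + base64.b64encode(b'{"event": "click", "id": 17}').decode(),
])

# Heuristics: a Base64-looking token, an IPv4 literal, and a few profile-style keys.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PROFILE_KEYS = (b"username", b"user=", b"hostname", b"host=", b"uname", b"os=")


def decode_if_base64(body: str):
    """Return the decoded bytes when the body is strict Base64, else None."""
    if not B64_RE.match(body):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_host_profile(decoded: bytes) -> bool:
    """Plaintext that names an account/host key AND carries an IPv4 address
    is treated as a collected host profile; a plain JSON event is not."""
    lowered = decoded.lower()
    has_key = any(key in lowered for key in PROFILE_KEYS)
    return has_key and IPV4_RE.search(decoded) is not None


def scan_log(text: str) -> list:
    """Return (url, decoded_plaintext) for every POST whose Base64 body
    decodes to something resembling a host profile."""
    hits = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3 or parts[0] != "POST":
            continue
        _method, url, body = parts
        decoded = decode_if_base64(body)
        if decoded is not None and looks_like_host_profile(decoded):
            hits.append((url, decoded.decode(errors="replace")))
    return hits


if __name__ == "__main__":
    for url, plaintext in scan_log(SAMPLE_LOG):
        print(f"possible host-profile exfiltration to {url}:")
        print(plaintext)
```

The second POST in the sample decodes cleanly but is left alone, which is the point of the keyword-plus-address test: Base64 by itself is everywhere in legitimate traffic, so the content of the decoded payload, not the encoding, is what should raise the alert.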
By searching for the certificate used to sign the malware, analysts discovered another strain, Trojan.MacOS.GMERA.B. A sample that restarted the malware shell every 10,000 seconds was uploaded to the VirusTotal portal in June this year.
“GMERA is currently under development, and its authors are testing various functions that allow them to remain on an infected computer for a long time,” Trend Micro experts say.
Apple representatives said that the developer’s certificate used by the attackers was uploaded in July this year.