by Luis Magisa
Unlike in the pre-internet era, when trading in the stock or commodities market involved a phone call to a broker — a move which often meant additional fees for would-be traders — the rise of trading apps placed the ability to trade in the hands of ordinary users. However, their popularity has led to their abuse by cybercriminals who create fake trading apps as lures for unsuspecting victims to steal their personal data. We recently found and analyzed an example of such an app, which had a malicious malware variant that disguised itself as a legitimate Mac-based trading app called Stockfolio.
We found two variants of the malware family. The first one contains a pair of shell scripts and connects to a remote site to decrypt its encrypted codes while the second sample, despite using a simpler routine involving a single shell script, actually incorporates a persistence mechanism.
Sample 1: Trojan.MacOS.GMERA.A
We found the first sample (detected as Trojan.MacOS.GMERA.A) while checking suspicious shell scripts that were flagged by our machine learning system. At first glance, it was challenging to directly identify its malicious behavior because the shell script references other files such as AppCode, .pass and .app. To verify that the behavior was indeed malicious, we sourced the parent file using both our infrastructure and the aggregate website VirusTotal (which had the sample but lacked detections from other major security vendors at the time of writing).
Figure 1. The suspicious shell script which was flagged by our syste ..
Support the originator by clicking the read the rest link below.
