Tricks of the trade: Mac malware impersonates trading app | SC Media


Researchers have uncovered two variants of information-stealing Mac malware that impersonates a legitimate stocks and cryptocurrency trading application.


The two variants, identified by Trend Micro as Trojan.MacOS.GMERA.A and Trojan.MacOS.GMERA.B, both include a copy of Stockfolio version 1.4.13, along with the malware author’s digital certificate and various malicious components.


The first variant’s components include a Mach-O (Mach object file format) executable, which launches a pair of bundled shell scripts in the Resources directory. The “plugin” shell script secretly collects victims’ usernames, IP addresses, applications, files in the Documents and Desktop folders, OS installation data, file system disk space, graphics/display information, wireless network details and screenshots. It then saves the collected information in a hidden file and uploads it to a URL, followed by a second hidden file if the URL responds.


The “stock” shell script, meanwhile, goes through a series of processes to ultimately decrypt and execute “appcode,” a suspected malware file that likely contains additional routines. Trend Micro was unable to decrypt this file to study it further.
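The layout described above (a Mach-O launcher that hands off to shell scripts shipped under Contents/Resources) is easy to check for when triaging a suspicious .app. The helper below is an added example, not code from the article or from Trend Micro; it assumes only POSIX sh, find, head and grep, and the codesign step is optional and only runs on macOS. The sample bundle it expects (Fake.app with a “plugin” and “stock” script) is a constructed stand-in, not the real GMERA sample.

```shell
#!/bin/sh
# Added triage helper (example code, not part of the original article or the
# Trend Micro analysis). Lists shell scripts bundled under Contents/Resources,
# a place a legitimate trading app has little reason to keep them.

# Print every regular file under <bundle>/Contents/Resources whose first line
# is a shell shebang (#!/bin/sh, #!/bin/bash, #!/usr/bin/env bash, ...).
# Only the first line is read, so Mach-O binaries, plists and images are skipped.
find_bundled_scripts() {
    bundle=$1
    res="$bundle/Contents/Resources"
    [ -d "$res" ] || return 0
    find "$res" -type f | while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null | grep -Eq '^#!.*(/sh|/bash|/zsh|env (sh|bash|zsh))'; then
            printf '%s\n' "$f"
        fi
    done
}

# Return 0 (true) when the bundle ships at least one shell script, else 1.
bundle_ships_scripts() {
    n=$(find_bundled_scripts "$1" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

# Optional on macOS: show who signed the bundle. The report notes the trojanised
# copies carried the malware author's certificate rather than the vendor's, so an
# unexpected Authority/TeamIdentifier is a second red flag. No-op elsewhere.
check_signature() {
    if command -v codesign >/dev/null 2>&1; then
        codesign -dv --verbose=2 "$1" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
    fi
}

# Usage: ./triage.sh /Applications/Stockfolio.app   (assumed path)
if [ -n "$1" ]; then
    if bundle_ships_scripts "$1"; then
        echo "scripts bundled in Resources:"
        find_bundled_scripts "$1"
    else
        echo "no shell scripts found under Contents/Resources"
    fi
    check_signature "$1"
fi
```

Finding a script this way proves nothing by itself; it tells you which files to open next. A script that enumerates ~/Documents and ~/Desktop, takes screenshots and writes dotfiles before calling curl matches the behaviour reported for the “plugin” script and warrants isolating the host.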


