Mac Malware Poses as Trading App

A Mac Trojan focused on stealing users’ information was found masquerading as a legitimate trading application, Trend Micro’s security researchers report.


Detected by Trend Micro products as Trojan.MacOS.GMERA, the software poses as the Mac-based trading app Stockfolio, but contains shell scripts that allow it to perform malicious activities. To date, two malware samples have been discovered, revealing an evolution of the threat.


The first sample is a ZIP archive file containing an app bundle (Stockfoli.app) and a hidden encrypted file (.app). A copy of the legitimate Stockfolio version 1.4.13 signed with the malware developer’s digital certificate is included in the archive.


When executed, the threat displays a trading app interface on the screen, but it also executes bundled shell scripts in the Resources directory, the researchers discovered.


The first of the scripts is in charge of collecting a broad range of information on the infected system, including username, IP address, apps in /Applications, files in ~/Documents, files in ~/Desktop, OS installation date, file system disk space usage, graphics/display information, wireless network information, and screenshots.


The collected data is encoded and saved in a hidden file, then sent to the attackers’ server. If a response is received from the server, it is written to another hidden file.


The second script executed by the malware is in charge of copying additional files, as well as decoding and deleting some others. It also checks for the hidden file containing the server response and uses its content to decrypt a file that Trend Micro suspects contains additional malicious routines.
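One hunting check that follows from the behaviour described above, added here as an illustration and not code from Trend Micro or the report: walk an .app bundle, flag shell scripts under Contents/Resources and hidden files inside or beside the bundle. The indicator names and the sample layout it builds are my own construction.

```python
import tempfile
from pathlib import Path

# Hidden names that are benign on macOS and would only add noise.
BENIGN_HIDDEN = {".DS_Store", ".localized"}


def is_shell_script(path: Path) -> bool:
    """True if the file has a .sh extension or a shell-interpreter shebang."""
    if path.suffix == ".sh":
        return True
    try:
        with path.open("rb") as fh:
            first_line = fh.readline(128)
    except OSError:
        return False
    return first_line.startswith(b"#!") and first_line.rstrip().endswith(b"sh")


def scan_bundle(app_path: str) -> list:
    """Return (indicator, path relative to the bundle's folder) pairs."""
    app = Path(app_path)
    findings = []
    resources = app / "Contents" / "Resources"
    if resources.is_dir():
        for p in resources.rglob("*"):
            if p.is_file() and is_shell_script(p):
                findings.append(("shell_script_in_resources", str(p.relative_to(app.parent))))
    # Hidden files inside the bundle, or beside it as with the sample's hidden ".app" file.
    for p in list(app.rglob(".*")) + list(app.parent.glob(".*")):
        if p.is_file() and p.name not in BENIGN_HIDDEN and not p.name.startswith("._"):
            findings.append(("hidden_file", str(p.relative_to(app.parent))))
    return findings


def build_sample_bundle(root: str) -> str:
    """Constructed layout mimicking the described archive (no real malware)."""
    app = Path(root) / "Stockfoli.app"
    resources = app / "Contents" / "Resources"
    resources.mkdir(parents=True)
    (resources / "icon.png").write_bytes(b"\x89PNG")            # benign resource
    (resources / "run").write_text("#!/bin/bash\necho collect\n")  # bundled script, no .sh suffix
    (Path(root) / ".app").write_bytes(b"\x00\x01\x02")            # hidden file beside the bundle
    return str(app)


def demo() -> list:
    """Build the constructed sample in a temp folder and scan it."""
    return scan_bundle(build_sample_bundle(tempfile.mkdtemp()))


if __name__ == "__main__":
    for indicator, path in demo():
        print(indicator, path)
```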


Also using a copy of Stockfolio version 1.4.13 to hide its malicious intent, the second s ..
