ESET researchers analyze malware in trading programs for cryptocurrencies
The notion that Mac users are not targeted by malware and cybercriminals has long been regarded as a myth among experts. ESET researchers have once again uncovered and analyzed cybercrime activity targeting the macOS operating system. The Slovak IT security experts discovered manipulated crypto trading software on fake provider websites. The programs are all clones of a legitimate application that the distributors of the malicious code bundled with the GMERA malware. To do this, the criminals misused the well-known Kattana trading software, renamed it and integrated the malware into its installer. In addition, the perpetrators copied the manufacturer's website in order to trick visitors into installing the manipulated, malicious application. So far, ESET researchers have discovered four copies of the trading software on the Internet, which were sold under the following names: Cointrazer, Cupatrade, Licatrade and Trezarus.
"The malware reports to a Command & Control server via HTTP and creates a remote terminal session with another C&C server via a hard-coded IP address," said ESET researcher Marc-Etienne M.Léveillé, who led the investigation. "The goal of the criminals is to collect sensitive user data, such as browser data, crypto wallets and desktop screenshots."
Almost identical copy of software and website
The cybercriminals copied and renamed Kattana's website and trading software. As a rule, only the logo was changed on the websites. It is still unclear how and to what extent the criminals advertised and distributed the malicious trading programs. The experts of the European IT security manufacturer suspect that the copies were offered via social engineering. One indication of this: in March 2020, the official Kattana website published a warning that victims were being approached in order to trick them into downloading a malicious application. The download button on the fake websites links to a ZIP archive containing the malicious application. None of the copies made it into the Apple Store.
More on this at ESET Welivesecurity.com