Mac Malware that Spoofs Trading App Steals User Information, Uploads it to Website
2019-09-20 • Trend Micro
Trend Micro analyzed GMERA macOS malware distributed as a fake trading application that mimicked the legitimate Stockfolio app to steal user information. One variant used shell scripts and remote decryption of encrypted code, while another incorporated a simpler routine with persistence. The malicious bundle placed a copied legitimate app inside its resources and abused code-signing differences to appear credible to victims. The activity illustrates how fake financial or trading apps can be used to deliver macOS backdoors and collect data from targeted users.
Indicators of Compromise