ESET researchers believe that the attack is either part of, or a renewal of, a malicious campaign that Trend Micro identified in September 2019.
Much of the mixed feeling associated with cryptocurrencies today can be attributed to threat actors who, from the very start, have tried to use the technology to scam innocent users.
A recent report by ESET has identified yet another such case, in which malware in the form of malicious cryptocurrency trading applications was found being distributed for Mac devices. The malware is designed to steal the following:
- Browser history & cookies
- Cryptocurrency wallets
- Images captured from the user’s screen, so the malware serves as spyware as well.
The collected data is then transmitted over HTTP to a C2 server, and the malware also connects “remote terminal sessions to another C&C server using a hardcoded IP address”.
As for the origins and details of the samples obtained, the researchers point out that this is either part of, or a renewal of, a malicious campaign named GMERA that Trend Micro identified in September 2019. The differences include new websites and a rebranding of the malicious trading application, which is a copy of the authentic platform named “Kattana”.
As of now, according to ESET’s researchers, there is no clear indication of how the attackers are targeting users, but the real Kattana tweeted on March 12, 2020, alleging that its users were being approached directly, which suggests a social engineering ploy at play.
We’ve come to know that some of our users were approached by the malicious copycat service of Kattana, located at: https://t.co/paSARVJPPZ
Please, be extra mindful about anyone who approaches you for any reason related to crypto-trading. They might be frauds.
— Kattana (@kattanatrade) March 12, 2020
Currently, four different versions of the websites, or malicious brands, have been observed: Cointrazer, Cupatrade, Licatrade, and Trezarus.
The real Kattana website.
Once the user clicks the download button, they are redirected to download a zip file that contains everything useless and harmful, but not the real trading application.
Another interesting detail is that the attackers also used signed digital certificates to enhance the legitimacy of their campaign. Thankfully, Apple has removed these as of now.
To conclude, we don’t know how many users have been affected so far. For those of you who use such applications, it is recommended that you not only check online reviews of the specific website before downloading from it but also try to obtain a checksum to verify the package you download. This will help keep you safe from such fake websites. We will keep updating you on any further developments we learn of.