ESET researchers lure GMERA malware operators to remotely control their Mac honeypots

We’ve recently discovered websites distributing malicious cryptocurrency trading applications for Mac. This time, however, not only did the malware authors wrap the original, legitimate application to include malware, they also rebranded the Kattana trading application with new names and copied its original website. As in the previous campaigns, the malware reports to a C&C server over HTTP and connects remote terminal sessions to another C&C server using a hardcoded IP address.

Analyzing the malware samples, we quickly found that this was a new campaign of what Trend Micro researchers called GMERA, in an analysis they published in September 2019. This malware is used to steal information such as browser cookies, cryptocurrency wallets and screen captures.
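The network behaviour described above (an HTTP report to one C&C server and a remote terminal session to another, both reached by hardcoded IP address) suggests a simple defender-side check: a process that opens outbound connections to IPs that no DNS answer ever returned is worth a look, and one that does so to two or more destinations matches this pattern. The following is an added example, not code from the original article or from ESET; the log format, process names, ports and addresses are all constructed for illustration (addresses come from the RFC 5737 documentation ranges).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed endpoint telemetry in an assumed format: one DNS answer or one
# outbound connection per line, in chronological order. None of these values
# come from the article; the addresses are RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    "2020-07-01T09:00:00Z dns  proc=Safari     q=example-exchange.test a=203.0.113.10",
    "2020-07-01T09:00:01Z conn proc=Safari     dst=203.0.113.10:443",
    "2020-07-01T09:00:05Z conn proc=TradingApp dst=198.51.100.23:80",
    "2020-07-01T09:00:06Z conn proc=TradingApp dst=198.51.100.77:22000",
    "2020-07-01T09:00:09Z dns  proc=TradingApp q=updates.example.test a=203.0.113.55",
    "2020-07-01T09:00:10Z conn proc=TradingApp dst=203.0.113.55:443",
]

DNS_RE = re.compile(
    r"^(?P<ts>\S+) dns\s+proc=(?P<proc>\S+)\s+q=(?P<q>\S+)\s+a=(?P<a>\S+)$"
)
CONN_RE = re.compile(
    r"^(?P<ts>\S+) conn\s+proc=(?P<proc>\S+)\s+dst=(?P<ip>[\d.]+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    proc: str
    ip: str
    port: int
    reason: str


def find_hardcoded_ip_connections(events: List[str]) -> List[Finding]:
    """Flag outbound connections whose destination IP was never seen in a
    DNS answer earlier in the log. Such connections are how a client reaches
    an address it already knew, i.e. a hardcoded one."""
    resolved: Set[str] = set()  # every IP returned by DNS so far
    findings: List[Finding] = []
    for line in events:
        dns = DNS_RE.match(line)
        if dns:
            resolved.add(dns["a"])
            continue
        conn = CONN_RE.match(line)
        if not conn:
            continue  # unknown line shape; ignore rather than guess
        ip, port = conn["ip"], int(conn["port"])
        if ip in resolved:
            continue  # reached through a name lookup; not our pattern
        reason = "outbound connection to IP never returned by DNS"
        if port == 80:
            reason += " (cleartext HTTP)"
        findings.append(Finding(conn["ts"], conn["proc"], ip, port, reason))
    return findings


def suspicious_processes(events: List[str], min_destinations: int = 2) -> Dict[str, int]:
    """Processes that talk to at least `min_destinations` distinct DNS-less
    IPs, mirroring the two-server pattern (one HTTP beacon, one terminal
    session) described in the text. Returns proc -> distinct IP count."""
    per_proc: Dict[str, Set[str]] = {}
    for f in find_hardcoded_ip_connections(events):
        per_proc.setdefault(f.proc, set()).add(f.ip)
    return {p: len(ips) for p, ips in per_proc.items() if len(ips) >= min_destinations}


if __name__ == "__main__":
    for f in find_hardcoded_ip_connections(SAMPLE_EVENTS):
        print(f"{f.ts} {f.proc} -> {f.ip}:{f.port}: {f.reason}")
    print("processes matching the two-server pattern:", suspicious_processes(SAMPLE_EVENTS))
```

Because the check keys on log order, a DNS answer that arrives after the connection (or a lookup done by another host, such as a proxy) will produce a false positive; in production this heuristic is paired with an allow-list of known raw-IP destinations and a time window rather than used alone.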