Light Dark
September 23, 2019 By David Bisson 2 min read

A new Mac malware family is masquerading as a legitimate trading app to steal victims’ data and then upload it to a website.

Trend Micro found two samples of the Mac malware family, detected as Trojan.MacOS.GMERA.A, both disguised as the Stockfolio trading app.

The first sample arrived as a .ZIP archive file that contained a copy of the Stockfolio app modified with the attackers’ own digital certificate. When executed, the variant displaced the trading app interface while it performed its malicious functions in the background. These capabilities collected users’ system information, encoded it, saved it in a hidden file and then uploaded it to hxxps://appstockfolio.com/panel/upload[.]php, a domain that was active in January and February.

The researchers used the digital certificate of the first malware sample to detect the second version. That iteration also contained an embedded copy of the Stockfolio app that used the attackers’ digital certificate, and launched the app in a similar way to disguise its malicious intents. Even so, the variant came with a simplified routine and established persistence by creating a property list (plist) file.

A Summer of Mac Malware Campaigns

Trojan.MacOS.GMERA.A isn’t the only Mac malware family that has made headlines in 2019. In June, Malwarebytes detected a threat called Bird Miner that hid within the cracked installer for Ableton Live music production software to infect Mac users with a cryptocurrency miner. Around the same time, Intego spotted malware called CrescentCore posing as Flash Player and using several evasion techniques to avoid detection. Shortly thereafter, Intego observed a threat named NewTab attempting to inject itself into the Safari browser.

How to Defend Against Trojan.MacOS.GMERA.A

Security professionals can help defend against Trojan.MacOS.GMERA.A and similar threats by creating a security awareness training program that educates employees on the tech they’re using and encourages them to download apps only from trusted developers on official app marketplaces. Security leaders should also consider investing in a mobile device management (MDM) solution that applies to internet of things (IoT) products and integrates with existing security tools.

 |  |  |  |  | 
David Bisson
Contributing Editor

More from

July 26, 2024

test img

8 min read - What is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and…

July 26, 2024

img test

7 min read - test imgWhat is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature