Trend Micro has identified a new Trojan, Trojan.MacOS.GMERA, that poses as Stockfolio, a Mac-based trading app. The app bundle contains shell scripts that carry out the malicious activity. Two samples have been discovered so far.
The first sample is a ZIP archive containing an app bundle and a hidden encrypted file. A legitimate copy of Stockfolio 1.4.13, re-signed with the malware developer's digital certificate, is included in the archive. When executed, nothing appears amiss, since the genuine app runs; the bundled shell scripts, however, also run in the background.
The first script is responsible for collecting information about the infected system: the username, IP address, the apps in /Applications, the files in /Documents and /Desktop, the OS install date, file-system disk-space usage, graphics/display information and Wi-Fi information. As if that were not enough, it also captures screenshots. The collected data is encoded, saved in a hidden file and then sent to the attacker's server.
The second script copies additional files and decodes and deletes some others. It also checks for the hidden file holding the server's response and uses its content to decrypt a file that Trend Micro suspects contains additional malicious routines.
The second sample also uses a copy of Stockfolio 1.4.13 to hide its malicious intent, but its routine is much simpler. It executes a single script that collects the username and IP address of the infected machine and sends them to the attackers' server.
It also drops several files and opens a simple reverse shell (on ports 25733-25736) to the command-and-control (C&C) server, allowing the attackers to execute shell commands on the infected host. This sample also includes a persistence mechanism: a property list (plist) file that relaunches the reverse shell every 10,000 seconds.
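The two persistence details the report gives for the second sample, a launchd plist with a 10,000-second interval and a reverse shell to ports 25733-25736, are enough to write a simple hunt over a Mac's launchd directories. The script below is an added example, not code from the article or from Trend Micro's report. It assumes the malware uses the standard `StartInterval` key and that the port number appears in the plist's `Program`/`ProgramArguments`; the article does not name the plist's label, path or command, so the sample plist embedded here is constructed, with a placeholder helper path and a TEST-NET address.

```python
"""
Added example (not from the original article or Trend Micro's report):
a small hunt over macOS launchd property lists for the two indicators the
write-up gives for the second GMERA sample, a StartInterval of 10,000 seconds
and a command that references one of ports 25733-25736.
"""
import plistlib
import re
from pathlib import Path
from typing import Dict, Iterable, List

GMERA_PORTS = {25733, 25734, 25735, 25736}   # ports named in the article
GMERA_INTERVAL = 10000                       # seconds, named in the article

# Matches a standalone number 25733..25736 inside the launched command line.
PORT_RE = re.compile(r"(?<!\d)(2573[3-6])(?!\d)")


def default_launchd_dirs() -> List[Path]:
    """Standard per-user and system-wide launchd locations on macOS."""
    return [
        Path.home() / "Library/LaunchAgents",
        Path("/Library/LaunchAgents"),
        Path("/Library/LaunchDaemons"),
    ]


def inspect_plist_bytes(data: bytes) -> List[str]:
    """Return the list of indicators found in one plist's raw contents."""
    findings: List[str] = []
    try:
        plist = plistlib.loads(data)
    except Exception:
        # A file in a LaunchAgents directory that is not a valid plist is
        # itself worth a look, so report it rather than silently skipping.
        return ["unparseable plist"]
    if not isinstance(plist, dict):
        return findings

    if plist.get("StartInterval") == GMERA_INTERVAL:
        findings.append("StartInterval == 10000")

    # The launched command lives in Program and/or ProgramArguments.
    cmd_parts = []
    if "Program" in plist:
        cmd_parts.append(str(plist["Program"]))
    cmd_parts.extend(str(a) for a in plist.get("ProgramArguments", []))
    ports = {int(p) for p in PORT_RE.findall(" ".join(cmd_parts))}
    if ports & GMERA_PORTS:
        findings.append(f"references port(s) {sorted(ports & GMERA_PORTS)}")
    return findings


def scan_dirs(dirs: Iterable[Path]) -> Dict[str, List[str]]:
    """Inspect every *.plist in the given directories; return path -> findings."""
    results: Dict[str, List[str]] = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                hits = inspect_plist_bytes(p.read_bytes())
            except OSError:
                continue
            if hits:
                results[str(p)] = hits
    return results


# Constructed sample plists for offline demonstration. The helper path and
# the 203.0.113.10 (TEST-NET) address are placeholders, not real indicators.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.example.constructed",
    "ProgramArguments": ["/bin/sh", "-c",
                         "/tmp/placeholder_helper 203.0.113.10 25735"],
    "StartInterval": 10000,
    "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/bin/true"],
    "StartInterval": 3600,
})

if __name__ == "__main__":
    print("constructed suspicious plist:", inspect_plist_bytes(SUSPICIOUS_PLIST))
    print("constructed benign plist:    ", inspect_plist_bytes(BENIGN_PLIST))
    for path, hits in scan_dirs(default_launchd_dirs()).items():
        print(path, "->", ", ".join(hits))
```

Either indicator on its own is weak (a 10,000-second interval is unusual but legitimate, and a port number can appear for benign reasons), so treat a hit as a prompt to pull the plist and the file it launches for review, and pair it with a check of live connections (for example `lsof -i :25733-25736`) on the host.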
“Given the changes we’ve seen from the malware variant’s initial iteration to its current one, we notice a trend in which the malware authors have simplified its routine and added further capabilities. It’s possible that the people behind it are looking for ways to make it more efficient – perhaps even adding evasion mechanisms in the future,” Trend Micro concludes.