Skip to content

Trojanized Mac cryptocurrency app collects wallets and screenshots, ESET Research discovers

BRATISLAVA, MONTREAL – ESET researchers have recently discovered websites distributing trojanized cryptocurrency trading applications for Mac computers. These were legitimate apps wrapped with GMERA malware, whose operators used them to steal information, such as browser cookies, cryptocurrency wallets and screen captures. In this campaign, the legitimate Kattana trading application was rebranded – including setting up copycat websites – and the malware was bundled into its installer. ESET researchers saw four names used for the trojanized app in this campaign: Cointrazer, Cupatrade, Licatrade and Trezarus.

“As in previous campaigns, the malware reports to a Command & Control server over HTTP and connects remote terminal sessions to another C&C server using a hardcoded IP address,” says ESET researcher Marc-Etienne M.Léveillé, who led the investigation into GMERA.

ESET researchers have not yet been able to find exactly where these trojanized applications are promoted. However, in March 2020, the legitimate Kattana site posted a warning suggesting that victims are approached individually to lure them to download a trojanized app, thus pointing to social engineering. Copycat websites are set up to make the bogus application download look legitimate. The download button on the bogus sites is a link to a ZIP archive containing the trojanized application bundle.

In addition to the analysis of the malware code, ESET researchers have also set up honeypots (research computers) and lured GMERA malware operators to remotely control the honeypots. The researchers’ aim was to reveal the motivations behind this group of criminals. “Based on the activity we have witnessed, we can confirm that the attackers have been collecting browser information, such as cookies and browsing history, cryptocurrency wallets and screen captures,” concludes M.Léveillé.

For more technical details on the latest GMERA malicious campaign, read the full blogpost, “Mac cryptocurrency trading application rebranded, bundled with malware,” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.


About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.



Click one of our contacts below to chat on WhatsApp