Skip to main content

GMERA Trojan

GMERA is an information stealing trojan used in attacks against cryptotrading platforms and their users.

Threat ID:
CC-3572
Category:
Trojan, Cryptocurrency
Threat Severity:
Low
Threat Vector:
Download
Published:
23 July 2020 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

GMERA is an information stealing trojan used in attacks against cryptotrading platforms and their users.

Affected platforms

The following platforms are known to be affected:

Versions: all

macOS

Threat details

Introduction

First observed in 2019, GMERA is an information-stealing trojan that targets cryptocurrency trading platforms and their users.

Delivery

GMERA is delivered asa ZIP archive file disguised as applications from a number of legitimate cryptocurrency trading platforms. At the time of publication, it is unclear how these spoof applications are distributed, although there are reports suggesting they may be hosted directly through the targeted platforms, raising the possibility that their websites may have been previously compromised.

Activities

When opened, the ZIP will install several component in the background whilst opening a browser window and navigating to the legitimate site.

These components will then attempt to extract user and system information before bas64 encoding it and sending it a command and control server. A number of the components contain additional functionality that does not appear to be working or is reliant on unreachable TOR addresses

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

IP addresses

  • 193.37.212.97
  • 193.37.214.7
  • 85.217.171.87
  • 85.209.88.123

Domains

  • apperdenta[.]com
  • cointrazer[.]com
  • creditfinelor[.]com
  • cupatrade[.]com
  • latinumtrade[.]com
  • licatrade[.]com
  • maccatreck[.]com
  • macstockfolio[.]com
  • nagsrsdfsudinasa[.]com
  • narudina[.]com
  • repbaerray[.]pw
  • stepbystepby[.]com
  • trezarus[.]com
  • trezarus[.]net
Host indicators

Filenames

  • Cointrazer.app/Contents/MacOS/Cointrazer
  • Cointrazer.app/Contents/Resources/nytyntrun.sh
  • Cointrazer.zip
  • Licatrade.app/Contents/MacOS/Licatrade
  • Licatrade.app/Contents/Resources/run.sh
  • Licatrade.zip
  • Stockfolio.app/Contents/MacOS/Stockfoli
  • Stockfolio.app/Contents/Resources/run.sh
  • Stockfolio.zip

Filepaths

  • /tmp/.fil.sh
  • /tmp/loglog
  • $HOME/Library/LaunchAgents/.com.apple.system.plist
  • $HOME/Library/LaunchAgents/.com.apple.upd.plist

Launch Agents

  • com.apple.apps.upd
  • com.apples.apps.upd

SHA1 hashes

  • 2ac42d9a11b67e8af7b610aa59aadcf1bd5ede3b
  • 4c688493958cc7cccfcb246e706184dd7e2049ce
  • 560071ef47fe5417fff62cb5c0e33b0757d197fa
  • 575a43504f79297cbfa900b55c12dc83c2819b46
  • 9c0d839d1f3da0577a123531e5b4503587d62229
  • af65b1a945b517c4d8baaa706aa19237f036f023
  • b8f19b02f9218a8dd803da1f8650195833057e2c
  • da1fda04d4149ebf93756bcef758eb860d0791b0
  • f6cd98a16e8cc2dd3ca1592d9911489bb20d1380

SHA256 hashes

  • 18e1db7c37a63d987a5448b4dd25103c8053799b0deea5f45f00ca094afe2fe7
  • 6fe741ef057d38dd6d9bbe02dacbcb4940dac6c32e0f50a641e73727d6bf60d9
  • 6f48ef0d76ce68bbca53b05d2d22031aec5ce997e7227c3dcb20809959680f11
  • 83df2f39140679a9cfb55f9c839ff8e7638ba29dba164900f9c77bb177796e03
  • be8b6549da925f285307b17c616a010a9418af70d090ed960ade575ce27c7787
  • efd5b96f489f934f2465a185e43fddf50fcde51b12a8fb91d5d93b09a21706c7
  • faa2799751582b8829c61cbfe2cbaf3e792960835884b61046778d17937520f4

Last edited: 27 July 2020 1:23 pm