Trojan.MacOS.GMERA
Trojan.MacOS.GMERA is a backdoor Trojan that can modify your file system automatically, download other threats, or collect information. Its initial configuration emphasizes harvesting system statistics and content from high-value locations such as the desktop. Mac OS users should protect themselves by keeping appropriate anti-malware products for removing Trojan.MacOS.GMERA and by avoiding unofficial installers for the Stockfolio application.
Trading Your Computer's Safety for Playing Stockbroker
The recent discovery of a new family of backdoor Trojans reveals a substantial degree of psychological manipulation. Although the Mac OS-based Trojan, Trojan.MacOS.GMERA, conducts conventional backdoor attacks, it does so under cover of another, well-known application: Stockfolio. This sleight of hand is more than superficial, as malware experts confirm that Trojan.MacOS.GMERA circulates with an edited, working version of that stock-trading software.
Samples of Trojan.MacOS.GMERA include components that name the program 'Portfoli', without the last letter, although other aspects, such as its interface, are identical. This identity theft is possible because the threat actor bundles Trojan.MacOS.GMERA with a maliciously modified variant of the program, which uses a different (currently defunct) certificate and distracts victims from the Trojan's background actions. There are at least two variants of Trojan.MacOS.GMERA: one that uses multiple shell scripts to obfuscate itself, and a second, simpler variant that includes long-term system persistence.
Whether persistent or a one-time-only threat, Trojan.MacOS.GMERA can run shell commands that it receives from its server. It also collects more than default statistics like the username or IP address: it captures screenshots of the monitor and tracks files in locations like the desktop or the documents folder. While malware researchers are hesitant to declare the overall goals of its campaign, it does drop other components with unexplored capabilities.
Keeping an Eye on the Market without Losing Your Security in the Process
It's possible that Trojan.MacOS.GMERA is selling its threat-installing and data-harvesting capabilities to other threat actors. So far, victims report varied experiences from Trojan.MacOS.GMERA infections, including changes to Web-browsing extensions, fake AV scans, and problems accessing their security tools. However, malware researchers haven't found any variants of Trojan.MacOS.GMERA for other OSes like Windows, or ones using disguises besides the bundled and altered version of Stockfolio.
Updates to Trojan.MacOS.GMERA may provoke additional issues, and the Trojan's campaign is actively adjusting its C&C network infrastructure, for unknown reasons. Mac users should double-check all installed programs for invalid certificates, which are a traditional sign of a fraudulent or maliciously modified application. Updated anti-malware solutions should remove Trojan.MacOS.GMERA automatically, although they can't recover any already-collected information.
As criminals adapt to modern-day Internet usage by changing their disguises accordingly, users must prepare for attacks tailored to their interests and needs. Having a stock-browsing application is a fine idea unless one's interest in finance outstrips one's ability to watch for signs of trickery from backdoor attackers like Trojan.MacOS.GMERA.
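One way to carry out the certificate check recommended above, as an added example that is not part of the original article: a Python script that runs Apple's codesign tool over every bundle in /Applications, classifies the verification result, and lists the signer chain so a bundle signed under an unexpected or defunct certificate stands out. The failure phrases it matches on are assumed from typical codesign output and may differ between macOS versions.

```python
#!/usr/bin/env python3
"""Audit code signatures of installed macOS apps (added example, not from the article)."""
import subprocess
from pathlib import Path

# Phrases codesign prints on failure; assumed from typical output, the exact
# wording may vary between macOS versions.
REASONS = {
    "not signed at all": "unsigned",
    "CSSMERR_TP_CERT_REVOKED": "revoked-certificate",
    "invalid signature": "modified",
    "sealed resource is missing or invalid": "modified",
}

def classify(returncode: int, stderr: str) -> str:
    """Map a `codesign --verify` exit code and message to a short verdict."""
    if returncode == 0:
        return "valid"
    for needle, verdict in REASONS.items():
        if needle in stderr:
            return verdict
    return "invalid"

def parse_authorities(display_output: str) -> list:
    """Return the signer chain (leaf certificate first) from `codesign -dvv` output."""
    return [line.split("=", 1)[1].strip()
            for line in display_output.splitlines()
            if line.startswith("Authority=")]

def verify_app(app: Path) -> tuple:
    """Run codesign twice: once to verify the bundle, once to read its signer chain."""
    check = subprocess.run(["codesign", "--verify", "--deep", "--strict", str(app)],
                           capture_output=True, text=True)
    info = subprocess.run(["codesign", "-dvv", str(app)],
                          capture_output=True, text=True)
    # codesign writes both diagnostics and the display output to stderr.
    return classify(check.returncode, check.stderr), parse_authorities(info.stderr)

def audit(root: Path = Path("/Applications")) -> dict:
    """Verdict and signer chain for every .app bundle directly under root."""
    return {app.name: verify_app(app) for app in sorted(root.glob("*.app"))}

if __name__ == "__main__":
    for name, (verdict, chain) in audit().items():
        signer = chain[0] if chain else "(no certificate chain)"
        print(f"{verdict:20s} {signer:55s} {name}")
```

Anything other than "valid" with a Developer ID chain you recognise deserves a closer look; an unsigned or differently signed copy of a familiar application is exactly the pattern described above.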