Mac users targeted by cryptocurrency scam – what to do now

person using a macbook
(Image credit: Shutterstock)

Hackers are targeting Mac users with fake cryptocurrency trading applications in order to harvest cryptocurrency from their wallets, according to one of the world's biggest antivirus companies.

Security researchers at ESET have warned of “recently discovered websites distributing malicious cryptocurrency trading applications for Mac.”

ESET claims that cybercriminals are using the compromised cryptocurrency applications to “steal information such as browser cookies, cryptocurrency wallets and screen captures.”

To trick users into downloading the malware, hackers are offering rebranded versions of the legitimate cryptocurrency trading terminal Kattana. 

In total, ESET has discovered four rebranded apps that used the following names: Cointrazer, Cupatrade, Licatrade and Trezarus.

“Copycat websites are set up to make the bogus application download look legitimate. For a person who doesn’t know Kattana, the websites do look legitimate,” wrote ESET's Marc-Etienne M.Léveillé in a blog post. “The download button on the bogus sites is a link to a ZIP archive containing the Trojanized application bundle.”

  • More: Get an extra layer of security for your Apple with a Mac VPN

Bundled Trojan 

Although these fake apps allow users to trade cryptocurrency, what they won’t realise is that the software also comes with an installer of the Gmera malware.

“Analyzing the malware samples, we quickly found that this was a new campaign of what Trend Micro researchers called GMERA, in an analysis they published in September 2019,” wrote ESET.

“As in the previous campaigns, the malware reports to a C&C [command-and-control] server over HTTP and connects remote terminal sessions to another C&C server using a hardcoded IP address."

However, the researchers noted that “not only did the malware authors wrap the original, legitimate application to include malware”, but they “rebranded the Kattana trading application with new names and copied its original website.”

Social engineering

ESET doesn’t know exactly how the perpetrators have been distributing this malware, but suggested that social engineering is a possibility. 

It said: “We have not yet been able to find exactly where these trojanized applications are promoted. However, in March 2020, Kattana posted a warning suggesting that victims were approached individually to lure them into downloading a Trojanized app. We couldn’t confirm that it was linked to this particular campaign, but it could very well be the case.”

Jake Moore, a security specialist at ESET, told Tom's Guide: "Regardless of what device or OS you use, we are seeing social engineering increase and with great force. After recent events, this is proving to be extremely damaging too.

"Furthermore, many people still wrongly assume macOS are somewhat immune to malware on their Apple devices and even smugly do not use any antivirus protection. 

"Users must never become complacent to any sort of attack and remember to always put their IT security first. Software based protection is vital but user awareness is equally important and everyone is reminded to urge caution with any unsolicited emails."

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!