Detected by Trend Micro products as Trojan.MacOS.GMERA, the software poses as the Mac-based trading app Stockfolio, but contains shell scripts that allow it to perform malicious activities. To date, two malware samples have been discovered, revealing an evolution of the threat.
The first sample is a ZIP archive file containing an app bundle (Stockfoli.app) and a hidden encrypted file (.app). A copy of the legitimate Stockfolio version 1.4.13 signed with the malware developer’s digital certificate is included in the archive.
When executed, the threat displays a trading app interface on the screen, but it also executes bundled shell scripts in the Resources directory, the researchers discovered.
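As an added defender-side example (not Trend Micro's tooling or code from the report), the following Python triage script flags the two traits described above: shell scripts under Contents/Resources, identified by shebang rather than file name, and a hidden file sitting beside the bundle. Apart from the names Stockfoli.app and .app, the bundle layout, file names and script contents are constructed stand-ins.

```python
"""Triage helper for a macOS .app bundle: flag shell scripts under Contents/Resources
and hidden dot-files beside the bundle. Added example; the sample bundle is constructed."""
import os
import tempfile

SHEBANGS = (b"#!/bin/sh", b"#!/bin/bash", b"#!/bin/zsh", b"#!/usr/bin/env")

def is_shell_script(path):
    """True if the file starts with a shell shebang (content-based, not by extension)."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(SHEBANGS)

def scan_bundle(bundle_dir):
    """Return (finding_type, path) tuples: shell scripts inside Contents/Resources
    and hidden files in the directory that contains the bundle."""
    findings = []
    resources = os.path.join(bundle_dir, "Contents", "Resources")
    for root, _dirs, files in os.walk(resources):
        for name in files:
            full = os.path.join(root, name)
            if is_shell_script(full):
                findings.append(("shell_script_in_resources", os.path.relpath(full, bundle_dir)))
    parent = os.path.dirname(bundle_dir.rstrip(os.sep))
    for name in sorted(os.listdir(parent)):
        if name.startswith(".") and os.path.isfile(os.path.join(parent, name)):
            findings.append(("hidden_file_beside_bundle", name))
    return findings

def build_sample_bundle(base):
    """Constructed layout mimicking the described archive: Stockfoli.app plus a hidden '.app'."""
    res = os.path.join(base, "Stockfoli.app", "Contents", "Resources")
    os.makedirs(res)
    with open(os.path.join(res, "run.sh"), "wb") as fh:
        fh.write(b"#!/bin/bash\necho placeholder\n")   # constructed stand-in script
    with open(os.path.join(res, "icon.icns"), "wb") as fh:
        fh.write(b"icns")                                # benign resource, must not be flagged
    with open(os.path.join(base, ".app"), "wb") as fh:
        fh.write(b"\x00\x01opaque")                      # constructed stand-in for the hidden blob
    return os.path.join(base, "Stockfoli.app")

def demo():
    """Build the constructed bundle in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_bundle(build_sample_bundle(tmp))

if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

Run it against a real bundle with `scan_bundle("/path/to/Some.app")`; a script in Resources is a lead for analysis, not proof of malice on its own.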