Using a legitimate application to hide malware is not a new phenomenon. One of the latest campaigns involves a cryptocurrency trading application rebranded under several names. Under names such as Cointrazer, Cupatrade, Licatrade, and Trezarus, the Kattana cryptocurrency trading application has been repurposed for nefarious purposes such as stealing browser cookies, cryptocurrency wallets, and screen captures. The company behind the legitimate application published a warning about lures leading users to download the trojanized application. The threat actors behind the campaign have set up copycat websites to make their applications look legitimate. The websites serve a ZIP archive that wraps the trojanized program. Researchers analyzed the Licatrade sample and found its functionality straightforward; the other samples share the same basic functionality. Last-modified dates on the files suggest the campaigns started on or around April 15, 2020. The malware sends a simple report to a C2 server over HTTP and connects to a remote host over TCP, which gives the attacker a remote shell. Persistence is accomplished via a Launch Agent. The reverse shells connect through different ports depending on how the shells were started. The TCP connections stay open and await further commands. During the analysis, the researchers observed the operators manually inspecting the compromised machine after a period of time. If a compromised system is deemed interesting, exfiltration begins: files are compressed and uploaded to another server over HTTP.
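One defensive check that follows from the Launch Agent persistence described above, added here as an example and not code from the researchers or the report: a small triage script that parses macOS Launch Agent plists with Python's plistlib and flags entries that start a shell or a temp-directory binary at login. The sample plist, its label, and the search patterns are constructed illustrations, not indicators from this campaign.

```python
"""Triage macOS Launch Agent plists for shell-at-login persistence patterns.
Added example; the sample plist and patterns are constructed, not campaign IoCs."""
import plistlib
import re
from pathlib import Path
from xml.parsers.expat import ExpatError

# Command-line patterns that deserve a closer look. Illustrative, not a complete rule set.
SUSPICIOUS_ARG_PATTERNS = [
    re.compile(r"\b(bash|sh|zsh)\b.*\s-c\b"),          # shell handed an inline script
    re.compile(r"/dev/tcp/"),                         # bash TCP redirection
    re.compile(r"\b(nc|ncat|netcat)\b"),              # command-line socket tools
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh"),     # download-and-run pipe
    re.compile(r"/(tmp|private/tmp|var/folders)/"),   # program living in a temp dir
]

def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for one Launch Agent plist (empty list = nothing odd).
    RunAtLoad/KeepAlive are common in benign agents too; weigh them with the command line."""
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return ["unparseable plist"]
    args = list(data.get("ProgramArguments") or [])
    if "Program" in data:                 # Program may be used instead of, or with, ProgramArguments
        args.insert(0, data["Program"])
    cmdline = " ".join(str(a) for a in args)
    findings = []
    if data.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at login")
    if data.get("KeepAlive"):
        findings.append("KeepAlive: relaunched if it exits")
    for pat in SUSPICIOUS_ARG_PATTERNS:
        if pat.search(cmdline):
            findings.append(f"command matches /{pat.pattern}/: {cmdline}")
    return findings

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Triage every .plist in a LaunchAgents directory, keyed by file name."""
    return {p.name: triage_launch_agent(p.read_bytes()) for p in sorted(directory.glob("*.plist"))}

# Constructed sample: an agent that runs a hidden temp-directory helper through a shell at login.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string><string>/private/tmp/.helper</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for finding in triage_launch_agent(SAMPLE_PLIST):
        print("-", finding)
```

On a live host, point `scan_launch_agents` at `~/Library/LaunchAgents` and review anything with more than one finding.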
Exposure of sensitive data