Stockfolio is an investment app for macOS that allows you to research and track interesting stocks. It is extremely easy to set up and the best way to manage and follow your investment portfolio. Track equities from around the world using realtime quotes. Get detailed charts (line and candlestick) on the price history of your stock. Watch lists allow you to monitor in realtime the stocks you own or intend to buy. Automatically keep up to date on the latest news (RSS, StockTwits and Twitter) relating to your stocks. Track open positions in your portfolio and get useful stats, such as unrealized capital gains. Requires an Intel, 64-bit processor. Latest fix: stock loading issues for certain users.

Unlike in the pre-internet era, when trading in the stock or commodities market involved a phone call to a broker, a move which often meant additional fees for would-be traders, the rise of trading apps placed the ability to trade in the hands of ordinary users. However, their popularity has led to their abuse by cybercriminals, who create fake trading apps as lures to steal the personal data of unsuspecting victims. We recently found and analyzed an example of such an app: a malware variant that disguised itself as the legitimate Mac-based trading app Stockfolio.

We found two variants of the malware family. The first contains a pair of shell scripts and connects to a remote site to obtain the key for its encrypted code, while the second, despite using a simpler routine involving a single shell script, incorporates a persistence mechanism.

We found the first sample while checking suspicious shell scripts that had been flagged by our machine learning system. At first glance it was challenging to identify the malicious behavior directly, because the shell script references other files, such as appcode, that are not part of the script itself. To verify that the behavior was indeed malicious, we sourced the parent file using both our infrastructure and the aggregate website VirusTotal (which had the sample but, at the time of writing, lacked detections from other major security vendors).

Figure 1. The suspicious shell script which was flagged by our system

The initial sample we analyzed was a zip archive that contained an app bundle (Stockfoli.app) and a hidden encrypted file (.app). Note that the app bundle name is missing the "o" at the end, whereas the legitimate app is called Stockfolio. The fake app presents itself as legitimate to trick users, but we found that it contained several malicious components.

Figure 2.

The first suspicious component we found was an app bundle under the Resources directory, which appears to be a copy of the legitimate Stockfolio version 1.4.13 but signed with the malware author's digital certificate. Comparing it to the Resources directory of the current version (1.5) from the Stockfolio website revealed a number of differences, as shown in the figure below.

Figure 3. Comparison of the app bundle folder structure between the malware variant (top) and the legitimate app (version 1.5, bottom)

When the app is executed, an actual trading app interface appears on-screen. However, unbeknownst to the user, the malware variant is already performing its malicious routines in the background.

Figure 4. Interface displayed when the malware app bundle is executed

The main Mach-O executable launches two shell scripts bundled in the Resources directory, plugin and stock.

The plugin shell script collects system information from the infected machine, including the username and the machine's serial number. It then base64-encodes the collected information and saves it in a hidden file, /tmp/.info, which it uploads to hxxps:///panel/upload.php using the collected username and machine serial number as identifiers.

The stock shell script copies Stockfoli.app/Contents/Resources/appcode to /private/var/tmp/appcode. If the remote site returns a successful response, the script writes that response to another hidden file, ~/Library/Containers/.pass.

The hidden .app file that ships in the zip archive alongside Stockfoli.app is then executed and drops additional files. The .app file checks whether ~/Library/Containers/.pass exists. Using the contents of .pass as the key, it decrypts /private/var/tmp/appcode, which is encrypted with AES-256-CBC, and saves the decrypted file to /tmp/appcode. Because the key never ships with the sample, appcode cannot be decrypted offline from the archive alone; the malware depends on the remote site to supply it.
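The indicators in the analysis above (the dropped files under /tmp, /private/var/tmp and ~/Library/Containers, the one-letter lookalike bundle name, and an app bundle whose Contents/Resources holds shell scripts and a nested copy of the real app) are concrete enough to check for on a host. The following is an added example written for this write-up, not Trend Micro's tooling and not the malware's own code. It runs the three checks against a constructed sample filesystem built in a temporary directory; the root, home and Applications directories, the file contents, and the script bodies are all stand-ins I assume here.

```python
"""Host triage for the Stockfoli.app indicators (added example, not the page's code).

Checks: (1) dropped files named in the analysis, (2) .app bundles whose name is a
one-character lookalike of Stockfolio.app, (3) shell scripts and nested .app bundles
inside a bundle's Contents/Resources. The filesystem inspected is constructed below.
"""
import tempfile
from pathlib import Path


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character bundle-name typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dropped_files(root: Path, home: Path) -> list[str]:
    """Return which of the dropped files named in the analysis are present."""
    candidates = [
        root / "private/var/tmp/appcode",   # copy of Resources/appcode (encrypted)
        root / "tmp/appcode",               # decrypted payload
        root / "tmp/.info",                 # base64-encoded collected data
        home / "Library/Containers/.pass",  # server response used as the AES key
    ]
    return [str(p) for p in candidates if p.is_file()]


def lookalike_bundles(apps_dir: Path, legit: str = "Stockfolio.app",
                      max_distance: int = 1) -> list[str]:
    """Bundles in apps_dir whose name is close to, but not equal to, legit."""
    hits = []
    for entry in apps_dir.iterdir():
        if entry.is_dir() and entry.suffix == ".app":
            d = edit_distance(entry.name.lower(), legit.lower())
            if 0 < d <= max_distance:
                hits.append(entry.name)
    return sorted(hits)


def suspicious_resources(bundle: Path) -> dict[str, list[str]]:
    """Shell scripts (shebang-prefixed files) and nested .app bundles in Contents/Resources."""
    res = bundle / "Contents/Resources"
    scripts, nested = [], []
    if res.is_dir():
        for entry in res.iterdir():
            if entry.is_dir() and entry.suffix == ".app":
                nested.append(entry.name)
            elif entry.is_file():
                with entry.open("rb") as fh:
                    if fh.read(2) == b"#!":
                        scripts.append(entry.name)
    return {"scripts": sorted(scripts), "nested_bundles": sorted(nested)}


def triage(root: Path, home: Path, apps_dir: Path) -> dict:
    """Combine the three checks into one report keyed by indicator type."""
    lookalikes = lookalike_bundles(apps_dir)
    return {
        "dropped_files": dropped_files(root, home),
        "lookalike_bundles": lookalikes,
        "resources": {name: suspicious_resources(apps_dir / name) for name in lookalikes},
    }


def build_sample_tree(base: Path) -> tuple[Path, Path, Path]:
    """Constructed sample: a fake root with the indicators present (assumed layout)."""
    root = base / "root"
    home = root / "Users/victim"
    apps = root / "Applications"
    res = apps / "Stockfoli.app/Contents/Resources"          # note the missing 'o'
    res.mkdir(parents=True)
    (res / "plugin").write_text("#!/bin/bash\n# constructed stand-in, not the real script\n")
    (res / "stock").write_text("#!/bin/bash\n# constructed stand-in, not the real script\n")
    (res / "appcode").write_bytes(b"\x00" * 32)               # stand-in for the encrypted blob
    (res / "Stockfolio.app/Contents").mkdir(parents=True)     # bundled copy of the real app
    (apps / "Stockfolio.app/Contents").mkdir(parents=True)    # a genuine install; must not fire
    for rel in ("private/var/tmp/appcode", "tmp/.info"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed")
    (home / "Library/Containers").mkdir(parents=True)
    (home / "Library/Containers/.pass").write_text("constructed-key\n")
    return root, home, apps


def run_demo() -> dict:
    """Build the constructed tree, triage it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root, home, apps = build_sample_tree(Path(tmp))
        return triage(root, home, apps)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real host you would call triage(Path("/"), Path.home(), Path("/Applications")). The lookalike check deliberately compares the bundle name alone, so a genuine Stockfolio.app sitting next to the fake one is not reported; the nested-bundle and shebang checks are what distinguish the trojanized bundle, since a normal app rarely ships another .app or loose shell scripts in its Resources directory.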