Windows 10 News and info | Forum
August 26, 2019, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Mac CryptoCurrency Price Tracker Caught Installing Backdoors  (Read 289 times)
Hero Member
Offline Offline

Gender: Male
United States United States

Posts: 30378

I Do Windows

WWW Email
« on: October 30, 2018, 02:09:24 AM »

A Trojan pretending to be a macOS cryptocurrency ticker called CoinTicker is installing backdoors on the macs of unsuspecting users.

When installed, the CoinTicker application allows users to select various cryptocurrencies whose prices they would like to monitor. It will then add a small informational widget to the macOS menu bar as shown below that updates the prices as they change.

CoinTicker Trojan Application

In the background, though, the application is secretly downloading two backdoors onto the infected mac that allows an attacker to take remote control of the computer.

First spotted by a Malwarebyte's forum member named 1vladimir, when executed the Trojan will connect to a remote host and download numerous python and shell scripts that when executed will download and install two backdoors on to the infected computer.

"When launched, however, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell." stated Malwarebyte's Director of Mac & Mobile Thomas Reed in a blog post.

The Trojan will download customized versions of the EggShell and EvilOSX backdoors from a Github repository that has since been taken offline.

First, it will download the EggShell backdoor using the following command.

Download EggShell

After it has finished, Reed has stated that it will create a launch agent that automatically starts the EggShell backdoor when a user logs into the mac.

Create Launch Agent

It will then download the EvilOSX backdoor using an obfuscated script, which is partially cleaned up below. When performing the download, it will send various configuration options that will automatically be added to the downloaded backdoor.

Download EvilOSX with Custom Configuration

It too will have a launch agent created so the EvilOSX backdoor starts automatically.

It is not known if the Coin Ticker app was designed purely for malicious purposes or has been compromised by attackers. The website, though, does not have any contact information and just contains a download button, which leads me to believe it is a shell made purely for the distribution of the Trojan.

CoinTicker Web Site


Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page July 17, 2019, 06:50:26 PM