Author Topic: Mac CryptoCurrency Price Tracker Caught Installing Backdoors  (Read 689 times)

Online javajolt

  • Administrator
  • Hero Member
  • *****
  • Posts: 35126
  • Gender: Male
  • I Do Windows
    • windows10newsinfo.com
Mac CryptoCurrency Price Tracker Caught Installing Backdoors
« on: October 30, 2018, 02:09:24 AM »


A Trojan pretending to be a macOS cryptocurrency ticker called CoinTicker is installing backdoors on the macs of unsuspecting users.

When installed, the CoinTicker application allows users to select various cryptocurrencies whose prices they would like to monitor. It will then add a small informational widget to the macOS menu bar as shown below that updates the prices as they change.


CoinTicker Trojan Application

In the background, though, the application is secretly downloading two backdoors onto the infected mac that allows an attacker to take remote control of the computer.

First spotted by a Malwarebyte's forum member named 1vladimir, when executed the Trojan will connect to a remote host and download numerous python and shell scripts that when executed will download and install two backdoors on to the infected computer.

"When launched, however, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell." stated Malwarebyte's Director of Mac & Mobile Thomas Reed in a blog post.

The Trojan will download customized versions of the EggShell and EvilOSX backdoors from a Github repository that has since been taken offline.

First, it will download the EggShell backdoor using the following command.


Download EggShell

After it has finished, Reed has stated that it will create a launch agent that automatically starts the EggShell backdoor when a user logs into the mac.


Create Launch Agent

It will then download the EvilOSX backdoor using an obfuscated script, which is partially cleaned up below. When performing the download, it will send various configuration options that will automatically be added to the downloaded backdoor.


Download EvilOSX with Custom Configuration

It too will have a launch agent created so the EvilOSX backdoor starts automatically.

It is not known if the Coin Ticker app was designed purely for malicious purposes or has been compromised by attackers. The website, though, does not have any contact information and just contains a download button, which leads me to believe it is a shell made purely for the distribution of the Trojan.


CoinTicker Web Site

source