Mac Malware

A Trojan pretending to be a macOS cryptocurrency ticker called CoinTicker is installing backdoors on the macs of unsuspecting users.

When installed, the CoinTicker application allow users to select various cryptocurrencies whose prices they would like to monitor. It will then add a small informational widget to the macOS menu bar as shown below that updates the prices as they change.

Coin Ticker Mac Application
CoinTicker Trojan Application

In the background, though, the application is secretly downloading two backdoors onto the infected mac that allows an attacker to take remote control of the computer.

First spotted by a Malwarebyte's forum member named 1vladimir, when executed the Trojan will connect to a remote host and download numerous python and shell scripts that when executed will download and install two backdoors on to the infected computer.

"When launched, however, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell." stated Malwarebyte's Director of Mac & Mobile Thomas Reed in a blog post.

The Trojan will download customized versions of the EggShell and EvilOSX backdoors from a Github repository that has since been taken offline.

First it will download the EggShell backdoor using the following command.

Download EggShell
Download EggShell

After it has finished, Reed has stated that it will create a launch agent that automatically starts the EggShell backdoor when a user logs into the mac.

Create Launch Agent
Create Launch Agent

It will then download the EvilOSX backdoor using an obfuscated script, which is partially cleaned up below. When performing the download, it will send various configuration options that will automatically be added to the downloaded backdoor.

Download EvilOSX
Download EvilOSX with Custom Configuration

It too will have a launch agent created so the EvilOSX backdoor starts automatically.

It is not known if the Coin Ticker app was designed purely for malicious purposes or has been compromised by attackers. The web site, though, does not have any contact information and just contains a download button, which leads me to believe it is a shell made purely for the distribution of the Trojan.

CoinTicker Web Site
CoinTicker Web Site

Related Articles:

Linux CryptoMiners Are Now Using Rootkits to Stay Hidden

Fake Elon Musk Twitter Bitcoin Scam Earned 180K in One Day

Apple Fixes Creepy FaceTime Vulnerability, Crash Bug in macOS, and More

The Few Privileged North Koreans Are Savvy Scammers

Fraudster Targets Cryptocurrency Wallets with a Variety of Info Stealers