Malicious CoinTicker app used to install backdoor on Macs


A security researcher spotted that bad actors were using a malicious app called CoinTicker to install backdoors on systems running macOS.

The CoinTicker app appeared at first to be a legitimate app used to display an icon, pricing and other information for a wide variety of cryptocurrencies such as Bitcoin, Ethereum and Monero.

According to Malwarebytes, the app actually downloads and installs two different open-source backdoors, EvilOSX and EggShell.

Malwarebytes described the issue in a recent blog post:

“The first part of the command downloads an encoded file from a Github page belonging to a user named ‘youarenick’ and saves that file to a hidden file named .info.enc in /private/tmp/. Next, it uses openssl to decode that file into a hidden Python file named .info.py. Finally, it executes the resulting Python script.”

Malwarebytes

The Python script then opens a reverse shell connection to a command and control system. It then downloads the EggShell malicious app, and creates and runs a shell script used to establish a reverse shell.

The malicious software also creates a folder within the user’s Containers folder that contains a Python script. Once extracted, the script appears to be the bot.py script, part of the EvilOSX backdoor developed by Github user Marten4n6.

“This script has been customized to cause the backdoor to communicate with a server at 185.206.144.226 on port 1339. The malware also creates a user launch agent named com.apple.EOFHXpQvqhr.plist designed to keep this script running,” Malwarebytes added.
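A small triage script that checks a Mac (or a mounted image) for the file and network indicators quoted above, added here as an example and not code from Malwarebytes or from the write-up. It assumes the user launch agent lives in the standard ~/Library/LaunchAgents location, that the Containers script is named bot.py, and uses constructed sample netstat lines rather than real captures.

```python
"""Triage helper for the CoinTicker indicators in the Malwarebytes write-up.
Added example, not Malwarebytes' code. ~/Library/LaunchAgents is the standard
macOS user launch agent location; the netstat sample below is constructed."""
import os
import re
import subprocess
from typing import Iterable, List

C2_HOST, C2_PORT = "185.206.144.226", "1339"   # endpoint quoted in the write-up
LAUNCH_AGENT = "com.apple.EOFHXpQvqhr.plist"     # launch agent quoted in the write-up
FILE_INDICATORS = (
    re.compile(r"^/private/tmp/\.info\.(enc|py)$"),
    re.compile(r"^/Users/[^/]+/Library/LaunchAgents/" + re.escape(LAUNCH_AGENT) + "$"),
    re.compile(r"^/Users/[^/]+/Library/Containers/.+/bot\.py$"),
)
# Constructed sample in macOS `netstat -an` layout (address.port); not real data.
SAMPLE_NETSTAT = [
    "tcp4  0  0  10.0.0.5.49812   17.253.144.10.443      ESTABLISHED",
    "tcp4  0  0  10.0.0.5.49901   185.206.144.226.1339   ESTABLISHED",
    "tcp4  0  0  10.0.0.5.49950   185.206.144.226.443    ESTABLISHED",
]

def match_paths(paths: Iterable[str]) -> List[str]:
    """Return the paths (from a file listing or EDR export) matching a known indicator."""
    return [p for p in paths if any(rx.match(p) for rx in FILE_INDICATORS)]

def flag_connections(lines: Iterable[str]) -> List[str]:
    """Return netstat/lsof lines that reference the reported C2 host and port.
    Accepts both the macOS 'ip.port' and the Linux 'ip:port' spellings."""
    needle = re.compile(re.escape(C2_HOST) + r"[.:]" + C2_PORT + r"\b")
    return [ln for ln in lines if needle.search(ln)]

def scan_host(root: str = "/") -> List[str]:
    """Check the locations named in the write-up under root (pass a mounted
    image path for offline triage) and return those that exist."""
    present = []
    for rel in ("private/tmp/.info.enc", "private/tmp/.info.py"):
        if os.path.lexists(os.path.join(root, rel)):
            present.append(os.path.join(root, rel))
    users = os.path.join(root, "Users")
    for user in (sorted(os.listdir(users)) if os.path.isdir(users) else []):
        agent = os.path.join(users, user, "Library", "LaunchAgents", LAUNCH_AGENT)
        if os.path.lexists(agent):
            present.append(agent)
        for dirpath, _, files in os.walk(os.path.join(users, user, "Library", "Containers")):
            if "bot.py" in files:                 # candidate EvilOSX bot.py drop
                present.append(os.path.join(dirpath, "bot.py"))
    return present

if __name__ == "__main__":
    print("files:", scan_host())
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    print("connections:", flag_connections(out.splitlines()))
```

A hit on any of these is a reason to isolate the host and pull the launch agent and the .info.py script for analysis; absence is not proof of a clean system, since the paths and C2 endpoint can change between samples.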

Malwarebytes says the hacker’s motive is not entirely clear, although the backdoors could be used for multiple purposes such as gaining access to cryptocurrency wallets in order to steal cryptocurrency coins.