Backdoors Installed via macOS Cryptocurrency App

1vladimir of the Malwarebytes community has discovered that CoinTicker, a macOS app, is being used as an entry point for malware. CoinTicker is a fully functional and customizable app that displays cryptocurrency prices to users through a widget on the desktop menu bar. Discreetly in the background, however, CoinTicker sets up two backdoors that grant remote access: EvilOSX and EggShell. When CoinTicker is launched, a command is issued to download Python and shell scripts from a GitHub repository. A script called .info.py opens a reverse shell connection to a C2 server at seednode3[dot]parsicoin[dot]net, downloads EggShell, and creates a user launch agent that starts EggShell when the user logs in. A similar process takes place to set up a backdoor with EvilOSX. Currently, it appears as though CoinTicker was created with malicious intent, rather than hijacked by a threat actor to distribute the malware. Researchers believe its purpose may be to steal cryptocurrency credentials. The NJCCIC recommends users of CoinTicker review the Malwarebytes article and uninstall the application. Users are encouraged to take caution before downloading apps onto their device, even those available in official app stores, and to refrain from granting apps unnecessary permissions or permissions that do not align with the application’s intended purpose.
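As an added defensive illustration (not from the Malwarebytes article or the NJCCIC alert), the following Python script flags per-user LaunchAgent plists that match the persistence pattern described above: a script interpreter launching a hidden dotfile such as .info.py from a user-writable path, set to run at login. The sample plists, their labels, and the script paths are constructed placeholders; the real CoinTicker launch agent contents are not given on this page.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Indicators drawn from the alert: an interpreter running a hidden dotfile script
# (.info.py) from a user-writable location, started at login by a user LaunchAgent.
SCRIPT_INTERPRETERS = {"python", "python3", "sh", "bash", "zsh"}
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")

def is_hidden_path(p: str) -> bool:
    """True if any component of the path is a dotfile or dot-directory."""
    parts = PurePosixPath(p).parts
    return any(x.startswith(".") and x not in (".", "..") for x in parts)

def score_launch_agent(plist_bytes: bytes) -> list:
    """Return the reasons a LaunchAgent plist resembles the CoinTicker persistence."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    reasons = []
    if not args:
        return reasons
    if PurePosixPath(args[0]).name in SCRIPT_INTERPRETERS:
        reasons.append(f"runs script interpreter: {args[0]}")
    for a in args:
        if is_hidden_path(a):
            reasons.append(f"hidden path in arguments: {a}")
        if a.startswith(USER_WRITABLE_PREFIXES):  # coarse: also matches ~/Applications
            reasons.append(f"user-writable path: {a}")
    # RunAtLoad by itself is normal; report it only as an amplifier of other findings.
    if reasons and d.get("RunAtLoad"):
        reasons.append("RunAtLoad set: starts at login")
    return reasons

def scan_launch_agents(directory) -> dict:
    """Map plist filename -> reasons for every suspicious plist in a directory."""
    found = ((p.name, score_launch_agent(p.read_bytes())) for p in sorted(Path(directory).glob("*.plist")))
    return {name: reasons for name, reasons in found if reasons}

# Constructed samples: label and script location are placeholders, not the real plist.
SAMPLE_MALICIOUS = (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
    b'<key>Label</key><string>com.example.placeholder</string>'
    b'<key>ProgramArguments</key><array><string>/usr/bin/python</string>'
    b'<string>/Users/victim/.info.py</string></array>'
    b'<key>RunAtLoad</key><true/></dict></plist>')
SAMPLE_BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
    b'<key>Label</key><string>com.example.updater</string>'
    b'<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>'
    b'<key>RunAtLoad</key><true/></dict></plist>')
```

Run `scan_launch_agents(Path.home() / "Library" / "LaunchAgents")` on a Mac to review the current user's agents; anything flagged deserves a manual look at the referenced script before removal.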
