Discovered in October 2018 by Malwarebytes community member 1vladmir, CoinTicker is macOS malware that masquerades as a fully functional and fully customizable cryptocurrency price-monitoring application. It displays up-to-date cryptocurrency prices to users through a widget in the desktop menu bar. Because the app is specifically geared towards cryptocurrency users, the aim of this malware is believed to be gaining access to users’ cryptocurrency wallets. The app is supplied by a domain called coin-sticker-dot-com and was most likely created with malicious intent, rather than being the result of a supply chain attack.
When the application is launched, two backdoors are installed on the computer: EvilOSX and EggShell. The malware first issues a shell command to download a custom version of EggShell from a now-offline GitHub repository belonging to the user “youarenick.” An encoded file named .info.enc is downloaded into /private/tmp/ and decoded to reveal a Python file called .info.py. Once executed, the .info.py script performs a few functions: it opens a reverse shell connection to a command and control (C2) server at seednode3[dot]parsicoin[dot]net, downloads the EggShell binary to /tmp/espl, and creates a per-user launch agent named .espl.plist that launches the EggShell backdoor whenever a user logs onto the computer. A folder named .[random string] containing a Python script called [random string] is created in the user’s Containers folder. Unpacking that Python script reveals that it is really an EvilOSX backdoor script called bot.py. Another launch agent, com.apple.[random string].plist, is created to keep this script running. At no point in the process is root privilege requested, allowing the malware to run discreetly in the background.
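The persistence traits described above (dot-prefixed plist and payload names, a payload run from /tmp or /private/tmp, a hidden folder under the user's Containers directory, and an Apple-style com.apple.* label in the per-user LaunchAgents folder) can be checked for with a short scan of launchd agent plists. The following is an added example written for this page, not code from Malwarebytes or from the write-up; the sample plists, the label suffixes and the /Users/alice paths are constructed for illustration and are not IoCs taken from the report.

```python
"""Scan per-user launchd agent plists for CoinTicker-style persistence traits.

Added example; sample plists below are constructed, not real IoCs.
"""
import plistlib
from pathlib import Path

# Locations the write-up names as drop points for the downloaded payloads.
TEMP_DIRS = ("/tmp/", "/private/tmp/")
CONTAINER_MARK = "/Library/Containers/"


def _hidden_component(path: str) -> bool:
    """True if any directory or file name in the path starts with a dot."""
    return any(part.startswith(".") for part in Path(path).parts if part != "/")


def assess_agent(filename: str, plist: dict, user_dir: bool = True) -> list:
    """Return the reasons an agent looks suspicious; an empty list means no findings."""
    reasons = []
    # A hidden plist file name (like .espl.plist) is itself unusual for an agent.
    if filename.startswith("."):
        reasons.append("plist file name is hidden: " + filename)
    # Apple's own agents ship under /System/Library, not in a user's LaunchAgents folder.
    label = str(plist.get("Label", ""))
    if user_dir and label.startswith("com.apple."):
        reasons.append("Apple-style label in a user LaunchAgents folder: " + label)
    # Inspect every argument, since the payload may be a script passed to an interpreter.
    args = plist.get("ProgramArguments") or []
    if not args and plist.get("Program"):
        args = [plist["Program"]]
    for arg in map(str, args):
        if arg.startswith(TEMP_DIRS):
            reasons.append("runs a file from a temp directory: " + arg)
        elif CONTAINER_MARK in arg and _hidden_component(arg):
            reasons.append("runs a hidden file under Containers: " + arg)
    return reasons


def scan_plist_bytes(samples: dict) -> dict:
    """samples maps plist file name -> raw plist bytes; returns name -> list of reasons."""
    findings = {}
    for name, raw in samples.items():
        try:
            plist = plistlib.loads(raw)
        except Exception as exc:  # malformed plists are worth a look too
            findings[name] = ["unparseable plist: %s" % exc]
            continue
        findings[name] = assess_agent(name, plist)
    return findings


def scan_directory(folder=Path.home() / "Library" / "LaunchAgents") -> dict:
    """Scan a real per-user LaunchAgents folder; iterdir() also lists dot-prefixed files."""
    samples = {}
    folder = Path(folder).expanduser()
    if folder.is_dir():
        for p in folder.iterdir():
            if p.suffix == ".plist" and p.is_file():
                samples[p.name] = p.read_bytes()
    return scan_plist_bytes(samples)


# Constructed sample agents: two modelled on the traits described above, one benign.
SAMPLES = {
    ".espl.plist": plistlib.dumps({
        "Label": ".espl",
        "ProgramArguments": ["/tmp/espl"],
        "RunAtLoad": True,
    }),
    "com.apple.zd7k3.plist": plistlib.dumps({  # "zd7k3" stands in for the random string
        "Label": "com.apple.zd7k3",
        "ProgramArguments": ["/usr/bin/python",
                             "/Users/alice/Library/Containers/.zd7k3/zd7k3"],
        "KeepAlive": True,
    }),
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
        "RunAtLoad": True,
    }),
}

if __name__ == "__main__":
    for name, reasons in scan_plist_bytes(SAMPLES).items():
        print(name, "->", reasons or ["no findings"])
```

Run as-is, the script reports findings only for the two constructed malicious agents; call scan_directory() (optionally with another folder) to check a live ~/Library/LaunchAgents. Each reason on its own is a weak signal, so treat the output as a triage list rather than a verdict and confirm by inspecting the referenced files.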
Malwarebytes provides technical details and the indicators of compromise (IoCs) on CoinTicker here.