Coin Ticker mac is a cryptocurrency price tracker application for Apple macOS that installs open-source backdoors on the machines of unwary users while delivering the price-tracking features it advertises.
Once the cryptocurrency price tracker is installed, it lets users select the cryptocurrencies of their choice and monitor their prices. In addition, Coin Ticker mac adds a small widget to the Mac menu bar that keeps updating the prices as they change.
However, this Coin Ticker mac Trojan application stealthily downloads two backdoors in the background onto the infected macOS system and gives an attacker remote access to it.
Insight into the Trojan Infection
The incident was first reported by a forum member of the cyber security firm Malwarebytes on 29 October 2018. When the application is executed, the Trojan connects to a remote host and downloads several malicious Python and shell scripts to the infected system. When executed, these scripts download and install two open-source backdoors, EvilOSX and EggShell.
The attackers then use the backdoors to log keystrokes, steal sensitive information from the victims and execute commands on the compromised macOS system.
Thomas Reed, Malwarebytes director of Mac and Mobile, wrote in a blog post that the macOS cryptocurrency price tracker application may have been designed to steal cryptocurrency keys. He also found that the webpage for this Trojan application advertises itself as the best cryptocurrency ticker for Mac, since it lets users check the prices of various virtual currencies, including Bitcoin, Monero and Ethereum, from the Mac menu bar. It does not ask for any elevated permissions, which hides its malicious behavior from users.
Mode of Execution of CryptoCurrency Price Tracker
1. As soon as the cryptocurrency price tracker application is executed by the user, the Trojan connects to a remote host and downloads malicious scripts written in Python and shell.
2. The scripts execute a command that downloads customized versions of the EggShell and EvilOSX backdoors from a GitHub repository.
3. The EggShell backdoor is downloaded first, after which the Trojan creates a launch agent that auto-starts the EggShell backdoor whenever the user logs in to macOS.
4. It then uses another obfuscated script to download the EvilOSX backdoor. During the download it passes various configuration options that are automatically added to the backdoor.
5. After that download, it generates a launch agent for the EvilOSX backdoor as well.
6. The Trojan thereby gives remote access to the attackers, who use these backdoors to log keystrokes, steal personal information and execute commands on the infected Mac.
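Both backdoors persist through per-user launch agents that fire at login (steps 3 and 5). The following audit script is an added example, not code from the article or from Malwarebytes: it parses launch agent plists and flags agents that auto-start a script interpreter on a file outside the usual system and application locations. The sample plists, labels and paths in it are constructed for illustration and are not the real malware's.

```python
import plistlib
from pathlib import Path

# Interpreters a script-based launch agent would typically invoke.
INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript"}
# Locations where a legitimately installed program is expected to live (heuristic).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

def is_suspicious(agent: dict) -> bool:
    """True when a launch agent looks like interpreter-based login persistence."""
    args = list(agent.get("ProgramArguments") or [])
    if agent.get("Program"):
        args = [agent["Program"], *args]
    if not args:
        return False
    # Only agents that start without user action matter for this check.
    if not (agent.get("RunAtLoad") or agent.get("KeepAlive")):
        return False
    exe = Path(args[0]).name
    if exe in INTERPRETERS:
        # Interpreter launched on a script that is not in a trusted location.
        return any(a.startswith(("~", ".")) or
                   (a.startswith("/") and not a.startswith(TRUSTED_PREFIXES))
                   for a in args[1:])
    # A direct executable outside trusted locations also warrants a look.
    return not args[0].startswith(TRUSTED_PREFIXES)

def audit_launch_agents(agents: dict) -> list:
    """Take raw plist bytes keyed by filename; return the names flagged as suspicious."""
    return [name for name, blob in agents.items() if is_suspicious(plistlib.loads(blob))]

def scan_directory(directory: str = "~/Library/LaunchAgents") -> list:
    """Audit every .plist in a LaunchAgents directory on a live system."""
    d = Path(directory).expanduser()
    return audit_launch_agents({p.name: p.read_bytes() for p in d.glob("*.plist")})

# Constructed sample plists: one mimicking script persistence, one a normal app helper.
SAMPLES = {
    "com.example.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.agent</string>
<key>ProgramArguments</key><array><string>/usr/bin/python</string>
<string>/Users/victim/.hidden/agent.py</string></array>
<key>RunAtLoad</key><true/></dict></plist>""",
    "com.example.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/Applications/Foo.app/Contents/MacOS/helper</string></array>
<key>RunAtLoad</key><true/></dict></plist>""",
}

if __name__ == "__main__":
    print(audit_launch_agents(SAMPLES))  # prints ['com.example.agent.plist']
```

Run `scan_directory()` on a machine to check the current user's agents; the heuristic is a starting point for triage, not proof of compromise.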
macOS users, however, are no strangers to crypto-oriented malware. Earlier this year, Bitcoinist, a bitcoin news portal, reported that certain Mac users who were chatting about virtual currencies on Slack and Discord were targeted by attackers. The attackers tried to get users of those platforms to run malicious scripts shared in those channels.
It is still uncertain what precisely the Coin Ticker mac creators want, as the website contains no contact information. The site has only a download button, which leads Thomas Reed to believe that it was built purely to distribute the Trojan in order to gain access to users' cryptocurrency wallets on their Macs and steal coins.