MacOS app CoinTicker found quietly installing backdoors on systems

• These backdoors could allow the attacker to gain remote control over affected macs.
• CoinTicker’s website does not have any contact information about the owner and the domain was just registered a few months ago.

A new macOS cryptocurrency trojan named CoinTicker was found installing backdoors on Macs. The application appears to be legitimate and allows users to monitor various cryptocurrency prices and values. The app also adds a small widget to the macOS menu bar, that provides information about changes in cryptocurrency prices.

In the background, the app was secretly installing two backdoors - EvilOSX and EggShell - into infected systems. These backdoors could allow the attacker to gain remote control over affected Macs.

The malicious backdoor was discovered by Malwarebyte’s forum member named 1vladimir.

Infection Vector

CoinTicker connects to a remote host and downloads numerous python and shell scripts which, upon execution downloads the two open-source backdoors. The malicious app downloads the EggShell backdoor from a Github repository and creates a launch agent that could automatically start and run the EggShell backdoor, when a user logs into the infected system.

CoinTicker then downloads the EvilOSX backdoor using a much more complicated script. The shell sends all the required configuration to the backdoor, ensuring that all the configurations are automatically added to the downloaded backdoor. A separate launch agent is created for the EvilOSX backdoor, to launch it automatically when a user logs into the Mac.

CoinTicker’s purpose

Security researchers suggested that CoinTickers primary aim appears to be the distribution of the trojan. Moreover, the CoinTicker’s website does not have any contact information about the owner and the domain was just registered a few months ago, on July 13. However, it is still unknown if CoinTicker was designed to be used for malicious purposes or whether it has been compromised by attackers.

“At first, this looked like it could have been a supply chain attack, in which a legitimate app’s website is hacked to distribute a malicious version of the app. Such attacks have happened multiple times in the past, such as when the Transmission site was hacked (twice) to distribute KeRanger and Keydnap, or when a Handbrake mirror server was hacked to distribute Proton,” Thomas Reed, Malwarebyte’s Director of Mac & Mobile wrote in a blog post. “However, on further inspection, it looks like this app was probably never legitimate, to begin with.

Another interesting feature about the malware is that it does not require any permissions from the user to perform its operations. It can also perform malicious without root permissions.

“Since the malware is distributed through a cryptocurrency app, it seems likely that the malware is meant to gain access to users’ cryptocurrency wallets for the purpose of stealing coins,” Reed added.