An astute Malwarebytes forums user recently noticed that a crypto price tracker application, called CoinTicker, covertly installed backdoors in Mac computers.
A recent blog post from Malwarebytes’ Thomas Reed, Director of Mac & Mobile, explains how a contributor on the Malwarebytes forum going by the name 1vladimir noticed an app called CoinTicker was secretly installing two different backdoors onto computers after download.
Just spent my Sunday afternoon and evening analyzing some new Mac malware and working on a blog post. The life of a security researcher…
(And, of course, I enjoyed every minute of it. )
Post coming soon!
— Thomas Reed (@thomasareed) October 29, 2018
According to Reed, the webpage for application to the program heralds itself as “the best crypto-currency ticket for Mac,” since it lets users check out the prices of selected virtual currencies from the Mac menu bar.
A cryptocurrency "ticker" app has been found to be installing not one but two backdoors. Both backdoors are open-source projects: EvilOSX and EggShell. (Thus the name OSX.EvilEgg… ) #macOS #malwarehttps://t.co/DQxvqgWFys
— Thomas Reed (@thomasareed) October 29, 2018
The website displays information about prices for a number of supported cryptocurrencies, including Bitcoin (BTC) [coin_price], Ethereum, and Monero.
Despite the seemingly innocent intentions on the surface, Reed explains how the application is “actually no good in the background,” since it, “downloads and installs components of two different open-source backdoors” upon launch.
Mac users are certainly not a stranger to crypto-related malware. In early July, Bitcoinist reported on a situation in which MacOS users who were chatting about cryptocurrencies on Slack and Discord were being targeted by attacks in an effort to get them to share malicious scripts.
Utilized to Gain Access to Cryptocurrency Wallets?
Reed explains how the backdoor components are called Eggshell and EvilOSX. He posts several screenshots in the blog post to show how the malicious programs embed themselves into a computer.
Lawrence Abrams of Bleeping Computer says the downloaded backdoors are customized versions of EggShell and EvilOSX that were taken from a now-offline GitHub repository.
Going further, Abrams writes how the EggShell and EvilOSX backdoors automatically start once a user logs into the Mac computer.
Reed notes how EggShell and EvilOEX are known as “broad-spectrum” backdoors that are able to be used for a number of different purposes.
He admits to not knowing for certain what the malware’s creator had in mind, but writes “it seems likely” it was being used to try and get access to a person’s digital currency wallet to steal funds.
Was the Application Even Remotely Legitimate?
According to the blog post, Reed first thought the scenario with CoinTicker was an example of a supply chain attack. This is where a “legitimate app’s website is hacked to distribute a malicious version.”
A Malwarebytes blog post from May 2017 details the story behind a supply chain attack on the Transmission torrent app, where it was hacked first to install the KeRanger ransomware, and then again to install the Keydnap backdoor.
However, Reed also muses the CoinTicker application might never have been legitimate from the start.
He points out how the website’s domain for the app, coin-sticker.com, was registered in mid-July and is not even the same name as the actual application.
Overall, Reed made a point about how the malware does not require anything other than “normal user permissions,” citing the scenario as a
Perfect demonstration that malware does not need such privileges to have high potential for danger.
What do you think about the situation with CoinTicker and the backdoor it has installed on Macs? Have you ever used the application? Let us know in the comments!
Images courtesy of CoinTicker, Shutterstock, Twitter (@thomasareed)