- The application CoinTicker is capable of keylogging, data theft and execution of arbitrary commands
- This is an example of a supply chain attack, where a legitimate app’s website is hacked to distribute a malicious version
A Trojan posing as CoinTicker, a MacOS cryptocurrency ticker, is stealthily installing backdoors on Macs. Once installed, CoinTicker lets users select the cryptocurrencies whose prices they want to monitor, but on launch the Trojan also downloads and installs components of two different open-source backdoors.
Malwarebytes’ director of Macs and Mobiles Thomas Reed explained in a blog post that a contributor on the forum going by the name 1vladmir discovered the deception.
When executed, the Trojan connects to a remote host and downloads several shell and Python scripts, which in turn download and install backdoors on the infected computer and give the attacker remote control of it. The application was capable of keylogging, data theft, execution of arbitrary commands, and more. Thomas Reed said in the blog post:
“When launched, however, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell.”
According to Malwarebytes, the application calls itself “the best crypto-currency ticker for mac” because it allows users to check the prices of selected digital currencies from their Mac menu bar. The website shows information on a number of different cryptocurrencies, such as Bitcoin, Ethereum, and Monero.
Mac users, historically much safer from viruses and malware than Windows users, have lately become the target of cryptocurrency-related malware. For instance, in July, MacOS users chatting about digital currencies on Discord and Slack became the target of attacks that tried to get them to share malicious scripts.
Supply Chain Attack
Thomas Reed said in the blog post that the EggShell and EvilOSX components, once embedded in the computer, start automatically as soon as a user logs in to their Mac. The two, which are known as “broad-spectrum” backdoors, can be used for many different purposes. While admitting he doesn’t know for sure who is behind the malicious application, Reed suggests “it seems likely” the malware was being used to try to access people’s digital currency wallets and steal their funds.
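The article notes that the backdoor components start automatically at login and that they are installed by shell and Python scripts. A defender checking a Mac for this kind of persistence can review the per-user login items for entries that launch a script interpreter directly or run from a temporary path. The script below is an added example and is not code from the article or from Malwarebytes; it assumes persistence via LaunchAgent property lists (the article says only that the components start at login), and the interpreter list, path prefixes and sample plists are constructed for illustration.

```python
import os
import plistlib

# Interpreters that a menu-bar ticker has no reason to launch at login (hypothetical heuristic list).
SCRIPT_INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript", "curl"}
# Locations a legitimately installed app rarely runs from (hypothetical heuristic list).
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")


def review_launch_agent(plist_bytes):
    """Return the reasons a LaunchAgent plist looks suspicious (empty list if none)."""
    reasons = []
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program")
    if program and not args:
        args = [program]
    if not args:
        return reasons
    exe = os.path.basename(args[0])
    if exe in SCRIPT_INTERPRETERS:
        reasons.append(f"login item runs interpreter {exe!r} directly")
    for arg in args:
        if arg.startswith(SUSPICIOUS_PREFIXES):
            reasons.append(f"references temporary/shared path {arg!r}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (relaunched if killed)")
    return reasons


def scan_launch_agents(directory):
    """Review every .plist in directory; return {filename: [reasons]} for flagged entries only."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            reasons = review_launch_agent(fh.read())
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample plists (not real malware artifacts). The first is a plain app updater;
# the second has the shape the article describes: a Python script run at login from a temp path.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.ticker</string>
<key>ProgramArguments</key><array><string>/usr/bin/python</string><string>/tmp/.ticker/agent.py</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    # Review the two constructed samples, then the current user's LaunchAgents if present.
    for label, sample in (("benign", BENIGN_PLIST), ("suspect", SUSPECT_PLIST)):
        print(label, review_launch_agent(sample))
    agents_dir = os.path.expanduser("~/Library/LaunchAgents")
    if os.path.isdir(agents_dir):
        for name, reasons in scan_launch_agents(agents_dir).items():
            print(name, reasons)
```

The heuristics only surface candidates for a human to look at; a flagged entry should be confirmed by inspecting the script it runs and the process that created the plist, since some legitimate tools also launch interpreters at login.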
It is not yet clear whether the CoinTicker app was designed as a Trojan from the start or whether a legitimate app was compromised by attackers. The website contains no contact information and offers only a download button, which makes it look suspicious. In his blog post, Thomas Reed considers it an example of a supply chain attack, where a “legitimate app’s website is hacked to distribute a malicious version.”