User on Malwarebytes Forum Discovers CoinTicker Crypto Tracking App Targets Mac Computers
According to a blog post on the Malwarebytes website, a forum contributor, 1vladimir, noticed that an application called CoinTicker had been installing backdoors onto computer systems after download. The post was written by Thomas Reed, an experienced security researcher, who verified the claims about the Mac malware.
The malicious app presented itself to unwitting users as the most useful Mac currency ticker. Its primary function was to let users quickly keep track of various cryptocurrency prices directly from the menu bar of their Mac computers. The website features information about the rates for numerous supported altcoins, from Bitcoin and Ethereum to Monero and many others.
Despite having seemingly innocent intentions that could lure many Mac users, Reed explains that the app was doing some foul stuff in the background. Once you launch the app, it immediately starts downloading and installing various components of two backdoor apps, namely EvilOSX and Eggshell.
This is not the first time that crypto-based malware has affected Mac systems. In July, there were plenty of media reports about Mac users discussing cryptocurrencies on Discord and Slack being targeted by attempts to entice them into sharing malicious scripts.
Effects of the Recent Malware Attack
In his post, Reed carefully explains the effect of the two backdoor apps, EvilOSX and Eggshell. He describes the process that the two malicious programs use to embed themselves into the computer. According to Lawrence Abrams, a security expert, these backdoors are customized editions of the two apps, obtained from a GitHub repository that is now offline. He also added that the two backdoors start automatically the moment a Mac user logs into their computer.
EvilOSX and Eggshell are broad-spectrum backdoors that can be deployed for numerous purposes. Reed commented that while he did not know what the creator of the malware was thinking, it appears that the aim was to try to access a user’s virtual currency wallet in the hope of stealing funds.
Did the Crypto Ticker Work?
According to his thorough analysis of the malware, Reed initially suspected that the case was an instance of a supply chain attack on the main app. In this scenario, the website for a legitimate app is hacked and used to distribute malicious versions of that app. That supply chain technique is what happened to Transmission’s torrent application back in May 2017, which was hacked to install ransomware and backdoor malware.
Nevertheless, Reed said that this particular CoinTicker app was never legitimate. Even the website domain for this app was only recently registered, in July, under a name different from the app itself, which is quite strange.
In conclusion, Reed noted that this type of malware doesn’t need anything beyond standard Mac user permissions. It perfectly demonstrates that even without administrator privileges, malicious apps can still pose a high risk to your Mac system, hence the need to be extremely careful before downloading and installing any app.