CoinTicker, a Mac app that displays the current price of Bitcoin and other cryptocurrencies in your menu bar, has been found to contain two separate pieces of malware …
Malwarebytes shared the news on its blog, after one of its forum members spotted suspicious behavior.
The CoinTicker app is covertly installing not just one but two different backdoors.
CoinTicker is a Mac status bar app that provides the latest prices for Bitcoin, Ethereum, Litecoin, Ripple, Dogecoin, Dash and many other altcoins/cryptocurrencies. Set it to pull prices and all currency pairs from your favorite coin exchange and get updates at your own pace (from real-time to.
Without any signs of trouble, such as requests for authentication to root, there’s nothing to suggest to the user that anything is wrong.
When launched, however, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell.
The app executes [a] shell command to download a custom-compiled version of the EggShell server for macOS.
Analysis of the malware doesn’t reveal exactly what it is up to, since it essentially creates backdoors that can be exploited in a wide range of different ways, but the company thinks the goal isn’t hard to guess.
Although it’s unknown exactly what goal the hacker behind this malware had in mind, both EggShell and EvilOSX are broad-spectrum backdoors that can be used for a variety of purposes. Since the malware is distributed through a cryptocurrency app, however, it seems likely that the malware is meant to gain access to users’ cryptocurrency wallets for the purpose of stealing coins.
At first, this looked like it could have been a supply chain attack, in which a legitimate app’s website is hacked to distribute a malicious version of the app […] However, on further inspection, it looks like this app was probably never legitimate to begin with. First, the app is distributed via a domain named coin-sticker.com. This is close to, but not quite the same as, the name of the app. Getting the domain name wrong seems awfully sloppy if this were a legitimate app. Adding further suspicion, it seems that this domain was just registered a few months ago on July 13.
Malwarebytes says that CoinTicker serves as a warning that nasty things can be done without root privileges.
One interesting note about this malware is that none of it requires anything other than normal user permissions. Root permissions are not needed. There is often an erroneous over-emphasis on malware’s need for root privileges, but this malware is a perfect demonstration that malware does not need such privileges to have high potential for danger.
As always, the advice remains to only install apps from sources you trust.
Via TNW. Image: Shutterstock.