According to a post on the Malwarebytes blog, a forum contributor, 1vladimir, noticed that an application called CoinTicker was installing backdoors on the computers it was downloaded to. The post was written by Thomas Reed, an experienced security researcher, who verified the claim that the app was Mac malware.
The malicious app had been presented to unsuspecting users as the most useful currency ticker for Mac. Its main function was to let users quickly track various cryptocurrency prices directly from the Mac menu bar. The website offers rate information for numerous supported altcoins, from Bitcoin and Ethereum to Monero and many others.
Despite this seemingly innocent purpose, which could attract many Mac users, Reed explains that the app was doing dirty work in the background. Once launched, it immediately begins downloading and installing the components of two backdoors, EvilOSX and EggShell.
This is not the first time that cryptocurrency-themed malware has hit Mac systems. In July, there were many media reports of attackers approaching Mac users who were discussing cryptocurrencies on Discord and Slack and trying to induce them to run malicious scripts.
Effects of the recent malware attack
In his post, Reed carefully explains what the two backdoors, EvilOSX and EggShell, do, and describes the process by which they embed themselves on the computer. According to Lawrence Abrams, a security expert, these backdoors are customized builds of the two apps obtained from a GitHub repository that is now offline. He also explains how the two backdoors start automatically when a Mac user logs in to the computer.
EvilOSX and EggShell are broad-spectrum backdoors that can be used for many purposes. Reed commented that, while he did not know what the malware author had in mind, the goal appears to have been to access a user's virtual wallet in hopes of stealing funds.
Did the crypto ticker work?
In his in-depth analysis of the malware, Reed initially believed this was a case of a supply-chain attack on the app. In that scenario, the legitimate app's website is hacked and used to distribute malicious versions of the legitimate app. That supply-chain technique is what happened to Torrent in May 2017, which was hacked to install ransomware and backdoor malware.
However, Reed found that this particular CoinTicker app was never legitimate. Moreover, the website domain for the app was registered only recently, in July, under a name different from the app's, which is rather strange.
In conclusion, Reed noted that this type of malware needs nothing more than standard Mac user permissions. It demonstrates that even without administrator privileges, malicious apps can still pose a high risk to a Mac, hence the need to be extremely careful before downloading and installing any app.
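The two points above, that the backdoors started automatically at login and that they needed nothing beyond standard user permissions, are what a defender can check for on their own machine. The script below is an added example for this article, not code from Malwarebytes, Thomas Reed or the malware authors. The article does not name the autostart mechanism; this example assumes the common user-level one on macOS, a LaunchAgent plist in ~/Library/LaunchAgents, and flags agents that run at login from a path a non-admin user can write to, that launch a script interpreter rather than an app binary, or that carry a URL on their command line. The sample plists are constructed, with a placeholder host, so the audit runs offline; audit_user_launch_agents() points the same logic at the live directory.

```python
"""Audit per-user macOS LaunchAgents for login-time persistence that needs no admin rights.

Added example for this article, not code from Malwarebytes or Thomas Reed.
The article says the CoinTicker backdoors started automatically at login using
only standard user permissions; that a LaunchAgent plist in ~/Library/LaunchAgents
is the mechanism is an assumption here, since the article does not name one.
All sample plists below are constructed.
"""
from __future__ import annotations

import plistlib
from pathlib import Path

# Locations a standard (non-admin) user cannot normally write to. A RunAtLoad
# agent whose executable lives elsewhere was installed without admin rights.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/")
# Interpreters often used to run a fetched script instead of a signed app binary.
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "zsh", "osascript", "curl"}


def program_of(agent: dict) -> list[str]:
    """Return the command line launchd will run (ProgramArguments or Program)."""
    if "ProgramArguments" in agent:
        return list(agent["ProgramArguments"])
    if "Program" in agent:
        return [agent["Program"]]
    return []


def findings_for(path: str, agent: dict) -> list[str]:
    """Return reasons this agent looks like user-level persistence (empty if none)."""
    argv = program_of(agent)
    if not argv:
        return []
    exe = argv[0]
    reasons = []
    runs_at_login = bool(agent.get("RunAtLoad")) or bool(agent.get("KeepAlive"))
    if runs_at_login and not exe.startswith(TRUSTED_PREFIXES):
        reasons.append(f"runs at login from a user-writable path: {exe}")
    if Path(exe).name in INTERPRETERS:
        reasons.append(f"launches interpreter {Path(exe).name!r} instead of an app binary")
    if any("http://" in tok or "https://" in tok for tok in argv[1:]):
        reasons.append("command line contains a URL (code fetched at run time)")
    return [f"{path}: {r}" for r in reasons]


def audit(plists: dict[str, bytes]) -> list[str]:
    """Parse {path: raw plist bytes} and return every finding, sorted by path."""
    out: list[str] = []
    for path, raw in sorted(plists.items()):
        try:
            agent = plistlib.loads(raw)
        except Exception:  # not a plist, or malformed XML/binary plist
            out.append(f"{path}: unparseable plist")
            continue
        out.extend(findings_for(path, agent))
    return out


def audit_user_launch_agents(home: Path = Path.home()) -> list[str]:
    """Run the audit against the current user's real ~/Library/LaunchAgents."""
    agents_dir = home / "Library" / "LaunchAgents"
    if not agents_dir.is_dir():
        return []
    return audit({str(p): p.read_bytes() for p in agents_dir.glob("*.plist")})


# Constructed sample set: one benign vendor agent and two that match the
# pattern the article describes (login-time start with plain user rights).
SAMPLE_AGENTS = {
    "~/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    }),
    "~/Library/LaunchAgents/com.example.hidden.plist": plistlib.dumps({
        "Label": "com.example.hidden",
        "ProgramArguments": ["/Users/alice/Library/Application Support/.ticker/agent"],
        "RunAtLoad": True,
    }),
    "~/Library/LaunchAgents/com.example.ticker-helper.plist": plistlib.dumps({
        "Label": "com.example.ticker-helper",
        # Placeholder stand-in for an interpreter job that pulls its payload remotely.
        "ProgramArguments": ["/usr/bin/python", "-c",
                             "PLACEHOLDER: fetch second stage from http://placeholder.invalid/"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
}

if __name__ == "__main__":
    for line in audit(SAMPLE_AGENTS) or ["no findings in sample set"]:
        print(line)
```

Run as-is it reports three findings for the constructed set (one for the hidden-path agent, two for the interpreter job) and nothing for the vendor updater; on a real machine, call audit_user_launch_agents() and review each flagged plist by hand, since legitimate helpers can also live under ~/Library.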