CoinTicker

CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[1]

ID: S0369
Type: MALWARE
Contributors: Richie Cyrus, SpecterOps

Platforms: macOS

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | CoinTicker executes a bash script to establish a reverse shell.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL.[1] |
| Enterprise | T1144 | Gatekeeper Bypass | CoinTicker downloads the EggShell mach-o binary using curl, which does not set the quarantine flag.[1] |
| Enterprise | T1158 | Hidden Files and Directories | CoinTicker downloads the following hidden files to evade detection and maintain persistence: /private/tmp/.info.enc, /private/tmp/.info.py, /private/tmp/.server.sh, ~/Library/LaunchAgents/.espl.plist, ~/Library/Containers/.[random string]/[random string].[1] |
| Enterprise | T1159 | Launch Agent | CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | CoinTicker initially downloads a hidden encoded file.[1] |
| Enterprise | T1105 | Remote File Copy | CoinTicker executes a Python script to download its second stage.[1] |
| Enterprise | T1064 | Scripting | CoinTicker executes a bash script to establish a reverse shell and a Python script to download its second stage.[1] |
| Enterprise | T1065 | Uncommonly Used Port | CoinTicker establishes outbound connections for command and control on ports 2280 and 1339.[1] |
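The hidden-file and launch-agent behaviour in the table above lends itself to a simple host triage check. The following is an added example (not part of the ATT&CK entry or the cited report): it flags dot-prefixed files in the directories CoinTicker uses and inspects a user launch agent's plist for the /private/tmp interpreter pattern; the function names and the sample plist are constructed for illustration.

```python
import plistlib
import re
from pathlib import PurePosixPath
from typing import List

# Directories named in the CoinTicker write-up; hidden (dot-prefixed) entries here are the signal.
WATCHED_DIRS = ("/private/tmp", "Library/LaunchAgents", "Library/Containers")


def is_hidden(path: str) -> bool:
    """True if any path component is dot-prefixed, e.g. /private/tmp/.info.py or Containers/.xyz/abc."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in PurePosixPath(path).parts)


def classify_path(path: str) -> List[str]:
    """Return the reasons a path matches the CoinTicker artifact pattern (empty list if none)."""
    reasons = []
    if any(d in path for d in WATCHED_DIRS) and is_hidden(path):
        reasons.append("hidden file in a directory CoinTicker is known to use")
    # Apple's own agents live under /System/Library/LaunchAgents; a com.apple.* plist
    # in a user's ~/Library/LaunchAgents matches the com.apple.[random].plist persistence name.
    name = PurePosixPath(path).name
    if "Library/LaunchAgents" in path and not path.startswith("/System/") and name.startswith("com.apple."):
        reasons.append("com.apple.* launch agent in a user LaunchAgents directory")
    return reasons


def classify_launch_agent(path: str, plist_bytes: bytes) -> List[str]:
    """Combine the path checks with a look at what the agent actually executes."""
    reasons = classify_path(path)
    try:
        pl = plistlib.loads(plist_bytes)
    except Exception:
        return reasons + ["unparseable plist"]
    parts = ([pl["Program"]] if pl.get("Program") else []) + [str(a) for a in pl.get("ProgramArguments") or []]
    cmd = " ".join(parts)
    if re.search(r"/(?:private/)?tmp/\.", cmd):
        reasons.append("launch agent runs a hidden file from /private/tmp")
    if re.search(r"\b(?:python|bash|sh)\b", cmd) and "/tmp/" in cmd:
        reasons.append("launch agent runs an interpreter on a temp-directory script")
    return reasons


# Constructed sample plist modelled on the persistence described above (not a real capture).
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.apple.a1b2c3",
    "ProgramArguments": ["/usr/bin/python", "/private/tmp/.info.py"],
    "RunAtLoad": True,
})
```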

References