CoinTicker

CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[1]

ID: S0369
Type: MALWARE
Platforms: macOS
Contributors: Richie Cyrus, SpecterOps
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | CoinTicker executes a bash script to establish a reverse shell. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL. [1] |
| Enterprise | T1144 | Gatekeeper Bypass | CoinTicker downloads the EggShell mach-o binary using curl, which does not set the quarantine flag. [1] |
| Enterprise | T1158 | Hidden Files and Directories | CoinTicker downloads the following hidden files to evade detection and maintain persistence: /private/tmp/.info.enc, /private/tmp/.info.py, /private/tmp/.server.sh, ~/Library/LaunchAgents/.espl.plist, ~/Library/Containers/.[random string]/[random string]. [1] |
| Enterprise | T1159 | Launch Agent | CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | CoinTicker initially downloads a hidden encoded file. [1] |
| Enterprise | T1105 | Remote File Copy | CoinTicker executes a Python script to download its second stage. [1] |
| Enterprise | T1064 | Scripting | CoinTicker executes a bash script to establish a reverse shell and a Python script to download its second stage. [1] |
| Enterprise | T1065 | Uncommonly Used Port | CoinTicker establishes outbound connections for command and control on ports 2280 and 1339. [1] |
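A host-side hunt for the artifacts in the table above (the hidden staging files, the two launch agent names, and the two C2 ports), written as an added example that is not code from the ATT&CK page or the cited report. The sample paths and connection tuples are constructed, and collect_live_paths is a hypothetical helper for feeding a real macOS host into the same checks.

```python
import re
from pathlib import Path

# Artifact names and ports come from the Techniques Used table above.
TMP_ARTIFACTS = {"/private/tmp/.info.enc", "/private/tmp/.info.py", "/private/tmp/.server.sh"}
# .espl.plist or an Apple-lookalike com.apple.<random>.plist in a per-user LaunchAgents
# directory; Apple's own agents live under /System/Library, not in a user's home.
LAUNCH_AGENT_NAMES = re.compile(r"^(\.espl\.plist|com\.apple\.[^/]+\.plist)$")
C2_PORTS = {2280, 1339}

def find_tmp_artifacts(paths):
    """Return the CoinTicker staging files present in an iterable of path strings."""
    return sorted(set(paths) & TMP_ARTIFACTS)

def suspicious_launch_agents(paths):
    """Return non-system LaunchAgent plists whose names match CoinTicker's persistence."""
    return sorted(p for p in paths if "/Library/LaunchAgents/" in p
                  and not p.startswith("/System/") and LAUNCH_AGENT_NAMES.match(Path(p).name))

def suspicious_connections(conns):
    """conns: iterable of (process, remote_ip, remote_port) tuples; flag the C2 ports."""
    return [c for c in conns if c[2] in C2_PORTS]

def hunt(paths, conns):
    """Run all three checks; empty lists mean no indicator was found."""
    return {"tmp_artifacts": find_tmp_artifacts(paths),
            "launch_agents": suspicious_launch_agents(paths),
            "connections": suspicious_connections(conns)}

def collect_live_paths(home=None):
    """Hypothetical helper: list the two directories CoinTicker writes to on a live Mac."""
    home = home or Path.home()
    found = []
    for d in (Path("/private/tmp"), home / "Library" / "LaunchAgents"):
        if d.is_dir():
            found.extend(str(p) for p in d.iterdir())
    return found

# Constructed sample inventory so the example runs offline (addresses are RFC 5737 TEST-NET).
SAMPLE_PATHS = [
    "/private/tmp/.info.enc", "/private/tmp/.server.sh", "/private/tmp/mysql.sock",
    "/Users/alice/Library/LaunchAgents/.espl.plist",
    "/Users/alice/Library/LaunchAgents/com.apple.kQ8x.plist",
    "/Users/alice/Library/LaunchAgents/com.example.updater.plist",
]
SAMPLE_CONNS = [("python", "203.0.113.7", 2280), ("Safari", "203.0.113.9", 443)]

if __name__ == "__main__":
    print(hunt(SAMPLE_PATHS, SAMPLE_CONNS))
```

On a real host, pair collect_live_paths() with connection tuples from a tool such as lsof or netstat; a hit on the launch agent names alone is worth triage since no legitimate Apple agent is installed under ~/Library/LaunchAgents.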

References