CoinTicker

CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[1]

ID: S0369
Type: MALWARE
Platforms: macOS
Contributors: Richie Cyrus, SpecterOps
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

CoinTicker executes a bash script to establish a reverse shell.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL.[1]

Enterprise T1144 Gatekeeper Bypass

CoinTicker downloads the EggShell mach-o binary using curl, which does not set the quarantine flag.[1]

Enterprise T1158 Hidden Files and Directories

CoinTicker downloads the following hidden files to evade detection and maintain persistence: /private/tmp/.info.enc, /private/tmp/.info.py, /private/tmp/.server.sh, ~/Library/LaunchAgents/.espl.plist, ~/Library/Containers/.[random string]/[random string].[1]

Enterprise T1159 Launch Agent

CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.[1]

Enterprise T1027 Obfuscated Files or Information

CoinTicker initially downloads a hidden encoded file.[1]

Enterprise T1105 Remote File Copy

CoinTicker executes a Python script to download its second stage.[1]

Enterprise T1064 Scripting

CoinTicker executes a bash script to establish a reverse shell and a Python script to download its second stage.[1]

Enterprise T1065 Uncommonly Used Port

CoinTicker establishes outbound connections for command and control on ports 2280 and 1339.[1]

References