Malwarebytes forum user discovers cryptocurrency app that secretly installs malware on Macs.
An astute member of the Malwarebytes forum recently reported that CoinTicker, an application for monitoring cryptocurrency prices, silently installs malware on Mac computers.
A recent post from Malwarebytes by Thomas Reed, director of Mac & Mobile, explained how a forum contributor using the nickname 1vladimir reported that the CoinTicker app, once downloaded and opened, quietly installed two separate malicious components on the computer.
According to Reed, the program’s application page calls itself “the best crypto price app for Mac,” letting users check the prices of selected virtual currencies from the Mac menu bar. “A cryptocurrency price-monitoring app has been found installing two malicious scripts. Both are open-source projects: EvilOSX and EggShell.”
The website presents CoinTicker as a price tracker for a number of supported cryptocurrencies such as Bitcoin, Ethereum and Monero. Behind that apparently innocent purpose, Reed explains, the application downloads and installs components from two different open-source projects as soon as it launches.
Mac users are no strangers to cryptocurrency-related malware. In July of this year, users of that operating system who were discussing cryptocurrencies in Slack and Discord channels were targeted by attacks that got them to run malicious scripts on their Macs.
Reed explained how the components, EggShell and EvilOSX, are installed, and posted several screenshots on the blog showing how the malicious programs set themselves up on a computer.
Lawrence Abrams of Bleeping Computer said that the downloaded payloads are modified versions of EggShell and EvilOSX taken from a GitHub repository that has since gone offline. Abrams also noted that the EggShell and EvilOSX backdoors are configured to start automatically whenever the user logs in.
Reed observed that EggShell and EvilOSX are broad-purpose backdoors that can be put to many different uses. He admitted he cannot be sure what the malware’s creator had in mind, but wrote that it looks like an attempt to gain access to users’ wallets in order to steal their funds.
According to the post, Reed’s first thought was that CoinTicker might be a supply chain attack: a legitimate app whose website is hacked to distribute a malicious version.
A post on the Malwarebytes blog from May 2017 recounts the history of supply chain attacks on the Transmission torrent app, which was compromised first to install the KeRanger ransomware and then again to install the Keydnap backdoor. However, Reed also suspects that the CoinTicker application was never legitimate to begin with.
The point is that the app’s domain, coin-sticker.com, was registered in mid-July and does not even match the name of the current application.
Reed also emphasizes that the malware needs no permissions beyond those of a normal user, calling the case a “perfect demonstration that malware does not require privileges for a potential attack.”
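The two points above, that the backdoors start at every login and that they need nothing beyond ordinary user rights, have a practical consequence for triage: on macOS, unprivileged login persistence normally means a property list in the user’s own ~/Library/LaunchAgents folder with RunAtLoad set to true. The script below is an added example, not code from the article or from Malwarebytes, and it does not reproduce the CoinTicker components. It parses every .plist in a LaunchAgents-style directory with Python’s standard plistlib module and flags agents whose command line points at places an unprivileged user can write to (the home directory, hidden directories, temp locations) or that invoke an interpreter. The directory, file names, labels and paths in the demo are constructed for illustration.

```python
#!/usr/bin/env python3
"""Triage per-user LaunchAgents for unprivileged login persistence.

Added example (not from the article). A LaunchAgent needs no admin rights:
anything the logged-in user can write to ~/Library/LaunchAgents runs at the
next login. This script parses such plists and reports the ones whose command
line looks like a user-writable or interpreter-based payload.
"""
import plistlib
import tempfile
from pathlib import Path

# Locations an unprivileged user can write to (constructed, illustrative list).
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"python", "python3", "perl", "ruby", "bash", "sh", "zsh", "osascript"}


def suspicious_reasons(arg, home):
    """Return why one command-line argument looks like a user-level payload."""
    reasons = []
    if arg.startswith(home.rstrip("/") + "/"):
        reasons.append("executable inside home directory")
    if arg.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("executable in world-writable temp location")
    # Hidden directory or file anywhere below the root component.
    if any(part.startswith(".") for part in Path(arg).parts[1:]):
        reasons.append("hidden path component")
    if Path(arg).name in INTERPRETERS or arg.endswith((".py", ".sh", ".scpt")):
        reasons.append("interpreter or script payload")
    return reasons


def scan_launch_agents(agents_dir, home):
    """Parse every *.plist in agents_dir and describe what each agent launches."""
    findings = []
    for path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError, ValueError) as exc:
            findings.append({"file": path.name, "error": str(exc), "reasons": ["unparseable plist"]})
            continue
        # launchd accepts either Program (a string) or ProgramArguments (a list).
        args = plist.get("ProgramArguments")
        if not isinstance(args, list):
            args = [plist["Program"]] if isinstance(plist.get("Program"), str) else []
        reasons = set()
        for arg in args:
            if isinstance(arg, str):
                reasons.update(suspicious_reasons(arg, home))
        findings.append({
            "file": path.name,
            "label": plist.get("Label"),
            "run_at_load": bool(plist.get("RunAtLoad", False)),
            "args": args,
            "reasons": sorted(reasons),
        })
    return findings


def demo():
    """Build a constructed LaunchAgents folder with one benign and one suspicious agent."""
    home = "/Users/demo"  # constructed home directory
    with tempfile.TemporaryDirectory() as agents_dir:
        benign = {  # constructed: a vendor-style helper living under /Applications
            "Label": "com.example.helper",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
            "RunAtLoad": True,
        }
        suspicious = {  # constructed: an interpreter running a script from a hidden dir
            "Label": "com.example.updater",
            "ProgramArguments": ["/usr/bin/python", home + "/.config/updater/agent.py"],
            "RunAtLoad": True,
            "KeepAlive": True,
        }
        for name, plist in (("com.example.helper.plist", benign),
                            ("com.example.updater.plist", suspicious)):
            with open(Path(agents_dir) / name, "wb") as fh:
                plistlib.dump(plist, fh)
        return scan_launch_agents(agents_dir, home)


if __name__ == "__main__":
    for finding in demo():
        flag = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(f"{flag:10} {finding['file']}: {finding.get('args')} {finding['reasons']}")
```

To run it against a live system, point scan_launch_agents at os.path.expanduser("~/Library/LaunchAgents") with the real home path; the same logic also applies to /Library/LaunchAgents and /Library/LaunchDaemons, which do require admin rights to write and are therefore not where an unprivileged installer like the one described here would land.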
Disclaimer: InfoCoin is not affiliated with any of the companies mentioned in this article and is not responsible for their products and/or services. This article is for informational purposes only and does not constitute investment advice or an offer to invest.