When launched, however, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell. The app executes a shell command to download a custom-compiled version of the EggShell server for macOS.

Analysis of the malware doesn’t reveal exactly what it is up to – it essentially creates backdoors that can be exploited in a wide range of different ways – but the company thinks the goal isn’t hard to guess. Although it’s unknown exactly what goal the hacker behind this malware had in mind, both EggShell and EvilOSX are broad-spectrum backdoors that can be used for a variety of purposes. Since the malware is distributed through a cryptocurrency app, however, it seems likely that the malware is meant to gain access to users’ cryptocurrency wallets for the purpose of stealing coins.

At first, this looked like it could have been a supply chain attack, in which a legitimate app’s website is hacked to distribute a malicious version of the app. However, on further inspection, it looks like this app was probably never legitimate to begin with. First, the app is distributed via a domain named. This is close to, but not quite the same as, the name of the app. Getting the domain name wrong seems awfully sloppy if this were a legitimate app. Adding further suspicion, it seems that this domain was just registered a few months ago on July 13.

Malwarebytes says that CoinTicker serves as a warning that nasty things can be done without root privileges. One interesting note about this malware is that none of it requires anything other than normal user permissions. There is often an erroneous over-emphasis on malware’s need for root privileges, but this malware is a perfect demonstration that malware does not need such privileges to have high potential for danger.

As always, the advice remains to only install apps from sources you trust.