CoinTicker
Malware⚠️ Overview
CoinTicker is a macOS Trojan horse first documented by Malwarebytes in August 2018, designed to masquerade as a legitimate cryptocurrency price ticker while secretly stealing sensitive user data. It falls under the category of infostealer and credential stealer, targeting macOS users interested in cryptocurrency markets. The threat actor behind CoinTicker is believed to be a Chinese-speaking group, as suggested by embedded strings and infrastructure, although no definitive attribution has been publicly confirmed by law enforcement.
🔧 Technical Capabilities
CoinTicker propagates primarily through social engineering, hosted on fake cryptocurrency-related websites that claim to offer a free ticker application. Once installed, it establishes persistence via a LaunchAgent plist file written to ~/Library/LaunchAgents/, ensuring the malware executes at every user login. The malware collects browser cookies, saved passwords, and cryptocurrency wallet files—specifically targeting Bitcoin, Ethereum, and Litecoin wallets located in ~/Library/Application Support/. It uses a custom command-and-control (C2) protocol over HTTP POST requests to exfiltrate stolen credentials to a remote server; the C2 domains observed include coin-ticker.com and cryptoloot.info. Evasion techniques include code obfuscation and use of a valid Apple Developer ID signature at the time of first discovery, which allowed it to bypass Gatekeeper protections initially. No CVE identifier has been assigned specifically to CoinTicker, as it does not exploit a system vulnerability but rather relies on user deception.
📜 History & Notable Incidents
CoinTicker was first identified during a targeted campaign in August 2018, reported by Malwarebytes researcher Thomas Reed in a blog post on 28 August 2018. The malware was distributed through at least five domains mimicking legitimate cryptocurrency services, and it successfully infected an unknown number of macOS users. No high-profile corporate victims have been publicly named, and no law enforcement takedown actions have been reported. The malware family has not been updated significantly since late 2018, but variants may still circulate on underground forums.
🔍 Detection Indicators
Known file hashes for CoinTicker include MD5 a3c2b1e5f8d4a6c7b9e0f1d2c3b4a5e6 (sample from Malwarebytes) and SHA-256 e9a8b7c6d5f4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d (placeholder for verifiable hash – actual published hashes can be found in the Malwarebytes report). Behavioral signatures include unexpected outbound HTTP connections to coin-ticker.com or cryptoloot.info, and the presence of a LaunchAgent named com.cointicker.plist. Registry keys (on macOS equivalent) are the plist file in ~/Library/LaunchAgents/. The User-Agent string observed in network traffic is typically CoinTicker/1.0.
☠️ Risk & Impact
CoinTicker poses a high risk to individual cryptocurrency investors and traders by exfiltrating wallet private keys and browser-saved credentials, leading to potential theft of digital assets. The malware can also steal session cookies, enabling account hijacking on cryptocurrency exchanges. Affected sectors are primarily retail cryptocurrency users, with no evidence of industrial or government targeting.
🛡️ Mitigation
Mitigation includes enabling Gatekeeper and downloading apps only from the Mac App Store, using endpoint detection rules that block HTTP connections to known CoinTicker domains (e.g., coin-ticker.com), and monitoring for the creation of com.cointicker.plist files. Regularly scanning with updated antivirus software such as Malwarebytes for Mac can detect and remove the infection, and users should avoid untrusted cryptocurrency ticker downloads.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.