CoinTicker
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | CoinTicker executes a bash script to establish a reverse shell.(Citation: CoinTicker 2019) |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | CoinTicker executes a bash script to establish a reverse shell.(Citation: CoinTicker 2019) |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | CoinTicker executes a Python script to download its second stage.(Citation: CoinTicker 2019) |
| Enterprise | T1543.001 | Create or Modify System Process: Launch Agent | CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.(Citation: CoinTicker 2019) |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | CoinTicker downloads the following hidden files to evade detection and maintain persistence: /private/tmp/.info.enc, /private/tmp/.info.py, /private/tmp/.server.sh, ~/Library/LaunchAgents/.espl.plist, ~/Library/Containers/.[random string]/[random string].(Citation: CoinTicker 2019) |
| Enterprise | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | CoinTicker downloads the EggShell mach-o binary using curl, which does not set the quarantine flag.(Citation: CoinTicker 2019) |
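The Launch Agent and Hidden Files rows above describe two traits a defender can check for directly: a launch agent plist whose file name starts with a dot, and a launch target that lives under /private/tmp or a hidden directory. The following is an added example, not part of the ATT&CK page or of any CoinTicker analysis: it parses each plist in a LaunchAgents directory with the standard library's plistlib and reports those traits. The function names, the SUSPICIOUS_DIRS list and the sample plists are constructed for the example; the sample ".espl.plist" entry is modelled on the file name and the /private/tmp/.server.sh path the page lists, while the "com.apple.espl" label is invented so the script runs offline on any platform.

```python
"""Added detection example (not from the ATT&CK page): scan a macOS
LaunchAgents directory for the persistence traits the CoinTicker rows
describe, a hidden plist name and a program path in a temp or hidden
location. Uses only the standard library and a constructed sample directory."""
import os
import plistlib
import tempfile

# Directories a launch agent has no business executing from (assumption
# drawn from the page's paths: /private/tmp/.server.sh and
# ~/Library/Containers/.[random string]/).
SUSPICIOUS_DIRS = ("/private/tmp/", "/tmp/", "/Library/Containers/.")


def _is_hidden(path: str) -> bool:
    """True if any path component is a dotfile or dot-directory."""
    return any(part.startswith(".") for part in path.split("/") if part)


def inspect_launch_agent(plist_path: str) -> list:
    """Return a list of finding strings for one plist (empty if nothing odd)."""
    findings = []
    if os.path.basename(plist_path).startswith("."):
        findings.append("hidden plist name")
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception as exc:  # malformed plist is itself worth reporting
        return findings + [f"unparseable plist: {exc}"]
    # ProgramArguments is the usual launch target; Program is the other form.
    args = list(data.get("ProgramArguments") or [])
    if data.get("Program"):
        args.insert(0, data["Program"])
    for arg in args:
        if not isinstance(arg, str):
            continue
        if _is_hidden(arg):
            findings.append(f"hidden program path: {arg}")
        if any(d in arg for d in SUSPICIOUS_DIRS):
            findings.append(f"program in temp/container path: {arg}")
    if data.get("RunAtLoad") and findings:
        findings.append("RunAtLoad set")
    return findings


def scan_launch_agents(directory: str) -> dict:
    """Map each flagged plist file name to its findings (benign files omitted)."""
    results = {}
    for entry in sorted(os.listdir(directory)):  # os.listdir includes dotfiles
        if not entry.endswith(".plist"):
            continue
        found = inspect_launch_agent(os.path.join(directory, entry))
        if found:
            results[entry] = found
    return results


def build_sample_dir() -> str:
    """Constructed sample: one benign agent and one modelled on the page's .espl.plist."""
    d = tempfile.mkdtemp()
    benign = {"Label": "com.example.updater",  # constructed, not from the page
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
              "RunAtLoad": True}
    with open(os.path.join(d, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(benign, fh)
    suspicious = {"Label": "com.apple.espl",  # constructed label, not from the page
                  "ProgramArguments": ["/bin/sh", "/private/tmp/.server.sh"],
                  "RunAtLoad": True}
    with open(os.path.join(d, ".espl.plist"), "wb") as fh:
        plistlib.dump(suspicious, fh)
    return d


if __name__ == "__main__":
    for fname, found in scan_launch_agents(build_sample_dir()).items():
        print(fname, "->", "; ".join(found))
```

On a real Mac, point scan_launch_agents at os.path.expanduser("~/Library/LaunchAgents") and /Library/LaunchAgents instead of the sample directory. For the Gatekeeper Bypass row, the complementary check is whether a downloaded Mach-O carries the com.apple.quarantine extended attribute (`xattr -l <file>` on macOS); a binary fetched with curl, as the page notes, will not have it, so its absence on a recently downloaded executable is the signal.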