OSX.EvilEgg

Short bio

OSX.EvilEgg is Malwarebytes’ detection name for a macOS app named CoinTicker that installs two different backdoors.

Symptoms

The CoinTicker app, on the surface, appears to be a legitimate application that could potentially be
useful to someone who has invested in cryptocurrencies. The app puts an icon in the menu bar that gives
information about the current price of Bitcoin.

OSX.EvilEgg menu

Type and source of infection

When OSX.EvilEgg is launched, the app will download and install components of two different open-source backdoors: EvilOSX and EggShell.

Aftermath

It seems likely that OSX.EvilEgg is meant to be used to gain access to users’ cryptocurrency wallets, for the purpose of stealing coins.

Protection

Malwarebytes for Mac detects and removes OSX.EvilEgg.

Traces/IOCs

Folder: .UpQZdhkKfCdSYxg

Python script: plQqVfeJvGo

User launch agent: com.apple.EOFHXpQvqhr.plist

Network connections:
94.156.189.77:2280
185.206.144.226:1339
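A defender’s host check for the traces listed above, added here as an example (it is not Malwarebytes tooling). It assumes the launch agent sits in the standard per-user ~/Library/LaunchAgents folder and matches the hidden folder and Python script by name only, since the page gives only their names; the connection-table parsing accepts both lsof-style (ip:port) and netstat-style (ip.port) lines.

```python
"""Check a macOS user profile for the OSX.EvilEgg traces (added example)."""
import os
import re
from pathlib import Path

# Indicators taken from the Traces/IOCs section above.
IOC_FOLDER = ".UpQZdhkKfCdSYxg"
IOC_SCRIPT = "plQqVfeJvGo"
IOC_LAUNCH_AGENT = "com.apple.EOFHXpQvqhr.plist"
IOC_ENDPOINTS = {("94.156.189.77", 2280), ("185.206.144.226", 1339)}

# Matches "a.b.c.d:port" (lsof -i -n -P) and "a.b.c.d.port" (netstat -an).
_ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})[:.](\d{1,5})")


def find_file_traces(home):
    """Return paths under `home` that match the on-disk indicators.

    The launch agent is looked up at the standard ~/Library/LaunchAgents
    location (assumption); the hidden folder and the Python script are
    matched by name anywhere below `home`, because the page gives names only.
    """
    home = Path(home)
    hits = set()
    agent = home / "Library" / "LaunchAgents" / IOC_LAUNCH_AGENT
    if agent.exists():
        hits.add(str(agent))
    for root, dirs, files in os.walk(home):
        for name in dirs:
            if name == IOC_FOLDER:
                hits.add(str(Path(root) / name))
        for name in files:
            if name == IOC_SCRIPT:
                hits.add(str(Path(root) / name))
    return sorted(hits)


def find_network_traces(lines):
    """Return the known C2 endpoints seen in connection-table output lines."""
    found = set()
    for line in lines:
        for ip, port in _ENDPOINT_RE.findall(line):
            if (ip, int(port)) in IOC_ENDPOINTS:
                found.add((ip, int(port)))
    return sorted(found)


if __name__ == "__main__":
    for hit in find_file_traces(Path.home()):
        print("file trace:", hit)
```

Pipe `lsof -i -n -P` or `netstat -an` output into `find_network_traces` to check the two listed endpoints on a live host.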
