OSX.EvilEgg
Short bio
OSX.EvilEgg is Malwarebytes' detection name for a macOS app named CoinTicker that installs two different backdoors.
Symptoms
The CoinTicker app, on the surface, appears to be a legitimate application that could potentially be useful to someone who has invested in cryptocurrencies. The app puts an icon in the menu bar that gives information about the current price of Bitcoin.
Type and source of infection
When OSX.EvilEgg is launched, the app will download and install components of two different open-source backdoors: EvilOSX and EggShell.
Aftermath
It seems likely that OSX.EvilEgg is meant to be used to gain access to users' cryptocurrency wallets, for the purpose of stealing coins.
Protection
Malwarebytes for Mac detects and removes OSX.EvilEgg.
Traces/IOCs
Folder: .UpQZdhkKfCdSYxg
Python script: plQqVfeJvGo
User launch agent: com.apple.EOFHXpQvqhr.plist
Network connections: 94.156.189.77:2280, 185.206.144.226:1339
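As an added triage aid (not Malwarebytes' code, and not part of the original page), the following POSIX shell script checks a user's home directory for the traces listed above and scans netstat- or lsof-style output for connections to the listed endpoints. It assumes the standard macOS layout (the hidden folder directly under the home directory, the launch agent under ~/Library/LaunchAgents).

```shell
#!/bin/sh
# Added triage helper for the OSX.EvilEgg traces above (not Malwarebytes' code).
# Indicators are taken verbatim from the Traces/IOCs list.
EVILEGG_FOLDER=".UpQZdhkKfCdSYxg"
EVILEGG_SCRIPT="plQqVfeJvGo"
EVILEGG_AGENT="com.apple.EOFHXpQvqhr.plist"
EVILEGG_C2="94.156.189.77:2280 185.206.144.226:1339"

# Check one home directory for the file-system traces.
# Prints each trace found; returns 0 when clean, 1 when anything was found.
evilegg_check_home() {
  home="$1"
  found=0
  if [ -d "$home/$EVILEGG_FOLDER" ]; then
    echo "FOUND folder: $home/$EVILEGG_FOLDER"
    found=1
  fi
  if [ -f "$home/$EVILEGG_FOLDER/$EVILEGG_SCRIPT" ]; then
    echo "FOUND python script: $home/$EVILEGG_FOLDER/$EVILEGG_SCRIPT"
    found=1
  fi
  agent="$home/Library/LaunchAgents/$EVILEGG_AGENT"
  if [ -f "$agent" ]; then
    echo "FOUND launch agent: $agent"
    # Show what the agent launches so persistence can be confirmed before removal.
    grep -A1 'ProgramArguments' "$agent" 2>/dev/null | sed 's/^/    /'
    found=1
  fi
  return $found
}

# Read connection lines on stdin (e.g. "netstat -an" or "lsof -nP -iTCP" output)
# and report lines that reach the listed endpoints. macOS netstat writes the port
# after a dot (94.156.189.77.2280) while lsof uses a colon, so both are matched.
# Returns 0 when nothing matched, 1 when at least one line did.
evilegg_check_net() {
  hits=0
  while IFS= read -r line; do
    for c2 in $EVILEGG_C2; do
      pat=$(printf '%s' "$c2" | sed 's/:/[.:]/')
      case "$line" in
        *$pat*) echo "FOUND C2 connection: $line"; hits=1 ;;
      esac
    done
  done
  return $hits
}
# Usage: evilegg_check_home "$HOME"; lsof -nP -iTCP | evilegg_check_net
```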