
EvilEgg

Posted: April 14, 2020

EvilEgg is a backdoor Trojan, as well as a cryptocurrency-tracking application named CoinTicker, which installs it without consent. Unlike most backdoor Trojans, both versions of EvilEgg run in the macOS operating system and may bypass built-in security features like XProtect. Users should avoid downloading applications from untrustworthy sources and have their anti-malware services remove EvilEgg, followed by changing any at-risk passwords.

Watching Money but Overlooking Your Safety

Social engineering is, for many attackers, the most sensitive and intricately-crafted element of any hacking campaign. While most readers should be aware of the threatening 'invoices' and 'resumes' that plague businesses and government e-mail accounts, some attacks are more involved than a fake document. In EvilEgg's case, it's an entire, semi-fake application.

The EvilEgg macOS 'application' uses the name CoinTicker and provides real-time tracking of cryptocurrency prices, particularly Bitcoin. While it's more or less functional, it also carries hidden functionality that produces no symptoms a user would notice. It downloads two other programs, both of which grant attackers remote control over the system: the EvilEgg backdoor Trojan, and the EvilOSX RAT.

This redundancy of payload helps attackers cement long-term control over the infected machine while they collect valuable information. EvilOSX pays particular attention to iCloud credentials and Chrome passwords, but the aim of the EvilEgg campaign is more likely to collect logins for cryptocurrency wallets and the associated coins. Both Trojans use LaunchAgents for persistence across reboots, and in at least one case, privilege escalation towards gaining root access – just like a highly-invasive rootkit.
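Because both payloads persist through LaunchAgents, a defender's first check on a suspect Mac is the contents of `~/Library/LaunchAgents` and `/Library/LaunchAgents`. The script below is an added example written for this page, not code from the EvilEgg or CoinTicker authors or from any vendor: it parses LaunchAgent plists with Python's standard `plistlib` and scores each one on the traits that typically separate a dropped agent from a legitimately installed one (auto-start, keep-alive, a program outside system or application directories, an interpreter as the program, and references to temp or hidden paths). The scoring weights, the allow-listed directories, the threshold and the three embedded plists are all constructed for illustration and are not real EvilEgg indicators.

```python
"""Audit macOS LaunchAgent plists for persistence traits (constructed example)."""
import plistlib
import re
from typing import Dict, List

# Directories a legitimately installed agent usually runs from (assumption, not from the page).
TRUSTED_PREFIXES = (
    "/System/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
    "/usr/libexec/", "/Applications/", "/Library/Apple/",
)
# Temp directories and hidden directories directly under a user's home.
SUSPICIOUS_PATH_RE = re.compile(r"^(/tmp/|/var/tmp/|/private/tmp/|/Users/[^/]+/\.)")
# An agent whose program is a bare interpreter is running a script, not a signed bundle.
SCRIPT_INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript"}
FLAG_THRESHOLD = 4  # constructed cut-off; tune against your own fleet's baseline


def audit_launch_agent(label: str, plist_bytes: bytes) -> Dict[str, object]:
    """Parse one LaunchAgent plist and return a score, a verdict and the reasons behind it."""
    data = plistlib.loads(plist_bytes)
    args: List[str] = list(data.get("ProgramArguments") or [])
    if not args and "Program" in data:
        args = [data["Program"]]
    if not args:
        return {"label": label, "score": 0, "flagged": False, "reasons": ["nothing to execute"]}

    program = args[0]
    score = 0
    reasons: List[str] = []
    if data.get("RunAtLoad"):
        score += 1
        reasons.append("RunAtLoad: starts at every login")
    if data.get("KeepAlive"):
        score += 1
        reasons.append("KeepAlive: relaunched if the process exits")
    if not program.startswith(TRUSTED_PREFIXES):
        score += 2
        reasons.append(f"program outside trusted directories: {program}")
    if program.rsplit("/", 1)[-1] in SCRIPT_INTERPRETERS:
        score += 2
        reasons.append(f"program is a script interpreter: {program}")
    if any(SUSPICIOUS_PATH_RE.match(a) for a in args):
        score += 3
        reasons.append("argument references a temp or hidden home path")
    if any(a.rsplit("/", 1)[-1].startswith(".") for a in args if "/" in a):
        score += 2
        reasons.append("argument references a dot-file")
    return {"label": label, "score": score, "flagged": score >= FLAG_THRESHOLD, "reasons": reasons}


def audit_all(agents: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Audit a mapping of label -> raw plist bytes (what you would read from the LaunchAgents dirs)."""
    return {label: audit_launch_agent(label, raw) for label, raw in agents.items()}


def flagged_labels(agents: Dict[str, bytes]) -> List[str]:
    """Return only the labels that cross the threshold, sorted for stable reporting."""
    return sorted(label for label, result in audit_all(agents).items() if result["flagged"])


# Three constructed plists: one benign vendor helper, two in the style of a dropped agent.
SAMPLE_AGENTS: Dict[str, bytes] = {
    "com.example.helper": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.constructed.ct-agent": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.constructed.ct-agent</string>
  <key>ProgramArguments</key><array><string>/Users/alice/.cache/.ct/agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "com.constructed.ct-sync": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.constructed.ct-sync</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python3</string>
    <string>/Users/alice/Library/Application Support/CoinTicker/.sync.py</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    for label, result in audit_all(SAMPLE_AGENTS).items():
        verdict = "FLAG" if result["flagged"] else "ok  "
        print(f"{verdict} {label} score={result['score']}")
        for reason in result["reasons"]:
            print(f"      - {reason}")
```

On a real system you would feed `audit_all` the files under the two LaunchAgents directories (and `/Library/LaunchDaemons` for the root-level persistence the page mentions), then verify anything flagged with `codesign -dv` and `launchctl list`. The score is a triage aid, not a verdict: a hidden path or an interpreter alone can be legitimate, which is why the example needs several traits to co-occur before flagging.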

Smashing a Rotten Egg of Software

Some lucky victims may avoid EvilEgg's final-stage payloads by accident. There are versions of the EvilEgg application that use no-longer-active download URLs for free hosts like GitHub. In these cases, while the CoinTicker portion of EvilEgg still attempts the download, it can't retrieve the files and install the backdoor Trojan or the Remote Access Trojan.

Still, no user should depend on such a minor glitch for their safety. Disabling network connections and changing passwords should be top-priority actions after dealing with the infection. Users on macOS can curate their downloads for safety by using the official App Store rather than random websites. The Trojan-downloading CoinTicker application has no relationship to Zijun Huang's 'Coin Ticker' on that storefront.

An updated and reputable anti-malware product that runs in macOS should flag this threatening application and remove EvilEgg, EvilEgg's Trojan, and EvilOSX by default for your protection. Users unsure of the safety of any downloads should consider scanning them before launching, and avoid depending on built-in safety features with well-known workarounds.

Just as money makes the world turn, it empowers Trojan campaigns in multiple ways. While EvilEgg uses cryptocurrency as its lure for finding victims, it could, in minutes, collect those coins, too – if security software doesn't stop it first.
