EvilEgg

EvilEgg is malware designed to target Mac computers. This threat is being propagated as a utility called 'CoinTicker.' The CoinTicker tool is meant to provide users with a toolbar that shows them the exchange rates of regular currencies and cryptocurrencies. Users who have installed the CoinTicker utility may not notice anything wrong with their systems because the tool appears to work as intended. What may be hidden, however, is the EvilEgg malware operating silently in the background. If you deal with cryptocurrencies, make sure your computer is well protected, because cyber crooks will not hesitate to collect transactions or wallets, which may end up causing you significant financial losses.

The EvilEgg threat is a Trojan downloader that has the capability to remain under the radar of its target because the application that comes alongside it, CoinTicker, will operate as intended and keep the user busy, while the malware is carrying out its threatening activities in the background. Malware experts advise users against installing the CoinTicker application as it may be used to propagate the EvilEgg malware. Make sure your Mac is protected by a reputable anti-malware application that will be able to sniff out any shady or potentially unsafe software that may be present on your computer, even if you do not manage to spot it yourself.

What makes EvilEgg stand out is that it infects macOS and bypasses built-in security features such as XProtect. Mac users gain just as much as Windows users by installing robust third-party antivirus software. Make sure to avoid downloading and installing applications from untrusted sources for some added protection.

Tracking Coins and Installing Trojans

Social engineering is at the heart and soul of any malware campaign. Attackers will put all of their efforts into this stage of the attack, as they need to trick people into downloading and accessing their malware. Most users know to watch for spam emails, bogus invoices, and the like; EvilEgg takes things one step further. Rather than hiding behind an unsolicited email, EvilEgg hides inside an intricate semi-fake application.

[Image: CoinTracker interface]

The EvilEgg application is hidden inside the CoinTicker app that, for what it’s worth, does indeed offer real-time tracking of cryptocurrencies such as Bitcoin. While CoinTicker does this, however, it also has other hidden features. These features can be activated silently without the user being aware. Hidden inside this little application are the EvilEgg backdoor trojan virus and the EvilOSX remote access tool (RAT).

The redundant nature of the payload delivery helps to cement a long-term presence and control over an infected device. Attackers have more time with the device to collect sensitive information. While EvilOSX looks for login credentials from Chrome and iCloud, EvilEgg looks to collect information about cryptocurrency wallets and coins. Both viruses are known to achieve persistence on infected computers through LaunchAgents. This persistence means that the viruses stay on the computer during reboots and can stay on computers if not removed properly. There has also been at least one case where the viruses moved towards gaining root access of the infected device, similar to a rootkit. The deeper the infection goes and the more permissions the virus gets, the worse the damage it can do.
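
As an added example (not code from the original article or from any vendor), the following Python sketch audits LaunchAgent definitions, the persistence location named above, and lists the ones that deserve manual review. The heuristics, the directory list and the sample jobs are assumptions made for illustration, not indicators taken from this page.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Review heuristics chosen for this example (assumptions, not indicators from the article).
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "osascript", "curl"}
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/")

def review(job):
    """Return the reasons a launchd job definition deserves manual review."""
    argv = [str(a) for a in (job.get("ProgramArguments") or [job.get("Program") or ""])]
    if not argv[0]:
        return ["no Program or ProgramArguments"]
    reasons = []
    exe = PurePosixPath(argv[0]).name
    if exe in INTERPRETERS and len(argv) > 1:
        reasons.append(f"runs interpreter '{exe}' with arguments")
    paths = [a for a in argv if a.startswith(("/", "~"))]
    if any(p.startswith(".") for a in paths for p in PurePosixPath(a).parts):
        reasons.append("references a hidden file or directory")
    if any(a.startswith(WRITABLE_PREFIXES) for a in paths):
        reasons.append("runs from a world-writable location")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts or restarts automatically (RunAtLoad/KeepAlive)")
    return reasons

def scan(directories):
    """Map each suspicious or unreadable plist path to its review reasons."""
    findings = {}
    for directory in directories:
        for plist in sorted(Path(directory).glob("*.plist")):
            try:
                with plist.open("rb") as fh:
                    job = plistlib.load(fh)
                reasons = review(job) if isinstance(job, dict) else ["root is not a dict"]
            except Exception as exc:  # malformed XML or binary plist
                reasons = [f"unreadable plist: {type(exc).__name__}"]
            if reasons:
                findings[str(plist)] = reasons
    return findings

# Constructed sample jobs (not taken from any real sample).
SAMPLE_BENIGN = {"Label": "com.example.updater", "ProgramArguments": ["/opt/example/updater"]}
SAMPLE_SUSPECT = {"Label": "com.example.helper", "RunAtLoad": True,
                  "ProgramArguments": ["/bin/sh", "-c", "~/.cache_helper/run"]}

if __name__ == "__main__":
    dirs = [Path.home() / "Library/LaunchAgents", "/Library/LaunchAgents"]
    for path, why in scan(dirs).items():
        print(path, "->", "; ".join(why))
```

A flagged entry is a prompt for inspection, not a verdict: legitimate software also uses LaunchAgents, so check what the referenced program is before removing anything.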

How to Deal With EvilEgg

Some users have been lucky enough to avoid infections by EvilEgg by accident. There are some versions of EvilEgg that use links to GitHub that are no longer active. To put it simply, they are unable to retrieve the files needed to install the trojan. CoinTicker will launch the download operation and attempt to download the necessary files, but it won’t be able to. CoinTicker can’t install EvilEgg without those files. So, the target computer can’t get infected.

With that said, users shouldn’t rely on a glitch in the system to stay safe and protect their computers. If you get infected by the virus, then your first action should be to disable your network connections and change all your passwords as soon as possible. Mac users can improve the security of their computers by only downloading and accessing apps from the official App Store, instead of using third-party sites. Please note that the malicious CoinTicker is in no way connected to the legitimate Coin Ticker on the App Store, which was developed by Zijun Huang. That app tracks cryptocurrency without installing viruses and malware on your computer. Many other legitimate apps do this for you.

Be sure to use and update a robust antivirus program for your Mac. The idea that Macs are immune to viruses is a complete fabrication. A good antivirus program should be more than capable of finding and removing EvilEgg and EvilOSX. If you download a file and aren’t sure how safe it is, have your antivirus program scan it before you run it. That way, you can tell for sure if it is a trusted file or not.

Much like money makes the world go round, it also makes malware go around. Ransomware is motivated by money, and now we have viruses using cryptocurrency to find and infect targets. EvilEgg might not be demanding ransoms, but it could still be making money by stealing cryptocurrency and login credentials. Take the time to protect your computer against threats.
