A Trojan pretending to be a macOS cryptocurrency ticker called CoinTicker is installing backdoors on the macs of unsuspecting users.
When installed, the CoinTicker application allow users to select various cryptocurrencies whose prices they would like to monitor. It will then add a small informational widget to the macOS menu bar as shown below that updates the prices as they change.
In the background, though, the application is secretly downloading two backdoors onto the infected mac that allows an attacker to take remote control of the computer.
First spotted by a Malwarebyte's forum member named 1vladimir, when executed the Trojan will connect to a remote host and download numerous python and shell scripts that when executed will download and install two backdoors on to the infected computer.
"When launched, however, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell." stated Malwarebyte's Director of Mac & Mobile Thomas Reed in a blog post.
First it will download the EggShell backdoor using the following command.
After it has finished, Reed has stated that it will create a launch agent that automatically starts the EggShell backdoor when a user logs into the mac.
It will then download the EvilOSX backdoor using an obfuscated script, which is partially cleaned up below. When performing the download, it will send various configuration options that will automatically be added to the downloaded backdoor.
It too will have a launch agent created so the EvilOSX backdoor starts automatically.
It is not known if the Coin Ticker app was designed purely for malicious purposes or has been compromised by attackers. The web site, though, does not have any contact information and just contains a download button, which leads me to believe it is a shell made purely for the distribution of the Trojan.