Thomas Reed, of Malwarebytes, has just reported new malware which affects macOS: an app currently going under the name of CoinTicker, which has a valid developer signature.
It poses as a legitimate app for those who trade in cryptocurrencies such as Bitcoin. In addition to displaying information about cryptocurrency markets, it downloads and installs two items of malware: EvilOSX and EggShell. These connect to remote servers, and it's not yet clear what they aim to do.
Telltale indicators of their presence include two files installed in your ~/Library/LaunchAgents folder: .espl.plist, which will normally be invisible, and com.apple.[random string].plist. As far as I am aware, no property list in that folder should ever have a name which starts with com.apple., and that should always make you suspect the presence of malware.
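The following shell function checks a LaunchAgents folder for the two name patterns described above (a hidden dotfile plist, and any plist whose name starts with com.apple.). It is an added example, not code from the original post or from Malwarebytes; it assumes ~/Library/LaunchAgents as the default folder and takes another path as an optional argument so it can be tried against a constructed test directory.

```shell
#!/bin/sh
# Added example (not from the original post): flag LaunchAgent property lists
# matching the indicators above: a hidden plist such as .espl.plist, or a plist
# named com.apple.<something> in a user's own LaunchAgents folder.
# Assumption: the folder to scan defaults to ~/Library/LaunchAgents.

scan_launch_agents() {
    dir="${1:-$HOME/Library/LaunchAgents}"
    [ -d "$dir" ] || return 0
    # A plain *.plist glob skips dotfiles, so the hidden pattern is listed explicitly.
    for f in "$dir"/.*.plist "$dir"/*.plist; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            .*)          echo "hidden-plist $name" ;;
            com.apple.*) echo "apple-prefixed-plist $name" ;;
        esac
    done
}

# Number of suspicious entries found; 0 means neither indicator was present.
count_suspicious() {
    scan_launch_agents "$1" | wc -l | tr -d ' '
}
```

A hit is a reason to inspect the plist's ProgramArguments and the binary it launches, not proof of infection by itself.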
Full details of this are in Thomas Reed’s article on the Malwarebytes Labs website. Needless to say, Malwarebytes already detects this and its component OSX.EvilEgg.
The developer certificate used for this is owned by Andrej Sevostopol, with an ID of 49LJX6DH22. I would expect Apple to revoke that certificate very shortly, and to add this to existing malware protection.
Thanks to Thomas Reed for additional information, as well as his original report.