New Mac OS X backdoor disguised as document converter app

Bitdefender researchers have discovered and analyzed a new, highly dangerous piece of malware targeting Mac systems and users.

The malware, dubbed “Eleanor,” opens a backdoor on the infected system, and allows its master to access it and do almost whatever he wants with it – including taking pictures of the user.

Users get infected after they download and run an app called EasyDoc Converter, which supposedly converts documents, but actually has no functionality of that kind.

Instead, its goal is to execute a script that will check if the system has Little Snitch installed, if it has already been infected with this particular malware, and if the answer to those to questions is no, it will install a Tor hidden service, a PHP Web Service (i.e. a local web server), and a Pastebin agent, and will register them to system startup.

The Tor hidden service is installed to allow the attacker access to the PHP Web Service via a Tor-generated address. Through the Web Service, the attacker can send instructions to the compromised system via a password-protected control panel (click on the screenshot to enlarge it):

Eleanor Mac OS X backdoor control panel

The attacker can manage, download and upload files on the system, execute commands and scripts in a variety of languages, probe firewall rules, connect and administer databases, send emails, take pictures and record videos with the built-in webcam (by using wacaw), and more.

The Pastebin agent uploads the unique Tor address of the compromised computer on Pastebin.com, but it encrypts it first. This way only the malware’s master can get it and use it to connect to the computer.

The researchers don’t tell what the malware master uses the infected machines for, but he could do any number of things: steal the users’ personal and financial data, send out spam or phishing emails, blackmail the user (especially if the malware takes incriminating photos or videos), use it as a place to stash his own files, etc.

“The app is not signed with a certificate issued to an Apple developer ID,” Malwarebytes Thomas Reed pointed out. “This is fortunate, in a way, as this makes it more difficult to open. (By default, Mac OS X will not open unsigned apps.) However, it’s also unfortunate, because a determined user will be able to open it anyway, and because there’s no certificate involved, Apple cannot kill the app by revoking the certificate.”

Users can protect themselves against these dangers by being careful what they download and from where, but also by using security solutions that would detect this kind of threats.




Share this