New Mac Malware Found: Beware of Backdoor.MAC.Eleanor

Andrew Orr In the News

Bitdefender recently discovered a new type of malware that has been infecting Macs. Called Backdoor.MAC.Eleanor, it can take complete control of your system by installing a backdoor. Once it compromises your Mac, a hacker could steal your files, control your webcam and execute code capable of inflicting more damage.

Backdoor

In computing terminology, a backdoor is classified as “a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected.” It can either be an installed program, a program that has been modified, or even a piece of hardware.

There are two types of backdoors: symmetric and asymmetric. Symmetric backdoors work both ways: anyone who finds the backdoor can use it themselves. An asymmetric backdoor is like a one-way street: only the creator of the vulnerability or the attacker can use it. The idea of an asymmetric backdoor was first theorized by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology: Crypto ’96.

How Backdoor.MAC.Eleanor Works

This particular piece of malware comes in the form of a seemingly benign app called EasyDoc Converter. On the surface, the app does not do anything. Underneath, however, it runs a script that installs a hidden Tor service on your Mac. The Tor service lets hackers access and control your computer remotely.

The script creates a web service that gives the hackers even more abilities. Using the web service the attacker can manipulate your files, access a list of running processes on your Mac and send emails with attachments. Additionally, the malware uses a tool called “wacaw” which lets the attacker use your webcam to take photos and videos.

Bitdefender warns that a hacker using this malware could “lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices.”

In a PDF, the security company gives plenty more details. The fake application EasyDoc Converter was created using Platypus, a tool for packaging shell, Perl, Python or Ruby scripts as native Mac apps. When launched, the app executes the script EasyDoc Converter.app/Resources/script. First, the script checks for Little Snitch, an advanced firewall for Macs.

Then the script checks for a previous infection by verifying the existence of the /Users/$USER/Library/.dropbox directory. It installs the following components and makes sure they become automatically available each time the system boots.

  1. Tor Hidden Service: ~/Library/LaunchAgents/com.getdropbox.dropbox.integritycheck.plist
  2. Web Service (PHP): ~/Library/LaunchAgents/com.getdropbox.dropbox.usercontent.plist
  3. PasteBin Agent: ~/Library/LaunchAgents/com.getdropbox.dropbox.timegrabber.plist

How To Find Out If Your Mac Is Infected

Luckily, a couple of security software programs have already updated their databases to detect Backdoor.MAC.Eleanor. Malwarebytes and Sophos Home are two of the first security apps to detect it. Since modern Macs have a security precaution called Gatekeeper, by default your Mac cannot install apps from outside the Mac App Store. If your Gatekeeper is set to allow apps from either the App Store only or the App Store and identified developers, then you do not have this malware. You can check your Gatekeeper settings by going to System Preferences > Security & Privacy > General.

If you have installed EasyDoc Converter, run a scan using Malwarebytes or Sophos Home. If you have installed applications from unidentified developers or from outside of the App Store, we still recommend you run a scan. It is unknown how many other antivirus vendors have updated their software, but we expect the most popular ones have.
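As an added example (not from the article or from Bitdefender's report), the shell function below checks a home directory for the on-disk indicators the article lists: the ~/Library/.dropbox infection marker, the three LaunchAgents plists named after Dropbox components, and the EasyDoc Converter app. It also prints Gatekeeper status where spctl exists. The home-directory argument and the two Applications paths searched for the dropper are assumptions.

```shell
#!/bin/sh
# Example checker for the Backdoor.MAC.Eleanor indicators named in the article.
# Usage: check_eleanor_indicators [HOME_DIR]   (defaults to $HOME)
# Returns 0 when no indicator is present, 1 when at least one is found.
check_eleanor_indicators() {
    home="${1:-$HOME}"
    found=0

    # Marker directory the dropper script uses to detect a previous infection
    if [ -d "$home/Library/.dropbox" ]; then
        echo "FOUND: $home/Library/.dropbox (infection marker directory)"
        found=1
    fi

    # Persistence: the three LaunchAgents disguised as Dropbox components
    for label in integritycheck usercontent timegrabber; do
        plist="$home/Library/LaunchAgents/com.getdropbox.dropbox.$label.plist"
        if [ -f "$plist" ]; then
            echo "FOUND: $plist (persistence agent)"
            found=1
        fi
    done

    # The Platypus-built dropper itself; the two locations are assumptions
    for app in "$home/Applications/EasyDoc Converter.app" \
               "/Applications/EasyDoc Converter.app"; do
        if [ -d "$app" ]; then
            echo "FOUND: $app (EasyDoc Converter dropper)"
            found=1
        fi
    done

    # Gatekeeper status, informational only, on systems that have spctl (macOS)
    if command -v spctl >/dev/null 2>&1; then
        echo "Gatekeeper: $(spctl --status 2>/dev/null)"
    fi

    [ "$found" -eq 0 ] && echo "No Backdoor.MAC.Eleanor indicators found in $home"
    return "$found"
}

# When run as a script, check the given directory or the current user's home
check_eleanor_indicators "$@"
```

A non-zero exit status means at least one indicator was present; finding a LaunchAgent or the marker directory is a reason to run the scanners named above, not proof of infection on its own.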