Macs targeted with new Backdoor.MAC.Eleanor trojan

Jul 5, 2016 15:49 GMT  ·  By

Security researchers from Bitdefender have discovered a new malware family that opens a backdoor via the Tor network on Mac OS X systems.

The malware's technical name is Backdoor.MAC.Eleanor, and currently, its creators are distributing it to victims as EasyDoc Converter, a Mac app that allows users to convert files by dragging them over a small window.

In reality, Bitdefender says the app only downloads and runs a malicious script that installs and registers at startup three new components: the TOR hidden service, a PHP Web service, and a Pastebin client.

Backdoor.MAC.Eleanor creates a .onion address for your Mac

The Tor service will automatically connect the infected computer to the Tor network, and generate a .onion domain through which the attacker can access the user's system using only a browser.

The PHP Web service is the receiving end of that connection, being also tasked with interpreting the commands it receives from the crook's control panel to the local Mac operating system.

Here is where the Pastebin agent intervenes because the agent takes the locally generated .onion domain and uploads it in a Pastebin URL, after being encrypted with a public key using RSA and base64 algorithms. Crooks can access this PasteBin link, and parse it for new entries to their botnet.

Backdoor provides a lot of remote management options

Bitdefender's team says that Backdoor.MAC.Eleanor allows criminals to navigate and interact with the local filesystem, launch reverse shells to execute root commands, and launch and execute all kind of PHP, PERL, Python, Ruby, Java, or C scripts.

Additionally, the attackers can also list locally running apps, use the infected computer to send emails, use it as an intermediary point to connect and administer databases, and scan remote firewalls for open ports.

The infected computer basically becomes a bot in the crook's botnet, which can at any time use it to send out massive spam campaigns, steal sensitive data from the infected system, use it as a DDoS bot, or install other malware.

Below is an image of what the crook sees when accessing your Mac's Tor .onion link.

Backdoor control panel, crook's view
Backdoor control panel, crook's view

Backdoor.MAC.Eleanor (3 Images)

Backdoor control panel, crook's view
Backdoor control panel, crook's viewEasyDoc Converter app
Open gallery