Antivirus company Bitdefender has released an alert about a malicious application that infects Macs and connects to its command-and-control servers via Tor.
The program, called EasyDoc Converter.app, claims to be a file converter but does not perform its advertised function. Instead, it drops sophisticated malware (Backdoor.MAC.Eleanor) onto the system. The malware then bypasses the system's security controls, giving the attacker full control over the machine.
The malware is built with Platypus, “a tool used for native Mac apps from shell, Perl, Python or Ruby scripts”.
“This type of malware is particularly dangerous as it’s hard to detect and offers the attacker full control of the compromised system,” says Tiberius Axinte, Technical Leader, Bitdefender Antimalware Lab. “For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices. The possibilities are endless.”
Once installed, a hidden Tor service and a PHP-capable web server are set up on the affected computer, creating a .onion address that the attacker can use to connect to the Mac and control it.
Eleanor’s operators also use the open-source tool wacaw to take control of the infected computer’s camera. This lets them not only spy on the victim but also take photographs of them, opening the door to blackmail.
The addresses the malware uses to communicate with its controllers are stored on a Pastebin account. Unfortunately, these details are encrypted using RSA.
Currently the malware is not widespread in the wild, but Mac users can defend against it by installing BlockBlock, which can catch the malware’s attempt to install a persistent daemon.
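The persistence described above (a launchd daemon that starts a Tor hidden service and a PHP web server) is something a defender can also look for by hand. The following is an added example, not code from Bitdefender or from the malware: it inspects launchd property lists and reports the indicators Eleanor-style persistence would leave (a `tor` or `php` executable, a `torrc`/hidden-service reference, an executable in a hidden directory, RunAtLoad). The plists, paths and indicator set are constructed assumptions for illustration.

```python
import plistlib
import re
from pathlib import PurePosixPath

# Assumed indicator set: Tor (hidden service) and PHP's built-in web server ("php -S").
SUSPECT_BINARIES = {"tor", "php"}
SUSPECT_ARG = re.compile(r"torrc|HiddenService|\.onion", re.IGNORECASE)

# Constructed sample launchd plists; not files recovered from the real sample.
SAMPLE_PLISTS = {
    "com.demo.updater.plist": b"""<plist version="1.0"><dict>
<key>Label</key><string>com.demo.updater</string>
<key>ProgramArguments</key><array><string>/Users/demo/Library/.svc/tor</string>
<string>-f</string><string>/Users/demo/Library/.svc/torrc</string></array>
<key>RunAtLoad</key><true/></dict></plist>""",
    "com.demo.web.plist": b"""<plist version="1.0"><dict>
<key>Label</key><string>com.demo.web</string>
<key>ProgramArguments</key><array><string>/Users/demo/Library/.svc/php</string>
<string>-S</string><string>127.0.0.1:9000</string></array>
<key>RunAtLoad</key><true/></dict></plist>""",
    "com.demo.backup.plist": b"""<plist version="1.0"><dict>
<key>Label</key><string>com.demo.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup.sh</string></array>
<key>StartInterval</key><integer>3600</integer></dict></plist>""",
}


def inspect_launch_item(data: bytes) -> list:
    """Return the reasons a launchd plist looks like Eleanor-style persistence."""
    item = plistlib.loads(data)
    args = item.get("ProgramArguments") or [item.get("Program", "")]
    exe = PurePosixPath(args[0]) if args and args[0] else PurePosixPath("")
    reasons = []
    if exe.name in SUSPECT_BINARIES:
        reasons.append(f"launches {exe.name}")
    if exe.name == "php" and "-S" in args:
        reasons.append("starts PHP built-in web server")
    if any(SUSPECT_ARG.search(str(a)) for a in args[1:]):
        reasons.append("references a Tor hidden-service configuration")
    if any(part.startswith(".") for part in exe.parts):
        reasons.append("executable lives in a hidden directory")
    if reasons and item.get("RunAtLoad"):  # only context, never a finding on its own
        reasons.append("persists via RunAtLoad")
    return reasons


def scan(plists: dict) -> dict:
    """Map each plist name to its findings, keeping only the suspicious ones."""
    return {name: r for name, data in plists.items() if (r := inspect_launch_item(data))}
```

On a real system the same function can be fed the contents of the files under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.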