What You Need to Know About Mac Malware 'Backdoor.MAC.Eleanor'

[MacRumors]

Internet security software company Bitdefender's research lab has disclosed new malware targeting Macs called Backdoor.MAC.Eleanor [PDF]. Learn more about the malware and how to keep your Mac protected against attackers.

What is Backdoor.MAC.Eleanor?

Backdoor.MAC.Eleanor is new OS X/macOS malware arising from a malicious third-party app called EasyDoc Converter, which poses as a drag-and-drop file converter.

What is EasyDoc Converter?

"EasyDoc Converter.app" is a third-party Mac app that poses as a drag-and-drop file converter. The app has the following fake description:

EasyDoc Converter is a fast and simple file converter for OS X. Instantly convert your FreeOffice (.fof) and SimpleStats (.sst) docs to Microsoft Office (.docx) by dropping your file onto the app. EasyDoc Converter is great for employees and students looking for a simple tool for quickly convert files to the popular Microsoft format. EasyDoc Converter lets you get to work quickly by using a simple, clean, drag-and-drop interface. The converted document will be saved in the same directory of the original file.

EasyDoc Converter was previously available on software download website MacUpdate, but the app was removed by July 5. It may remain available for download elsewhere online. The app was never available through the Mac App Store.

The app was created with Platypus, a developer tool used for native Mac apps from shell, Perl, Python or Ruby scripts.

How is Backdoor.MAC.Eleanor distributed?

Backdoor.MAC.Eleanor infects Macs with EasyDoc Converter installed. The app installs a malicious script that is registered to system startup and allows an attacker to anonymously access the infected Mac.

How does Backdoor.MAC.Eleanor put my Mac at risk?

Backdoor.MAC.Eleanor creates a Tor hidden service that provides attackers with full anonymous access to the infected Mac remotely through a PHP-based local web server dubbed Web Service - via a Tor-generated address.

Attackers then have the ability to access and modify files, execute shell commands, capture images and videos from iSight or FaceTime webcams, and more through a web-based control panel:

o File manager (view, edit, rename, delete, upload, download, and archive files)
o Command execution (execute commands)
o Script execution (execute scripts in PHP, PERL, Python, Ruby, Java, C)
o Shell via bind/reverse shell connect (remotely execute root commands)
o Simple packet crafter (probe firewall rule-sets and find entry points into a targeted system or network)
o Connect and administer databases
o Process list/task manager (access the list of processes and apps running)
o Send emails with attached files

What is a Tor hidden service?

Tor is free software that allows for anonymous communication over a computer network, known as onion routing. The software essentially re-routes network traffic through a network of computers so that it cannot be traced back to its source IP address, allowing users to browse the internet without being identified.

Tor hidden services are websites or servers configured to accept inbound connections only when they are routed through the anonymity network. A hidden service is accessed through its "onion" address, such as XXXpaceinbeg3yci.onion, which the attacker can connect to to gain remote control of the infected Mac.

Which Macs are affected?

MacUpdate listed EasyDoc Converter's system requirements as Intel-based Macs running OS X 10.6 (Snow Leopard) or later. OS X Snow Leopard is compatible with Macs that have at least 1GB of RAM and 5GB of free disk space.

Backdoor.MAC.Eleanor is thereby capable of infecting mid 2007 or newer MacBook models, all MacBook Air and MacBook Pro models, mid 2007 or newer Mac mini and iMac models, and all Mac Pro models.

Identify your Mac model by clicking on the Apple logo in the top-left macOS menu bar and selecting "About This Mac."

How do I protect myself against Backdoor.MAC.Eleanor?

The most important and obvious preventative measure is to avoid downloading "EasyDoc Converter.app" from any source. Installing unfamiliar apps from unidentified developers is almost always a security risk.

Apple's default Gatekeeper security settings already prevent EasyDoc Converter from opening, unless you ignore the warning dialog and proceed to manually open the app under System Preferences > Security & Privacy.

Mac users can also download a trusted anti-malware app such as BlockBlock, which continually monitors common persistence locations and displays an alert whenever a persistent component is added to the system.

Users that already installed EasyDoc Converter can download anti-malware software Malwarebytes, which has already been updated to detect and remove Backdoor.MAC.Eleanor.

How will Apple deal with this malware?

Apple will likely update its "Xprotect" anti-malware system to block EasyDoc Converter.

Article Link: What You Need to Know About Mac Malware 'Backdoor.MAC.Eleanor'

 

[Gav2k]

It's an OS X virus not Mac OS if we're honest

 

[Derekeys]

Sooooo... don't download stuff that isn't from the App Store. Check and check.

 

[GenesisST]

It's an OS X virus not Mac OS if we're honest

And not even a virus

 

[Glassed Silver]

Sooooo... don't download stuff that isn't from the App Store. Check and check.

Lucky you if your computer usage gets by using only App Store applications.

Then again, eventually I decided to use the MAS more as a means to find applications and then get them from the company's own website.
Often you can snatch them up cheaper (for example EDU discounts) and the applications are more capable.

Glassed Silver:mac

 

[KALLT]

The free on-demand scanner Malwarebytes Anti-Malware has also been updated, if you are concerned about an infection.

 

[RDeckard]

"The most important and obvious preventative measure is to avoid downloading "EasyDoc Converter.app" from any source."

Easy enough.

Let's see how much press this gets vs. "HummingBad" malware that's infected millions of Android handsets.

 

[Lapidus]

Seems useful. Thanks for the tip!

 

[mildocjr]

virustotal.com people, virustotal.com.

 

[3bs]

So is installing KnockKnock and RansomWhere? a good idea along with BlockBlock?

 

[slapppy]

Well Blockblock is Beta. So even using that is a RISK?

 

[miknos]

When you open the app, does it ask for administrator password?

Seems like a well designed malware.

 

[3bs]

Well Blockblock is Beta. So even using that is a RISK?

If it poses a risk then MR shouldn't be vouching for it. So I assume it doesn't.

 

[winston1236]

This article is confusing, does it affect MacOS or OSX?

 

[AlexH]

Sooooo... don't download stuff that isn't from the App Store. Check and check.

Unless it's well known software.

 

[FoxBJK]

Sooooo... don't download stuff that isn't from the App Store. Check and check.

Sooooo... don't download Firefox, LibreOffice, or any other open-source applications that aren't allowed on the MAS for licensing reasons?

 

[InfoTime]

So it runs a web server on your Mac. Doesn't your router need to forward traffic to your Mac for this to be effective?

 

[jdillings]

MacUpdate being used to distribute malware yet again....People need to stick with the App Store. I think at this point we should assume anything downloaded from MacUpdate probably has malware of some sort.

 

[mildocjr]

So it runs a web server on your Mac. Doesn't your router need to forward traffic to your Mac for this to be effective?

If only setting up MAMP was this easy.

 

[TheShadowKnows!]

So it runs a web server on your Mac. Doesn't your router need to forward traffic to your Mac for this to be effective?

Not quite. It most likely uses a VPN, where the public-facing interface encapsulates the TOR-encrypted payload. As such it can obfuscate any firewall in its path, using well-known sockets.

 

[KALLT]

When you open the app, does it ask for administrator password?

There is no mention of this. All the files are placed in user directories and the programs are executed by the same user. This does not require any passwords, as the authority comes from the user that executes the program. Afterwards, the program is launched by a launch agent automatically.

 

[Zirel]

Lucky you if your computer usage gets by using only App Store applications.

Then again, eventually I decided to use the MAS more as a means to find applications and then get them from the company's own website.
Often you can snatch them up cheaper (for example EDU discounts) and the applications are more capable.

Glassed Silver:mac

Then download only applications from developers you trust and are signed by them.

There's no way an OS will replace the job of humans.

 

[steiney]

Lucky you if your computer usage gets by using only App Store applications.

Then again, eventually I decided to use the MAS more as a means to find applications and then get them from the company's own website.
Often you can snatch them up cheaper (for example EDU discounts) and the applications are more capable.

Glassed Silver:mac

Another benefit is that the dev gets all the revenue versus Apple getting a cut.

 

[TheShadowKnows!]

There is no mention of this. All the files are placed in user directories and the programs are executed by the same user. This does not require any passwords, as the authority comes from the user that executes the program. Afterwards, the program is launched by a launch agent automatically.

But it must have root privileges to modify kernel files and/or invoke kernel services. After all, it installs as a startup service (with setuid root) -- and that requires root privileges. Those privileges are escalated at the time of install, when the user unwittingly allows the install to take place. Please correct me if I got it wrong.

 

[Glassed Silver]

Then download only applications from developers you trust and are signed by them.

There's no way an OS will replace the job of humans.

That's my point.
Assume responsibility and educate yourself.
Know about your options. Better than this spoon-feeding Apple tries to instill and their going out of their way to make things harder for those who know a thing or two.

Another benefit is that the dev gets all the revenue versus Apple getting a cut.

This as well.
At this point I really think is making more money than they deserve...

Glassed Silver:mac

 

[sudo1996]

Sooooo... don't download stuff that isn't from the App Store. Check and check.

Dang. Can't do my homework without Python 3.
[doublepost=1467827085][/doublepost]

Then download only applications from developers you trust and are signed by them.

There's no way an OS will replace the job of humans.

We're supposed to delegate the trusting to Apple's developer signing. Problem is there are so many perfectly legitimate apps that aren't signed. I used to have GateKeeper enabled, but it was causing way too many problems with legitimate and unsigned software. So now, I just have to trust people, as you said.
[doublepost=1467827133][/doublepost]

If only setting up MAMP was this easy.

LOL
[doublepost=1467827199][/doublepost]

So it runs a web server on your Mac. Doesn't your router need to forward traffic to your Mac for this to be effective?

Some routers (including AirPort) support a standard protocol for setting up temporary port mappings from a PC without authentication. Also, if there's a server they can connect to, they don't even need that. I'm guessing it connects to servers in the Tor network.