The time has come when hackers have finally caught up with the Mac platform.
The OSX/Eleanor-A malware infects Apple systems and exposes them to cyber-espionage, letting malicious third parties gain complete, covert control.
The malware was recently discovered by Bitdefender researchers and was found to open a backdoor on Mac OS X computers via a Tor-hidden service.
Thus, it was dubbed the Backdoor.MAC.Eleanor malware.
Compared with Windows and Android at least, Mac malware is still rare; the platform has long managed to steer clear of trouble and keep cybercrooks at bay.
Worse, this new piece of malware shows that even cybercriminals with little programming knowledge can easily build attack tools from everyday components and fully compromise OS X systems.
Decoy Converter App
Disguising itself as a legitimate-looking, easy-to-install utility called EasyDoc Converter.app, the tool entices Mac users to download and try it out.
At first glance, it appears to be nothing more than a fast and simple drag-and-drop file converter for macOS.
Typically, you’d want a quick converter app to help you read other files.
So one would probably just delete an app that doesn’t meet this requirement or doesn’t work at all, assuming no harm had been done.
How does the malware work, then? In the background, the fake app creates a hidden folder containing various programs and malicious scripts.
Even those who know where to find these files and take a close look might not become suspicious right away, since they are mostly free tools that are readily available.
These are what linger on the Mac after the EasyDoc app is uninstalled.
Here is where OSX/Eleanor-A comes in. The malware takes advantage of a built-in OS X mechanism, configuring the tools as OS X LaunchAgents so that they are set up and run automatically.
These software components load in the background whenever a user logs in, something many users tend to ignore or are completely unaware of.
Background Program # 1 – A copy of The Onion Router (Tor).
As part of the attack, the malware connects to the Tor anonymizing network and goes further by advertising your computer on the Dark Web.
Background Program # 2 – PHP admin script
The malware uses the standard OS X PHP scripting tool to run this script, making your computer and files accessible via a web browser.
OSX/Eleanor-A then connects the two background programs, which allows attackers, or any outsider who knows the name of the hidden service, to take over your Mac.
Background Program # 3 – Pastebin uploader
The hidden service name assigned to the infected computer is random.
It’s a unique 16-character string that lets other Tor users connect to your computer.
This background program uploads that information to Pastebin and removes itself once the job is done.
The bottom line is that the malware sets up a web service giving hackers remote access and full control over the infected machine, with the ability to manipulate files, view your running process list, execute commands and scripts, and even send emails with attachments.
An attacker can lock you out of your own laptop, blackmail you, or make your computer part of a botnet used to attack other devices.
The malware also includes Netcat, Wacaw, and a PHP-based image browsing tool.
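As a defender-side illustration of the LaunchAgent persistence described above, here is an added example (not code from the article, Bitdefender or Sophos) that parses LaunchAgent plists and flags entries that run a tor or php binary, or anything from a hidden folder, at login; the two sample plists and the path /Users/alice/.hidden are constructed for the example.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Constructed sample plists (not from the real malware): one benign, one modelled
# on the persistence the article describes, a tor binary run from a hidden folder.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.hiddenagent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/.hidden/tor</string>
    <string>-f</string><string>/Users/alice/.hidden/torrc</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Binary names matching the background components the article lists
SUSPECT_BINARIES = {"tor", "php", "php-cgi", "nc", "netcat"}

def scan_launch_agent(plist_bytes):
    """Return a list of findings for one LaunchAgent plist (empty = nothing odd)."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return ["plist could not be parsed"]
    args = [str(a) for a in data.get("ProgramArguments", [])]
    if "Program" in data:
        args.insert(0, str(data["Program"]))
    findings = []
    for arg in args:
        path = PurePosixPath(arg)
        if path.name.lower() in SUSPECT_BINARIES:
            findings.append(f"runs {path.name}")
        # a dot-directory under a user home is where the decoy app hid its tools
        if arg.startswith("/Users/") and any(p.startswith(".") for p in path.parts[3:]):
            findings.append(f"hidden path {arg}")
    if findings and data.get("RunAtLoad"):
        findings.append("starts at login (RunAtLoad)")
    return findings

def scan_directory(directory):
    """Scan every *.plist in a LaunchAgents folder, e.g. ~/Library/LaunchAgents."""
    return {p.name: f for p in Path(directory).glob("*.plist") if (f := scan_launch_agent(p.read_bytes()))}
```

Run `scan_directory(Path.home() / "Library/LaunchAgents")` to check the current user's agents; anything flagged deserves a manual look rather than automatic deletion.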
Minimizing Mac Risks
The converter app was created with Platypus, a tool for building native Mac apps from shell, Python, Perl, or Ruby scripts.
Though it was never available via the Mac App Store, the app was previously listed on the MacUpdate software download website.
It has been removed since July 5 but might still be downloadable elsewhere on the internet.
Sophos security technologist Paul Ducklin states that the malware is generally unlikely to be encountered, and that anyone who downloads it and attempts to run it will, by default, be shown a warning.
So if you never tried it and never bypassed Gatekeeper settings to install it, your Mac is certain to be uninfected.
Otherwise, it’s best to act immediately to get rid of it.
Malwarebytes and Sophos have already been updated to detect it, and a scan can delete any malware-associated files on an infected system.
He also suggests getting real-time antivirus protection in the meantime, even if you have so far been unharmed without it.