A newly discovered malware capable of cyberespionage and remote takeover is targeting Mac computers, delivering its payload by opening up a backdoor connection to a command-and-control (C&C) web server via the encrypted Tor network.
Named Eleanor (or Backdoor.MAC.Eleanor), the malware arrives disguised as a drag-and-drop file conversion application called the EasyDoc Converter, which is found on many credible third-party sites, according to an analysis from Bitdefender, whose security researchers uncovered the malware. The program is neither verified nor digitally signed by Apple.
In reality, the program's true purpose is far more malevolent, granting cybercriminals or cyberspies a backdoor connection that allows them to manipulate files, execute commands and scripts (including at the root level), penetrate firewall defenses, administer databases, discover applications running on a machine, and send emails with attached files. The malware also uses a webcam control panel tool to capture images and videos from built-in webcams, as well as a daemon agent that collects infection information, fetches and updates computer files; and executes shell scripts, reported Bitdefender.
Such capabilities could easily allow attackers to silently spy on their victims or turn an infected device into a bot that spreads malware to additional machines. All of this is possible because the malware secretly creates a backdoor in an infected Mac and installs a Tor hidden service that essentially connects the computer to a local server called Web Service, which acts as a C&C center.
"Tor makes the localisation of the C&C and the actors behind it very difficult, mainly because of the unpredictability of the routing of the information," Alexandra Gheorghe, security specialist.at Bitdefender, told SCMagazine.com. "It is mostly used in ransomware campaigns, point-of-sale malware and for botnet infrastructures, to guarantee C&C anonymity and make botnets more resilient against takedowns."
The report notes that the Tor service is also designed to provide access to a Secure Shell (SSH) cryptographic service that would allow an adversary to "access the server from the open Internet even if it's behind a firewall," explained Gheorghe. While the SSH service was not found on the sample user's machine during the researchers' analysis, "We believe it was placed there, to be added later," the online report noted.
Throughout the infection process, each individually infected computer is assigned a unique Tor address. These addresses are encrypted and subsequently stored on a Pastebin page for reference, the report added.