Recently-discovered OSX/Eleanor-A malware shows cyber-criminals with little knowledge of programming how to easily and cheaply build devious attack tools from everyday components.
According to a recent blog by Paul Ducklin, security technologist at Sophos, the malware poses as a utility called EasyDoc Converter, which installs easily but does not appear to do much. In the background, however, the app creates a hidden folder containing a collection of programmes and scripts, most of them readily available free tools.
The malware uses an OS X utility to set the tools up to run in the background, then starts Tor to connect to the anonymity network and advertise the user's computer on the Dark Web as what is known as a ‘hidden service’. The malware also connects that Tor hidden service to a PHP admin script, allowing any outsider who knows the name of the hidden service to take over the Mac remotely.
The malware includes a copy of a free webcam control programme called Wacaw. It is an old utility, but the PHP admin shell makes it simple for crooks to upload any other software they want and swap in a newer tool.
Ducklin says that users are “unlikely to encounter this malware”, but that if it is downloaded and run, users will by default see a warning from OS X's security settings, which do not give complete protection, at least until Apple addresses the issue.
Ducklin suggests using a real-time anti-virus on your Mac, even if you have gone unharmed for years without one.