Free Republic


What You Need to Know About Mac Malware 'Backdoor.MAC.Eleanor'
MacRumors ^ | July 6, 2016 | by Joe Rossignol

Posted on 07/06/2016 1:42:36 PM PDT by Swordmaker

What is Backdoor.MAC.Eleanor?


Backdoor.MAC.Eleanor is new macOS malware that arrives inside a malicious third-party app called EasyDoc Converter, which poses as a drag-and-drop file converter.


What is EasyDoc Converter?


"EasyDoc Converter.app" is a third-party Mac app that poses as a drag-and-drop file converter. The app has the following fake description:

EasyDoc Converter is a fast and simple file converter for OS X. Instantly convert your FreeOffice (.fof) and SimpleStats (.sst) docs to Microsoft Office (.docx) by dropping your file onto the app. EasyDoc Converter is great for employees and students looking for a simple tool for quickly convert files to the popular Microsoft format. EasyDoc Converter lets you get to work quickly by using a simple, clean, drag-and-drop interface. The converted document will be saved in the same directory of the original file.

EasyDoc Converter was previously available on the software download website MacUpdate, but the app was removed by July 5. It may remain available for download elsewhere online. The app was never available through the Mac App Store.


The app was created with Platypus, a developer tool that wraps a shell, Perl, Python or Ruby script in a native Mac app bundle, so that double-clicking or dropping a file on the app simply runs the script.
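Because a Platypus app is just a script in an app-shaped wrapper, the quickest way to see what such an app really does is to find the wrapped script and read it. The following is an added example written for this page, not code from the article, from Platypus or from any analysis of EasyDoc Converter. It assumes the bundle layout Platypus produces (stated here as an assumption): the wrapped script at Contents/Resources/script and the wrapper's settings at Contents/Resources/AppSettings.plist. The bundle that make_constructed_bundle() creates is a harmless stand-in with a hypothetical name; it is not EasyDoc Converter.

```python
"""Identify Platypus-built app bundles and show the script they wrap.

Added example for this page (not from the article, Platypus or any Eleanor
analysis). Assumed Platypus layout: Contents/Resources/script holds the
wrapped script, Contents/Resources/AppSettings.plist the wrapper settings.
"""
import plistlib
import tempfile
from pathlib import Path

SCRIPT_REL = Path("Contents/Resources/script")              # assumption: Platypus layout
SETTINGS_REL = Path("Contents/Resources/AppSettings.plist")  # assumption: Platypus layout


def inspect_bundle(bundle_path, head_lines=6):
    """Return Platypus markers, the script's interpreter and the script's first lines.

    The interpreter is read from the script's own shebang, so nothing is
    assumed about the keys inside AppSettings.plist.
    """
    bundle = Path(bundle_path)
    script = bundle / SCRIPT_REL
    settings = bundle / SETTINGS_REL
    result = {"bundle": bundle.name, "markers": [], "interpreter": None,
              "settings_keys": [], "script_head": []}
    if settings.is_file():
        result["markers"].append(str(SETTINGS_REL))
        with settings.open("rb") as fh:
            result["settings_keys"] = sorted(plistlib.load(fh))
    if script.is_file():
        result["markers"].append(str(SCRIPT_REL))
        lines = script.read_text(errors="replace").splitlines()
        if lines and lines[0].startswith("#!"):
            result["interpreter"] = lines[0][2:].strip()
        result["script_head"] = lines[:head_lines]
    result["is_platypus"] = len(result["markers"]) == 2
    return result


def find_platypus_apps(directory):
    """Inspect every *.app in a directory (e.g. /Applications or ~/Downloads)."""
    found = []
    for app in sorted(Path(directory).expanduser().glob("*.app")):
        info = inspect_bundle(app)
        if info["is_platypus"]:
            found.append(info)
    return found


def make_constructed_bundle(root, name="Constructed Converter.app"):
    """Build a harmless bundle in the assumed Platypus layout (constructed data)."""
    bundle = Path(root) / name
    (bundle / "Contents/MacOS").mkdir(parents=True)
    (bundle / "Contents/Resources").mkdir(parents=True)
    (bundle / SCRIPT_REL).write_text(
        "#!/bin/sh\n"
        "# constructed stand-in script: copies the dropped file, nothing more\n"
        'cp -- "$1" "${1%.*}.docx"\n')
    with (bundle / SETTINGS_REL).open("wb") as fh:
        plistlib.dump({"Example": "constructed"}, fh)  # hypothetical key, not a Platypus key
    return bundle


def make_plain_bundle(root, name="Plain.app"):
    """A non-Platypus bundle with only a Mach-O slot, for contrast."""
    bundle = Path(root) / name
    (bundle / "Contents/MacOS").mkdir(parents=True)
    (bundle / "Contents/MacOS/Plain").write_bytes(b"")
    return bundle


def demo():
    """Create both constructed bundles in a temp dir and return the Platypus ones."""
    root = tempfile.mkdtemp()
    make_constructed_bundle(root)
    make_plain_bundle(root)
    return find_platypus_apps(root)


if __name__ == "__main__":
    for info in demo():
        print(info["bundle"], "->", info["interpreter"])
        print("\n".join(info["script_head"]))
```

On a real Mac, `find_platypus_apps("~/Downloads")` lists every Platypus wrapper there and the first lines of each wrapped script; a "converter" whose script starts by creating hidden directories, downloading binaries or writing LaunchAgents is not a converter.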


How is Backdoor.MAC.Eleanor distributed?


Backdoor.MAC.Eleanor infects Macs on which EasyDoc Converter has been installed. The app installs a malicious script, registers it to run at system startup, and thereby gives an attacker anonymous remote access to the infected Mac.


How does Backdoor.MAC.Eleanor put my Mac at risk?


Backdoor.MAC.Eleanor sets up a Tor hidden service in front of a PHP-based web server that listens locally on the infected Mac (the component is dubbed "Web Service"). The attacker reaches that web server through the Tor-generated .onion address and so gets full, anonymous remote access to the machine.


Attackers then have the ability to access and modify files, execute shell commands, capture images and videos from iSight or FaceTime webcams, and more through a web-based control panel:


• File manager (view, edit, rename, delete, upload, download, and archive files)
• Command execution (execute commands)
• Script execution (execute scripts in PHP, Perl, Python, Ruby, Java, C)
• Shell via bind/reverse shell connect (remotely execute root commands)
• Simple packet crafter (probe firewall rule-sets and find entry points into a targeted system or network)
• Connect and administer databases
• Process list/task manager (access the list of processes and apps running)
• Send emails with attached files


What is a Tor hidden service?


Tor is free software for anonymous communication over a computer network using a technique known as onion routing. It relays traffic through a chain of volunteer-run computers so that it cannot be traced back to its source IP address, letting users browse the internet without being identified.


Tor hidden services are websites or servers configured to accept inbound connections only when they arrive through the anonymity network. A hidden service is reached through its "onion" address, such as XXXpaceinbeg3yci.onion, and connecting to that address is how the attacker takes remote control of the infected Mac.
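To make the hidden-service mechanics concrete, here is an added illustration of the kind of Tor configuration that exposes a localhost-only web server as an onion service. It is not the malware's configuration (the article does not reproduce it); the directory and port are hypothetical.

```text
# Hypothetical torrc fragment (added illustration, not Eleanor's actual config).
# Tor keeps the service's key pair in HiddenServiceDir and writes the .onion
# address derived from that key to the file "hostname" inside it; that is the
# "Tor-generated address" the attacker connects to.
HiddenServiceDir /Users/alice/Library/.svc/hs/

# Connections arriving at the onion address on virtual port 80 are handed to a
# server bound only to loopback. Nothing listens on a public interface, so no
# inbound firewall rule, router port-forward or public IP is needed, and the
# attacker's own location is hidden by the same network.
HiddenServicePort 80 127.0.0.1:8080
```

The other half of the pair is the PHP web server bound to that same loopback port (PHP's built-in server, `php -S 127.0.0.1:8080`, is one way to do it; the article does not say how Eleanor's is started). On a Mac, `lsof -nP -iTCP -sTCP:LISTEN` lists TCP listeners with their owning processes; a tor process together with a loopback-only PHP listener on a machine that was never set up to run either is a strong indicator worth chasing.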


Which Macs are affected?


MacUpdate listed EasyDoc Converter's system requirements as Intel-based Macs running OS X 10.6 (Snow Leopard) or later. OS X Snow Leopard is compatible with Macs that have at least 1 GB of RAM and 5 GB of free disk space.


Backdoor.MAC.Eleanor is thereby capable of infecting mid-2007 or newer MacBook models, all MacBook Air and MacBook Pro models, mid-2007 or newer Mac mini and iMac models, and all Mac Pro models.


Identify your Mac model by clicking on the Apple logo in the top-left macOS menu bar and selecting "About This Mac."


How do I protect myself against Backdoor.MAC.Eleanor?


The most important and obvious preventative measure is to avoid downloading "EasyDoc Converter.app" from any source. Installing unknown apps from unidentified developers is almost always a security risk.


Because EasyDoc Converter does not come from an identified developer, Apple's default Gatekeeper setting already prevents it from opening, unless you ignore the warning dialog and manually allow the app under System Preferences > Security & Privacy.


Mac users can also download a trusted anti-malware app such as BlockBlock, which continually monitors common persistence locations and displays an alert whenever a persistent component is added to the system.
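The infection paragraph above (a script "registered to system startup") and BlockBlock's approach come down to the same question: what has launchd been told to run at login or boot? The following added example, written for this page rather than taken from the article, BlockBlock or Malwarebytes, parses launchd property lists of the kind found in ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons and flags jobs that start automatically and either run from a hidden or user-writable path or hand a script or config file to an interpreter such as tor, php or perl. The three plists in SAMPLES are constructed; their labels and paths are hypothetical, not Eleanor's, which the article does not give.

```python
"""Triage launchd persistence entries for a script-based backdoor.

Added example for this page (not code from the article, BlockBlock or
Malwarebytes). The plists in SAMPLES are constructed; labels and paths are
hypothetical and are not those of Backdoor.MAC.Eleanor.
"""
import plistlib
from pathlib import Path, PurePosixPath

PLIST_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
              b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n')

SAMPLES = {  # constructed sample jobs: one ordinary vendor updater, two backdoor-like jobs
    "com.example.updater.plist": PLIST_HEAD + b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/ExampleUpdater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.constructed.torsvc.plist": PLIST_HEAD + b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.constructed.torsvc</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/.svc/tor</string>
    <string>-f</string>
    <string>/Users/alice/Library/.svc/torrc</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "com.constructed.websvc.plist": PLIST_HEAD + b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.constructed.websvc</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/.svc/php</string>
    <string>-S</string>
    <string>127.0.0.1:8080</string>
    <string>-t</string>
    <string>/Users/alice/Library/.svc/www</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

PERSISTENCE_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
INTERPRETERS = {"tor", "php", "perl", "python", "python3", "ruby", "sh", "bash", "zsh"}


def runs_automatically(entry):
    """True if launchd starts the job without user action (RunAtLoad or KeepAlive)."""
    keep = entry.get("KeepAlive")
    return bool(entry.get("RunAtLoad")) or keep is True or isinstance(keep, dict)


def program_of(entry):
    """Return (executable path, remaining arguments) for a launchd job."""
    args = list(entry.get("ProgramArguments") or [])
    if "Program" in entry:
        return entry["Program"], args[1:]
    return (args[0] if args else ""), args[1:]


def path_reasons(path):
    """Reasons the executable's location itself is suspicious."""
    reasons = []
    if any(part.startswith(".") for part in PurePosixPath(path).parts[1:]):
        reasons.append("hidden directory in path")
    if path.startswith(USER_WRITABLE):
        reasons.append("user-writable location")
    return reasons


def triage_plist(name, data):
    """Return a finding dict for a suspicious job, or None for an unremarkable one."""
    entry = plistlib.loads(data)
    program, args = program_of(entry)
    reasons = path_reasons(program)
    exe = PurePosixPath(program).name.lower()
    if exe in INTERPRETERS and args:
        reasons.append(f"{exe} started with arguments {args}")
    if reasons and runs_automatically(entry):
        return {"file": name, "label": entry.get("Label"), "program": program, "reasons": reasons}
    return None


def triage_all(plists):
    return [f for f in (triage_plist(n, d) for n, d in plists.items()) if f]


def scan_directory(directory):
    """Triage every .plist in a real persistence directory (for use on a Mac)."""
    findings = []
    for plist_file in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            finding = triage_plist(str(plist_file), plist_file.read_bytes())
        except Exception as exc:  # report a malformed plist rather than skipping it
            finding = {"file": str(plist_file), "label": None, "program": None,
                       "reasons": [f"could not parse: {exc}"]}
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage_all(SAMPLES):
        print(finding["file"], finding["program"], "; ".join(finding["reasons"]))
    for d in PERSISTENCE_DIRS:  # empty everywhere but on a Mac
        for finding in scan_directory(d):
            print(finding["file"], finding["program"], "; ".join(finding["reasons"]))
```

The heuristics are deliberately narrow: a job has to be both auto-started and either living somewhere odd or feeding an interpreter, which keeps vendor updaters in /Applications out of the output. It is a one-shot snapshot; BlockBlock's value is that it watches these directories continuously and alerts at the moment a new job is written.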


Users that already installed EasyDoc Converter can download anti-malware software Malwarebytes, which has already been updated to detect and remove Backdoor.MAC.Eleanor.


How will Apple deal with this malware?


Apple will likely update its "XProtect" anti-malware system to block EasyDoc Converter.



TOPICS: Business/Economy; Computers/Internet
KEYWORDS: apple; applepinglist; macbook; malware; trojan
NOTE: Apple's built-in "Gatekeeper" already recognizes the malware that is hidden inside "EasyDoc Converter.app", so Backdoor.MAC.Eleanor really is not a new Trojan after all but just a new variation of an old one in one of the eight existing families that OS X already recognizes. The only way a Mac user can get infected with this is to be industrial strength stupid and to ignore the three separate warnings the OS brings up, one at original download informing the user that the file includes malware that could damage his system and privacy, secondly when the user installs the downloaded app, also warning him that the app he is about to install contains malware that could damage his system and his data, and finally on first run, saying the same thing. . . all of which to dismiss require an administrator's name and password to bypass! That IS industrial strength stupidity to ignore and go ahead and install this Backdoor.MAC.Eleanor infected app!
1 posted on 07/06/2016 1:42:37 PM PDT by Swordmaker

To: ~Kim4VRWC's~; 1234; 5thGenTexan; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; ...
"New" Apple OS X malware reportedly found. Backdoor.MAC.Eleanor discovered inside the "EasyDoc Converter.app" which has already been removed from the third-party location where it was found. It was NOT on the Apple OS X App Store, however it may have been posted elsewhere. It is ALREADY recognized by Apple's "GateKeeper" built-in malware protection, indicating it is not a "new" Trojan but rather a new variation of an old Trojan, or a member of an already existing Trojan family with recognizable characteristics which Gatekeeper will automatically recognize and warn users about and block unless the user overrides the warnings. If you were industrially strength stupid enough to go ahead and download it (no Freeper could possibly be in that terminal ill condition, but you may have some Liberal acquaintances who are) you may need to get MalwareBytes to remove it. — PING!


"New" Old Apple Trojan: Backdoor.MAC.Eleanor
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

2 posted on 07/06/2016 1:55:45 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)

To: Swordmaker

EasyDoc Converter was a System 7 shareware program, way back in the day.


3 posted on 07/06/2016 1:59:20 PM PDT by ifinnegan (Democrats kill babies and harvest their organs to sell)

To: ifinnegan

Why anyone would use an apple product is beyond me.

Linux rocks.


4 posted on 07/06/2016 2:42:27 PM PDT by bicyclerepair (Ft. Lauderdale FL (zombie land). TERM LIMITS ... TERM LIMITS)

To: bicyclerepair

I use it because it works very, very well. After decades of Windows I’m happy with the performance and speed.

Now you know. It’s no longer beyond you.

LM


5 posted on 07/06/2016 3:17:34 PM PDT by Loud Mime (Liberalism: Intolerance masquerading as tolerance)

To: bicyclerepair

MAC users should just give up protecting themselves and embrace Windows 10 spyware operating system.


6 posted on 07/06/2016 3:18:27 PM PDT by minnesota_bound

To: bicyclerepair

Linux Mint looks better than the outdated Apple OS and is seven times more usable


7 posted on 07/06/2016 5:17:22 PM PDT by dennisw (The strong take from the weak, but the smart take from the strong)

To: Swordmaker

bump


8 posted on 07/06/2016 6:38:27 PM PDT by Albion Wilde (We will no longer surrender this country to the false song of globalism. --Donald Trump)

To: Swordmaker
The only way a Mac user can get infected with this is to be industrial strength stupid and to ignore the three separate warnings the OS brings up,


9 posted on 07/06/2016 8:04:33 PM PDT by martin_fierro (< |:)~)

