
Security researchers have found a new backdoor program that allows attackers to hijack Mac systems and control them over the Tor network.  The malware, dubbed Backdoor.MAC.Eleanor by the folks at Bitdefender, is distributed as a file converter application through websites that offer Mac software.


The application infected with ‘Eleanor’ that users download from these sites is called ‘EasyDoc Converter’.  Once installed, ‘Eleanor’ displays a fake ‘EasyDoc Converter’ interface where users can supposedly drag and drop files for conversion, but no file conversion is done.  ‘Eleanor’ then launches a shell script in the background that installs components in a folder called “/Users/$USER/Library/.dropbox”.  No interaction with the Dropbox for Mac client has been found, and the folder name appears to be a ploy to thwart discovery.  ‘Eleanor’ then launches a Web service with a PHP application, a hidden service that allows attackers to connect to the affected systems over the Tor network, and an agent that posts the Tor access URLs for infected systems to a Pastebin website.  Attackers can then send commands through the URLs to affect the infected Macs.


The Tor network, also known as The Onion Router because of its many layers, is a series of servers running route anonymization software so that one’s route cannot easily be traced.  Tor has been used for years by users who wish to protect their privacy, but has lately been leveraged by Bad Actors to hide their location from the Good People of the Internet.


Users are alerted to the malware when they try to install it: the ‘EasyDoc Converter’ app is not digitally signed with an Apple-approved certificate, so security warnings are shown.  On OS X 10.11 (El Capitan), the user would also need to perform a manual override in order to install the application.  More information can be found here.
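
A defender-side check for the two indicators described above (the hidden folder under each user's Library and the unsigned app bundle), as an added example that is not from Bitdefender or the original article. The function names, the `--scan` switch and the default `/Users` root are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): sweep home directories for the
# hidden "Library/.dropbox" folder the article names as the install location.
# Prints each hit; returns 0 if at least one was found, 1 otherwise.
find_eleanor_dirs() {
    users_root="${1:-/Users}"      # assumed default: the macOS home root
    found=1
    for home in "$users_root"/*; do
        [ -d "$home" ] || continue
        candidate="$home/Library/.dropbox"
        # -e plus -L so a dangling symlink or plain file is reported too
        if [ -e "$candidate" ] || [ -L "$candidate" ]; then
            printf '%s\n' "$candidate"
            found=0
        fi
    done
    return "$found"
}

# Report whether an app bundle passes signature verification and
# Gatekeeper assessment (the check the article says this app fails).
check_app_signature() {
    app="$1"
    [ -d "$app" ] || { echo "missing: $app"; return 2; }
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available (not macOS?)"; return 3
    fi
    if codesign --verify --deep --strict "$app" 2>/dev/null &&
       spctl --assess --type execute "$app" 2>/dev/null; then
        echo "signed and accepted: $app"; return 0
    fi
    echo "UNSIGNED or rejected: $app"; return 1
}

# Run the sweep only when invoked with --scan, so the file can be sourced.
if [ "${1:-}" = "--scan" ]; then
    find_eleanor_dirs "${2:-/Users}" || echo "no Library/.dropbox folders found"
fi
```

A hit from `find_eleanor_dirs` is a lead to investigate rather than proof of infection; pair it with `check_app_signature` on any recently installed converter app.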