Researchers have discovered a new backdoor for Mac OS X that gives attackers essentially complete control over an infected machine. The malware is disguised as a common file converter utility and uses Tor for some communication functions.
Known as Eleanor, the backdoor has a wide range of functionality, including the ability for the attacker to remotely control the infected machine, steal data, take pictures from the machine’s camera, and take many other actions. The infection routine starts when the user downloads and runs the malicious app, called EasyDoc Converter, which looks like a drag-and-drop conversion utility. Once on a new machine, the app executes a script that serves as an installer for the rest of the malware’s functionality, including a Tor component, a Web service agent, and a Pastebin agent.
The Tor hidden service is used to access the other backdoor functionality on the infected machine, specifically the Web service.
“When Tor starts, it will automatically create the HiddenServiceDir specified, and it will create two files there. First, Tor will generate a new public/private key pair for the hidden service, located in a file called ‘private_key’. The other file Tor creates is called ‘hostname’. This contains a short summary of the public key, which will look something like XXXpaceinbeg3yci.onion. Using this hostname, the attacker now controls the machine by using the second backdoor component – Web Service (PHP),” researchers from BitDefender said in a report on the Eleanor malware.
The attackers can use the Tor hidden service to get access to the PHP backdoor portion of the malware. That component has a password-protected control panel that allows the attacker to do a number of things, such as run commands, download and upload files, run scripts, connect to various databases, and create a reverse shell.
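As an added defensive example (not code from BitDefender's report or from the malware), the Python below audits a host for the Tor hidden-service artifacts the report describes: it parses a torrc for HiddenServiceDir directives and reports whether Tor has generated the ‘hostname’ and ‘private_key’ files there and whether the hostname matches the 16-character .onion format quoted above. The torrc text, directory and file contents are constructed sample values.

```python
import os
import re
import tempfile

# v2 onion hostnames (the format quoted in the report, e.g. XXXpaceinbeg3yci.onion)
# are 16 base32 characters followed by ".onion".
ONION_RE = re.compile(r"^[a-z2-7]{16}\.onion$")

def parse_hidden_service_dirs(torrc_text):
    """Return the HiddenServiceDir paths declared in a torrc."""
    dirs = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "HiddenServiceDir":
            dirs.append(parts[1].strip())
    return dirs

def inspect_hidden_services(torrc_text):
    """For each declared HiddenServiceDir, report whether Tor has already
    generated 'hostname' and 'private_key', and what the onion address is."""
    findings = []
    for d in parse_hidden_service_dirs(torrc_text):
        entry = {"dir": d,
                 "has_key": os.path.isfile(os.path.join(d, "private_key")),
                 "onion": None, "valid_onion": False}
        hostname_path = os.path.join(d, "hostname")
        if os.path.isfile(hostname_path):
            with open(hostname_path) as f:
                entry["onion"] = f.read().strip()
            entry["valid_onion"] = bool(ONION_RE.match(entry["onion"]))
        findings.append(entry)
    return findings

def demo():
    """Constructed sample: a torrc pointing at a temporary HiddenServiceDir
    holding the two files Tor would create (all values are made up)."""
    root = tempfile.mkdtemp()
    hs = os.path.join(root, "hidden_service")
    os.makedirs(hs)
    with open(os.path.join(hs, "hostname"), "w") as f:
        f.write("abcdefghij234567.onion\n")
    with open(os.path.join(hs, "private_key"), "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n")
    torrc = f"SocksPort 9050\nHiddenServiceDir {hs}\nHiddenServicePort 80 127.0.0.1:8080\n"
    return inspect_hidden_services(torrc)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointing inspect_hidden_services at a real torrc found on a machine lists every hidden service it declares, so an unexpected entry on a Mac that has no reason to run one is worth investigating.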
The Pastebin agent is used to upload and store the unique Tor address for each infected machine, and the addresses themselves are encrypted before upload. The Eleanor backdoor appears to have emerged around mid-April, based on the Pastebin upload stats, BitDefender said, but could be older.
While Windows backdoors with this kind of functionality are a dime a dozen, OS X backdoors are comparatively rare. Some of that has to do with the smaller market share for Macs, but another part of it is the way that software installation is controlled on OS X. Users can set their machines to only allow apps from the App Store to be installed, taking away a lot of the avenues of installation that malware uses.