Experts from security firm Bitdefender have spotted a new malware, dubbed Eleanor (Backdoor.MAC.Eleanor), that, once it has compromised a Mac, sets up a backdoor reachable through the Tor network.
The malicious application, dubbed EasyDoc Converter.app, pretends to be a file converter; unfortunately, it delivers a sophisticated malware on the victim’s machine. Once it has infected the target, the malicious code recruits it as part of a botnet or spies on the victim’s machine.
“The backdoor is embedded into a fake file converter application that is accessible online on reputable sites offering Mac applications and software. The EasyDoc Converter.app poses as a drag-and-drop file converter, but has no real functionality – it simply downloads a malicious script.” said Tiberius Axinte, Technical Leader, Bitdefender Antimalware Lab.
Once it has infected a Mac, the malware grants the attacker full access to the file system, as reported by Bitdefender.
“This type of malware is particularly dangerous as it’s hard to detect and offers the attacker full control of the compromised system,”
The Backdoor.MAC.Eleanor malware sets up a hidden Tor service and a PHP web server, exposing a .onion domain that the attacker can access to control the bot.
The Eleanor malware is able to use the camera on the infected machine by using the open-source tool wacaw. The attacker is able to take pictures of the victims and blackmail them.
Every infected Mac is associated with a Tor address, all the addresses are stored on pastebin.com using a PasteBin agent. The addresses are encrypted with a public key using RSA and base64 algorithms.
The malicious app used to deliver the Eleanor malware is not digitally signed by Apple; this means that by downloading applications exclusively from the official store and reputable websites.
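The hidden Tor service plus PHP web server combination described above is something a defender can hunt for in launchd persistence entries. The scanner below is an added example, not Bitdefender's or the article's code; it assumes (the article does not say) that the backdoor persists via a LaunchAgent plist, and the sample plists it checks are constructed.

```python
import plistlib
import re
from pathlib import Path

# Indicators derived from the article's description of the backdoor: a Tor
# client/hidden service, PHP's built-in web server, .onion and pastebin references.
INDICATORS = [
    (re.compile(r"(^|/)tor$"), "tor launched at login"),
    (re.compile(r"(^|/)php(-cgi)?$"), "php launched at login"),
    (re.compile(r"\.onion$"), ".onion address in arguments"),
    (re.compile(r"pastebin\.com"), "pastebin.com in arguments"),
]

def scan_plist(data: bytes, label: str) -> list[str]:
    """Return findings for one launchd plist (raw XML or binary bytes)."""
    try:
        plist = plistlib.loads(data)
    except Exception:
        return [f"{label}: unparseable plist"]
    args = [plist["Program"]] if "Program" in plist else []
    args += plist.get("ProgramArguments", [])
    # Split `sh -c "..."` style commands into tokens so embedded binaries are seen.
    tokens = [t for a in args for t in str(a).split()]
    findings = []
    for tok in tokens:
        for rx, why in INDICATORS:
            if rx.search(tok):
                findings.append(f"{label}: {why} ({tok})")
    # The combination the article describes: tor plus PHP's built-in server (php -S).
    if any(t.endswith("tor") for t in tokens) and "-S" in tokens \
            and any(t.endswith("php") for t in tokens):
        findings.append(f"{label}: tor + php -S web server in one launch item")
    return findings

def scan_dirs(dirs=(Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents"),
                    Path("/Library/LaunchDaemons"))) -> list[str]:
    """Scan the usual launchd directories on a live Mac (assumed persistence location)."""
    out = []
    for d in dirs:
        for p in (d.glob("*.plist") if d.is_dir() else []):
            out += scan_plist(p.read_bytes(), str(p))
    return out

# Constructed samples (not real Eleanor artifacts) to exercise the scanner offline.
BENIGN = plistlib.dumps({"Label": "com.example.sync", "ProgramArguments": ["/usr/bin/true"]})
SUSPECT = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
    "ProgramArguments": ["/bin/sh", "-c",
        "~/.support/tor -f ~/.support/torrc & ~/.support/php -S 127.0.0.1:8080 -t ~/.support/www"]})

if __name__ == "__main__":
    for line in scan_plist(BENIGN, "benign") + scan_plist(SUSPECT, "suspect"):
        print(line)
```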
(Security Affairs –Eleanor malware, backdoor)