
Backdoor.MAC.Eleanor


First posted on 09 July 2016.
Source: SecurityHome

Aliases :

There are no other names known for Backdoor.MAC.Eleanor.

Explanation :

The malware strain -- dubbed Backdoor.MAC.Eleanor -- runs a malicious script that installs and registers three components at startup: a Tor Hidden Service, a PHP Web Service, and a PasteBin client.

Once the components are installed on a system, the attacker can execute commands, close applications, and steal almost all of the information on the computer. The malware can also access the computer's webcam to take pictures and record video of its victims.

The application presents itself on third-party Mac applications sites as EasyDoc Converter.app. Mac users who download the app expect that they will be able to convert Apple files to Microsoft Word documents. But Eleanor has other plans.

Instead of converting Mac files to Microsoft formats, the malware installs a backdoor that gives the attacker access to the operating system: a file explorer, shell execution, and webcam image and video capture. The application is built with Platypus, a tool that packages shell, Perl, Python, or Ruby scripts as native Mac apps.

The application looks like a converter into which the user can drop files, but it has no real conversion functionality.

It executes the script "EasyDoc Converter.app/Resources/script" according to the settings in AppSettings.plist. The script acts as the installer. It first checks whether Little Snitch (a macOS outbound firewall) is installed, then checks whether the machine is already infected by testing for the "/Users/$USER/Library/.dropbox" directory. If neither is found, it creates "/Users/$USER/Library/.dropbox", installs the components there, and registers them for system startup.

The Tor Hidden Service exposes the second backdoor component on the infected machine, a PHP Web Service, at a Tor-generated address such as XXXpaceinbeg3yci.onion, so the attacker can reach it without knowing the victim's IP address or traversing the victim's NAT.

Tor is a well-known anonymization service.

Here's why Eleanor can wreak havoc on a Mac:
Through the main control panel, the attacker has access to a file manager, command execution, script execution, a shell via bind or reverse connection, a simple packet crafter, connections to a DBMS, a process list/task manager, sending mail with attachments, and string conversion utilities.

Through the third and final component, the malware can capture images and video from the user's webcam. It does this with a tool found at ~/Library/.dropbox/utilities/wacaw.

A .onion-based utility lets the attacker browse the resulting image gallery.

To reach the Web Service and gain full control of an infected machine, the attackers need that machine's Tor address. All the addresses are encrypted and uploaded to pastebin.com by the Pastebin client component, which is how the attackers collect them.
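The description above gives an incident responder three on-disk indicators: the hidden "Library/.dropbox" directory the installer creates and uses as its infection marker, the wacaw utility under it, and some form of startup registration for the components. The following POSIX shell check is an added example, not code from the page or from the Eleanor authors. The page does not name the startup mechanism, so the script assumes LaunchAgent plists under ~/Library/LaunchAgents that reference the hidden directory; the sample home directory it builds for the demo is constructed, not a real infection.

```shell
#!/bin/sh
# Added example: host check for the Backdoor.MAC.Eleanor indicators described
# on this page. ASSUMPTION (not stated on the page): startup registration is
# done via LaunchAgent plists in ~/Library/LaunchAgents that point into the
# hidden directory. Adjust if your own analysis finds a different mechanism.

# check_eleanor_markers HOME_DIR
# Prints one "HIT:" line per indicator found. Returns 0 if anything was
# found, 1 if the home directory looks clean.
check_eleanor_markers() {
    cem_home="$1"
    cem_hidden="$cem_home/Library/.dropbox"
    cem_found=0

    # 1. The hidden install/marker directory the installer script creates.
    if [ -d "$cem_hidden" ]; then
        echo "HIT: hidden install directory $cem_hidden"
        cem_found=1
    fi

    # 2. The webcam capture utility dropped by the malware.
    if [ -f "$cem_hidden/utilities/wacaw" ]; then
        echo "HIT: webcam utility $cem_hidden/utilities/wacaw"
        cem_found=1
    fi

    # 3. Startup registration (assumed: LaunchAgent plists referencing the
    #    hidden directory). The glob is left unmatched if there are no plists.
    for cem_plist in "$cem_home"/Library/LaunchAgents/*.plist; do
        [ -f "$cem_plist" ] || continue
        if grep -q 'Library/\.dropbox' "$cem_plist"; then
            echo "HIT: launch agent $cem_plist references $cem_hidden"
            cem_found=1
        fi
    done

    [ "$cem_found" -eq 1 ]
}

# count_eleanor_markers HOME_DIR
# Prints the number of indicators found (0 when clean).
count_eleanor_markers() {
    check_eleanor_markers "$1" | grep -c '^HIT:'
}

# make_sample_home
# Builds a CONSTRUCTED home directory that mimics the on-disk layout described
# on the page (empty placeholder files, no malicious content) and prints its path.
make_sample_home() {
    msh_dir=$(mktemp -d)
    mkdir -p "$msh_dir/Library/.dropbox/utilities" "$msh_dir/Library/LaunchAgents"
    : > "$msh_dir/Library/.dropbox/utilities/wacaw"
    printf '<plist version="1.0"><dict><key>ProgramArguments</key><array><string>%s</string></array></dict></plist>\n' \
        "$msh_dir/Library/.dropbox/utilities/wacaw" \
        > "$msh_dir/Library/LaunchAgents/example.plist"
    echo "$msh_dir"
}

# Demo: scan the constructed sample, then the current user's real home directory.
demo_sample=$(make_sample_home)
echo "--- constructed sample: $demo_sample ---"
check_eleanor_markers "$demo_sample" || echo "no indicators"
rm -rf "$demo_sample"
echo "--- $HOME ---"
check_eleanor_markers "$HOME" || echo "no indicators"
```

Run it as the user whose account is suspected of running EasyDoc Converter.app (the installer writes under that user's home, not system-wide). A clean machine prints "no indicators" for the real home; any HIT line is worth pulling the referenced files for analysis before removing them.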

Last update 09 July 2016
