Newly discovered malware makes use of Tor to open a backdoor on Mac OS X systems
Researchers from security firm Bitdefender have discovered a new malware family that opens a backdoor on Mac OS X systems via the Tor network. Bitdefender has named the malware Backdoor.MAC.Eleanor.
According to the researchers, Eleanor's creators are spreading the malware through phishing and through EasyDoc Converter, a Mac app that supposedly converts files when the user drags them onto a small window. Bitdefender says that EasyDoc is in reality built just to run the malicious Eleanor payload.
According to the researchers, EasyDoc downloads and runs a malicious script that installs three new components and registers them to run at startup: a Tor hidden service, a PHP web service and a Pastebin client.
Once Eleanor is installed on a Mac, the Tor component automatically connects the infected machine to the Tor network and generates a .onion address through which the attacker can reach the system using nothing more than a browser. The PHP web service is the receiving end of that connection; it also translates the commands it receives from the attacker's control panel into actions on the local Mac.
This is where the Pastebin agent comes in: it takes the locally generated .onion address, encrypts it with the attackers' RSA public key, base64-encodes the result and uploads it to a Pastebin page. The attackers can fetch that paste and parse it for new entries to their botnet. Because each address is encrypted to a public key whose private half only the attackers hold, anyone else who finds the paste sees only opaque base64 and cannot use it to enumerate the victims.
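The dead-drop scheme described above, as an added example that is not part of the article and not Eleanor's own code: the victim side encrypts its .onion address to the operators' RSA public key and base64-encodes the ciphertext as one paste line; the operator side polls the paste, decrypts every well-formed line and adds previously unseen addresses to its bot list. The key pair, the sample .onion address and the one-line-per-bot paste layout are assumptions made for the demonstration (Bitdefender did not publish Eleanor's key or message format), and the RSA here is textbook RSA with a deterministic toy key, so it shows the structure of the check-in, not a secure implementation.

```python
import base64
import random
from math import gcd


# --- toy RSA key generation (deterministic seed so the demo is reproducible) ---
# NOTE: this is an assumed, insecure toy key, not the key Eleanor actually uses.

def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=512, seed=1337):
    """Return ((e, n), (d, n)). Seeded so that repeated runs give the same key."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (e, p * q), (d, p * q)


# --- victim side: what the Pastebin agent would upload ---

def victim_checkin(onion, public_key):
    """Encrypt the bot's .onion address to the operators' public key, base64-encode it."""
    e, n = public_key
    m = int.from_bytes(onion.encode("ascii"), "big")
    if m >= n:
        raise ValueError("address too long for this toy key")
    c = pow(m, e, n)
    return base64.b64encode(c.to_bytes((n.bit_length() + 7) // 8, "big")).decode()


# --- operator side: parse the paste for new bots ---

def operator_parse_paste(paste_text, private_key, known):
    """Decrypt each base64 line of the paste; return .onion addresses not already in `known`."""
    d, n = private_key
    new = []
    for line in paste_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            c = int.from_bytes(base64.b64decode(line, validate=True), "big")
        except ValueError:  # not base64: noise from other paste users, skip it
            continue
        m = pow(c, d, n)
        onion = m.to_bytes((m.bit_length() + 7) // 8, "big").decode("ascii", errors="replace")
        if onion.endswith(".onion") and onion not in known:
            known.add(onion)
            new.append(onion)
    return new


if __name__ == "__main__":
    pub, priv = generate_keypair()
    # Constructed sample address; not a real hidden service.
    line = victim_checkin("exampleexample22.onion", pub)
    print("paste line (all a defender sees):", line)
    bots = set()
    print("operator learns:", operator_parse_paste(line, priv, bots))
```

The defender-relevant point is in the paste line itself: without `d` it is just base64 noise, so finding the paste tells you there is a botnet but not who is in it. Hunting therefore has to happen on the endpoint (the three startup-registered components) rather than on Pastebin.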
The researchers say that the malware then lets the criminals navigate and interact with the victim's Mac. They can open reverse shells to execute commands as root, and run scripts written in PHP, Perl, Python, Ruby, Java or C. They can list the locally running apps, and use the infected machine to infect more Macs by sending similar phishing mails to the victim's friends and relatives. Eleanor can also use the victim's Mac as an intermediary from which to connect to and administer databases, and to scan remote firewalls for open ports.
All in all, the victim's Mac becomes a zombie controlled by Eleanor's creators, who can use it to send spam, take part in DDoS attacks, host phishing, or do anything else they want.