Threat Intelligence, Incident Response, Malware, Network Security, TDR

Eleanor Mac malware opens Tor connection for attackers to spy on and control Macs

A newly discovered malware capable of cyberespionage and remote takeover is targeting Mac computers, delivering its payload by opening up a backdoor connection to a command-and-control (C&C) web server via the encrypted Tor network.

Named Eleanor (or Backdoor.MAC.Eleanor), the malware arrives disguised as a drag-and-drop file conversion application called the EasyDoc Converter, which is found on many credible third-party sites, according to an analysis from Bitdefender, whose security researchers uncovered the malware. The program is neither verified nor digitally signed by Apple.

In reality, the program's true purpose is far more malevolent, granting cybercriminals or cyberspies a backdoor connection that allows them to manipulate files, execute commands and scripts (including at the root level), penetrate firewall defenses, administer databases, discover applications running on a machine, and send emails with attached files. The malware also uses a webcam control panel tool to capture images and videos from built-in webcams, as well as a daemon agent that collects infection information, fetches and updates computer files; and executes shell scripts, reported Bitdefender.

Such capabilities could easily allow attackers to silently spy on their victims or turn an infected device into a bot that spreads malware to additional machines. All of this is possible because the malware secretly creates a backdoor in an infected Mac and installs a Tor hidden service that essentially connects the computer to a local server called Web Service, which acts as a C&C center.

"Tor makes the localization of the C&C and the actors behind it very difficult, mainly because of the unpredictability of the routing of the information," Alexandra Gheorghe, security Bitdefender, told "It is mostly used in ransomware campaigns, point-of-sale malware and for botnet infrastructures, to guarantee C&C anonymity and make botnets more resilient against takedowns."

The report notes that the Tor service is also designed to provide access to a Secure Shell (SSH) cryptographic service that would allow an adversary to "access the server from the open Internet even if it's behind a firewall," explained Gheorghe. While the SSH service was not found on the sample user's machine during the researchers' analysis, "We believe it was placed there, to be added later," the online report noted.

Throughout the infection process, each individually infected computer is assigned a unique Tor address. These addresses are encrypted and subsequently stored on a Pastebin page for reference, the report added.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.