What You Need to Know About Mac Malware 'Backdoor.MAC.Eleanor'

EasyDoc-ConverterInternet security software company Bitdefender's research lab has disclosed new malware targeting Macs called Backdoor.MAC.Eleanor [PDF]. Learn more about the malware and how to keep your Mac protected against attackers.

What is Backdoor.MAC.Eleanor?

Backdoor.MAC.Eleanor is new OS X/macOS malware arising from a malicious third-party app called EasyDoc Converter, which poses as a drag-and-drop file converter.

What is EasyDoc Converter?

"EasyDoc Converter.app" is a third-party Mac app that poses as a drag-and-drop file converter. The app has the following fake description:

EasyDoc Converter is a fast and simple file converter for OS X. Instantly convert your FreeOffice (.fof) and SimpleStats (.sst) docs to Microsoft Office (.docx) by dropping your file onto the app. EasyDoc Converter is great for employees and students looking for a simple tool for quickly convert files to the popular Microsoft format. EasyDoc Converter lets you get to work quickly by using a simple, clean, drag-and-drop interface. The converted document will be saved in the same directory of the original file.

EasyDoc Converter was previously available on software download website MacUpdate, but the app was removed by July 5. It may remain available for download elsewhere online. The app was never available through the Mac App Store.

The app was created with Platypus, a developer tool used for native Mac apps from shell, Perl, Python or Ruby scripts.

How is Backdoor.MAC.Eleanor distributed?

Backdoor.MAC.Eleanor infects Macs with EasyDoc Converter installed. The app installs a malicious script that is registered to system startup and allows an attacker to anonymously access the infected Mac.

How does Backdoor.MAC.Eleanor put my Mac at risk?

Backdoor.MAC.Eleanor creates a Tor hidden service that provides attackers with full anonymous access to the infected Mac remotely through a PHP-based local web server dubbed Web Service – via a Tor-generated address.

Backdoor-EasyDoc
Attackers then have the ability to access and modify files, execute shell commands, capture images and videos from iSight or FaceTime webcams, and more through a web-based control panel:

• File manager (view, edit, rename, delete, upload, download, and archive files)
• Command execution (execute commands)
• Script execution (execute scripts in PHP, PERL, Python, Ruby, Java, C)
• Shell via bind/reverse shell connect (remotely execute root commands)
• Simple packet crafter (probe firewall rule-sets and find entry points into a targeted system or network)
• Connect and administer databases
• Process list/task manager (access the list of processes and apps running)
• Send emails with attached files

What is a Tor hidden service?

Tor is free software that allows for anonymous communication over a computer network, known as onion routing. The software essentially re-routes network traffic through a network of computers so that it cannot be traced back to its source IP address, allowing users to browse the internet without being identified.

Tor hidden services are websites or servers configured to accept inbound connections only when they are routed through the anonymity network. A hidden service is accessed through its "onion" address, such as XXXpaceinbeg3yci.onion, which the attacker can connect to to gain remote control of the infected Mac.

Which Macs are affected?

MacUpdate listed EasyDoc Converter's system requirements as Intel-based Macs running OS X 10.6 (Snow Leopard) or later. OS X Snow Leopard is compatible with Macs that have at least 1GB of RAM and 5GB of free disk space.

Backdoor.MAC.Eleanor is thereby capable of infecting mid 2007 or newer MacBook models, all MacBook Air and MacBook Pro models, mid 2007 or newer Mac mini and iMac models, and all Mac Pro models.

Identify your Mac model by clicking on the Apple logo in the top-left macOS menu bar and selecting "About This Mac."

How do I protect myself against Backdoor.MAC.Eleanor?

The most important and obvious preventative measure is to avoid downloading "EasyDoc Converter.app" from any source. Installing unfamiliar apps from unidentified developers is almost always a security risk.

Apple's default Gatekeeper security settings already prevent EasyDoc Converter from opening, unless you ignore the warning dialog and proceed to manually open the app under System Preferences > Security & Privacy.

Mac users can also download a trusted anti-malware app such as BlockBlock, which continually monitors common persistence locations and displays an alert whenever a persistent component is added to the system.

Users that already installed EasyDoc Converter can download anti-malware software Malwarebytes, which has already been updated to detect and remove Backdoor.MAC.Eleanor.

How will Apple deal with this malware?

Apple will likely update its "Xprotect" anti-malware system to block EasyDoc Converter.

Top Rated Comments

GenesisST Avatar
66 months ago
It's an OS X virus not Mac OS if we're honest ;)
And not even a virus
Score: 14 Votes (Like | Disagree)
Glassed Silver Avatar
66 months ago
Sooooo... don't download stuff that isn't from the App Store. Check and check.
Lucky you if your computer usage gets by using only App Store applications.

Then again, eventually I decided to use the MAS more as a means to find applications and then get them from the company's own website.
Often you can snatch them up cheaper (for example EDU discounts) and the applications are more capable.

Glassed Silver:mac
Score: 12 Votes (Like | Disagree)
RDeckard Avatar
66 months ago
"The most important and obvious preventative measure is to avoid downloading "EasyDoc Converter.app" from any source."

Easy enough.

Let's see how much press this gets vs. "HummingBad" malware that's infected millions of Android handsets.
Score: 11 Votes (Like | Disagree)
Derekeys Avatar
66 months ago
Sooooo... don't download stuff that isn't from the App Store. Check and check.
Score: 10 Votes (Like | Disagree)
sir1963nz Avatar
66 months ago
MacUpdate being used to distribute malware yet again....People need to stick with the App Store. I think at this point we should assume anything downloaded from MacUpdate probably has malware of some sort.
The fact that MacUpdate send you their updater App NOT the file you asked for killed MacUpdate for me.
ANY system that does this is a malware site and can no longer be trusted.

If you are forced to use MacUpdate, ALWAY click the link to download from the developers site so MacUpdate can not try to install their software.
Score: 8 Votes (Like | Disagree)
dwaltwhit Avatar
66 months ago
But will it really convert my documents?
Score: 6 Votes (Like | Disagree)

Top Stories

nothing ear 1 buds 1

Nothing 'Ear (1)' True Wireless Earbuds Launch to Take on AirPods Pro With ANC and Unusual Design for $99

Tuesday July 27, 2021 7:57 am PDT by
Nothing, a new brand from OnePlus founder Carl Pei, has today officially launched the "Ear (1)" true wireless earbuds after months of anticipation around the company's AirPods Pro rival. The Ear (1) features an in-ear design, Active Noise Cancelation, Bluetooth 5.2, IPX4 water resistance, and a charging case with Qi-compatible wireless charging and a USB-C port. Fast pairing is supported on...
iOS 14 on iPhone feature emergency

Apple Releases iOS and iPadOS 14.7.1 With Fix for Touch ID Apple Watch Bug

Monday July 26, 2021 9:48 am PDT by
Apple today released iOS and iPadOS 14.7.1, minor bug fix updates that come just a week after the release of iOS 14.7, software that introduced new Apple Card features and support for the MagSafe Battery Pack. The iOS and iPadOS 14.7.1 updates can be downloaded for free and the software is available on all eligible devices over-the-air in the Settings app. To access the new software, go to...
iPad mini pro feature 2

iPad Mini 6 to Feature 8.3-Inch Display With No Home Button and Narrower Bezels

Monday July 26, 2021 12:26 pm PDT by
The sixth-generation iPad mini that's in the works will have an 8.3-inch display, according to display analyst Ross Young. That will be larger than the current 7.9-inch display, with the larger size due to the removal of the Home button and a narrower bezel design. Rumors about the iPad mini 6 have been picking up in recent weeks ahead of its prospective launch this fall. Apple analyst...
iphone 12 pro gold

Report: iPhone 14 Pro Models to Feature Tough Titanium Alloy Chassis

Monday July 26, 2021 1:12 am PDT by
Next year's "iPhone 14" series is expected to feature high-end models with a new titanium alloy chassis design, claims a new investors report by JP Morgan Chase. According to the report, the use of titanium alloy will be one of the biggest changes to the case design in the 2022 iPhone series, and Foxconn will be the exclusive manufacturer of the titanium frames for the high-end models....
iOS 15 General Feature Purple

Everything New in iOS 15 Beta 4: Safari Tweaks, MagSafe Battery Pack Support, Notification Updates and More

Tuesday July 27, 2021 11:47 am PDT by
Apple today released the fourth betas of iOS 15 and iPadOS 15, introducing additional refinements to the new features that are coming in the software updates. In these betas, Apple has introduced changes for Safari, Notifications, Focus mode, and more. Safari Updates Apple is continuing to refine the design of Safari on the iPhone, and in iOS 15, there are tweaks to improve usability. ...
apple mac business page

Apple Shares 11 Reasons Why Business Users Should Choose Macs

Monday July 26, 2021 11:35 am PDT by
Apple today updated its Apple at Work website with a new section dedicated to the Mac, which offers up 11 reasons why "Mac means business." On the webpage, Apple highlights the M1 chip as the number one reason why business users should choose a Mac, offering up an M1 overview [PDF] that explains the benefits of the M1 chip. The information isn't new, but it does provide a look at all of...
imac with accessories

Larger Redesigned High-End iMac Rumored to Launch Next Year

Monday July 26, 2021 3:45 am PDT by
Apple's larger redesigned iMac will arrive sometime in 2022 rather than later this year, according to the leaker known as "Dylandkt." On Twitter, Dylandkt claimed that Apple's "high end iMac" is not expected to release in the fourth quarter of 2021 alongside Apple's "M1X Macs" – a reference to Apple's redesigned MacBook Pro models – because "Apple simply does not want their devices to...
General iOS 14

iOS 14.7.1 and macOS Big Sur 11.5.1 Patch Security Vulnerability That May Have Been Actively Exploited

Monday July 26, 2021 11:55 am PDT by
Apple today released unexpected iOS 14.7.1 and iPadOS 14.7.1 updates to the public, and according to a newly released support document, the software addresses a serious security vulnerability that may have been exploited in the wild. Apple says that an application may have been able to execute arbitrary code with kernel privileges due to a memory corruption issue. "Apple is aware of a report ...
apple bitcoin hack

Is Apple Really Buying Bitcoin?

Monday July 26, 2021 3:07 am PDT by
A large number of websites and posts on social media are stoking rumors that Apple has purchased $2.5 billion worth of bitcoin in the company's first move into cryptocurrency, but is there any validity to the claims? Many people are citing the fact that Apple was looking for a Business Development Manager with experience in alternative payments, including cryptocurrency, earlier this year as ...
new m1 chip

Tim Cook on Apple Deciding to Manufacture Components: 'We Ask Ourselves If We Can Do Something Better'

Tuesday July 27, 2021 3:04 pm PDT by
During today's earnings call for the third fiscal quarter of 2021 (second calendar quarter), Apple CEO Tim Cook was asked how Apple decides what components to purchase and what components to develop, and Cook said that Apple asks if it can be done better. We ask ourselves if we can do something better. If we can deliver a better product. If we can buy something in the market and it's great...