What You Need to Know About Mac Malware 'Backdoor.MAC.Eleanor'

Internet security software company Bitdefender's research lab has disclosed new malware targeting Macs called Backdoor.MAC.Eleanor [PDF]. Learn more about the malware and how to keep your Mac protected against attackers.

What is Backdoor.MAC.Eleanor?

Backdoor.MAC.Eleanor is new OS X/macOS malware arising from a malicious third-party app called EasyDoc Converter, which poses as a drag-and-drop file converter.

What is EasyDoc Converter?

"EasyDoc Converter.app" is a third-party Mac app that poses as a drag-and-drop file converter. The app has the following fake description:

EasyDoc Converter is a fast and simple file converter for OS X. Instantly convert your FreeOffice (.fof) and SimpleStats (.sst) docs to Microsoft Office (.docx) by dropping your file onto the app. EasyDoc Converter is great for employees and students looking for a simple tool for quickly convert files to the popular Microsoft format. EasyDoc Converter lets you get to work quickly by using a simple, clean, drag-and-drop interface. The converted document will be saved in the same directory of the original file.

EasyDoc Converter was previously available on software download website MacUpdate, but the app was removed by July 5. It may remain available for download elsewhere online. The app was never available through the Mac App Store.

The app was created with Platypus, a developer tool used to create native Mac apps from shell, Perl, Python or Ruby scripts.

How is Backdoor.MAC.Eleanor distributed?

Backdoor.MAC.Eleanor infects Macs with EasyDoc Converter installed. The app installs a malicious script that is registered to system startup and allows an attacker to anonymously access the infected Mac.

How does Backdoor.MAC.Eleanor put my Mac at risk?

Backdoor.MAC.Eleanor creates a Tor hidden service that provides attackers with full anonymous access to the infected Mac remotely through a PHP-based local web server dubbed Web Service – via a Tor-generated address.

Attackers then have the ability to access and modify files, execute shell commands, capture images and videos from iSight or FaceTime webcams, and more through a web-based control panel:

• File manager (view, edit, rename, delete, upload, download, and archive files)
• Command execution (execute commands)
• Script execution (execute scripts in PHP, PERL, Python, Ruby, Java, C)
• Shell via bind/reverse shell connect (remotely execute root commands)
• Simple packet crafter (probe firewall rule-sets and find entry points into a targeted system or network)
• Connect and administer databases
• Process list/task manager (access the list of processes and apps running)
• Send emails with attached files

What is a Tor hidden service?

Tor is free software that allows for anonymous communication over a computer network using a technique known as onion routing. The software essentially re-routes network traffic through a network of computers so that it cannot be traced back to its source IP address, allowing users to browse the internet without being identified.

Tor hidden services are websites or servers configured to accept inbound connections only when they are routed through the anonymity network. A hidden service is accessed through its "onion" address, such as XXXpaceinbeg3yci.onion, which the attacker can connect to in order to gain remote control of the infected Mac.

Which Macs are affected?

MacUpdate listed EasyDoc Converter's system requirements as Intel-based Macs running OS X 10.6 (Snow Leopard) or later. OS X Snow Leopard is compatible with Macs that have at least 1GB of RAM and 5GB of free disk space.

Backdoor.MAC.Eleanor is thereby capable of infecting mid 2007 or newer MacBook models, all MacBook Air and MacBook Pro models, mid 2007 or newer Mac mini and iMac models, and all Mac Pro models.

Identify your Mac model by clicking on the Apple logo in the top-left macOS menu bar and selecting "About This Mac."

How do I protect myself against Backdoor.MAC.Eleanor?

The most important and obvious preventative measure is to avoid downloading "EasyDoc Converter.app" from any source. Installing unfamiliar apps from unidentified developers is almost always a security risk.

Apple's default Gatekeeper security settings already prevent EasyDoc Converter from opening, unless you ignore the warning dialog and proceed to manually open the app under System Preferences > Security & Privacy.

Mac users can also download a trusted anti-malware app such as BlockBlock, which continually monitors common persistence locations and displays an alert whenever a persistent component is added to the system.
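The kind of check a persistence monitor performs can be sketched as follows. This is an added example, not code from the article, Bitdefender or BlockBlock: it records every launchd job in the standard macOS LaunchAgents and LaunchDaemons directories and reports jobs that are new or changed since the last run. The directory list and the baseline file name are assumptions, since the article does not say where this malware registers its startup script.

```python
import hashlib
import json
import os
import plistlib
from pathlib import Path

# Standard macOS launchd directories (assumption: the article names no paths).
LAUNCHD_DIRS = [os.path.expanduser("~/Library/LaunchAgents"),
                "/Library/LaunchAgents", "/Library/LaunchDaemons"]

def snapshot(dirs=LAUNCHD_DIRS):
    """Map each launchd plist to its hash and the command it starts."""
    items = {}
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            raw = p.read_bytes()
            try:
                job = plistlib.loads(raw)
                job = job if isinstance(job, dict) else {}
            except Exception:
                job = {}  # unparsable plist: still tracked by its hash
            cmd = job.get("ProgramArguments") or [job.get("Program", "?")]
            items[str(p)] = {
                "sha256": hashlib.sha256(raw).hexdigest(),
                "label": str(job.get("Label", "?")),
                "command": [str(c) for c in cmd],
                "run_at_load": bool(job.get("RunAtLoad", False)),
            }
    return items

def diff(baseline, current):
    """Return (added, changed) plist paths relative to a saved baseline."""
    added = sorted(set(current) - set(baseline))
    changed = sorted(p for p in set(current) & set(baseline)
                     if current[p]["sha256"] != baseline[p]["sha256"])
    return added, changed

if __name__ == "__main__":
    state = Path("launchd_baseline.json")  # hypothetical baseline file name
    now = snapshot()
    if state.exists():
        added, changed = diff(json.loads(state.read_text()), now)
        for p in added + changed:
            print("REVIEW", p, now[p]["label"], " ".join(now[p]["command"]))
    state.write_text(json.dumps(now, indent=2))
```

Run it once on a known-good system to create the baseline, then again after installing software; any line it prints is a startup item worth inspecting before the next login.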

Users that already installed EasyDoc Converter can download anti-malware software Malwarebytes, which has already been updated to detect and remove Backdoor.MAC.Eleanor.

How will Apple deal with this malware?

Apple will likely update its "Xprotect" anti-malware system to block EasyDoc Converter.

Top Rated Comments

56 months ago

It's an OS X virus not Mac OS if we're honest ;)

And not even a virus
Score: 14 Votes
56 months ago

Sooooo... don't download stuff that isn't from the App Store. Check and check.

Lucky you if your computer usage gets by using only App Store applications.

Then again, eventually I decided to use the MAS more as a means to find applications and then get them from the company's own website.
Often you can snatch them up cheaper (for example EDU discounts) and the applications are more capable.

Glassed Silver:mac
Score: 12 Votes
56 months ago
"The most important and obvious preventative measure is to avoid downloading "EasyDoc Converter.app" from any source."

Easy enough.

Let's see how much press this gets vs. "HummingBad" malware that's infected millions of Android handsets.
Score: 11 Votes
56 months ago
Sooooo... don't download stuff that isn't from the App Store. Check and check.
Score: 10 Votes
56 months ago

MacUpdate being used to distribute malware yet again....People need to stick with the App Store. I think at this point we should assume anything downloaded from MacUpdate probably has malware of some sort.

The fact that MacUpdate sends you their updater App NOT the file you asked for killed MacUpdate for me.
ANY system that does this is a malware site and can no longer be trusted.

If you are forced to use MacUpdate, ALWAYS click the link to download from the developer's site so MacUpdate can not try to install their software.
Score: 8 Votes
56 months ago
But will it really convert my documents?
Score: 6 Votes
