What You Need to Know About Mac Malware 'Backdoor.MAC.Eleanor'

EasyDoc-ConverterInternet security software company Bitdefender's research lab has disclosed new malware targeting Macs called Backdoor.MAC.Eleanor [PDF]. Learn more about the malware and how to keep your Mac protected against attackers.

What is Backdoor.MAC.Eleanor?

Backdoor.MAC.Eleanor is new OS X/macOS malware arising from a malicious third-party app called EasyDoc Converter, which poses as a drag-and-drop file converter.

What is EasyDoc Converter?

"EasyDoc Converter.app" is a third-party Mac app that poses as a drag-and-drop file converter. The app has the following fake description:

EasyDoc Converter is a fast and simple file converter for OS X. Instantly convert your FreeOffice (.fof) and SimpleStats (.sst) docs to Microsoft Office (.docx) by dropping your file onto the app. EasyDoc Converter is great for employees and students looking for a simple tool for quickly convert files to the popular Microsoft format. EasyDoc Converter lets you get to work quickly by using a simple, clean, drag-and-drop interface. The converted document will be saved in the same directory of the original file.

EasyDoc Converter was previously available on software download website MacUpdate, but the app was removed by July 5. It may remain available for download elsewhere online. The app was never available through the Mac App Store.

The app was created with Platypus, a developer tool used for native Mac apps from shell, Perl, Python or Ruby scripts.

How is Backdoor.MAC.Eleanor distributed?

Backdoor.MAC.Eleanor infects Macs with EasyDoc Converter installed. The app installs a malicious script that is registered to system startup and allows an attacker to anonymously access the infected Mac.

How does Backdoor.MAC.Eleanor put my Mac at risk?

Backdoor.MAC.Eleanor creates a Tor hidden service that provides attackers with full anonymous access to the infected Mac remotely through a PHP-based local web server dubbed Web Service – via a Tor-generated address.

Backdoor-EasyDoc
Attackers then have the ability to access and modify files, execute shell commands, capture images and videos from iSight or FaceTime webcams, and more through a web-based control panel:

• File manager (view, edit, rename, delete, upload, download, and archive files)
• Command execution (execute commands)
• Script execution (execute scripts in PHP, PERL, Python, Ruby, Java, C)
• Shell via bind/reverse shell connect (remotely execute root commands)
• Simple packet crafter (probe firewall rule-sets and find entry points into a targeted system or network)
• Connect and administer databases
• Process list/task manager (access the list of processes and apps running)
• Send emails with attached files

What is a Tor hidden service?

Tor is free software that allows for anonymous communication over a computer network, known as onion routing. The software essentially re-routes network traffic through a network of computers so that it cannot be traced back to its source IP address, allowing users to browse the internet without being identified.

Tor hidden services are websites or servers configured to accept inbound connections only when they are routed through the anonymity network. A hidden service is accessed through its "onion" address, such as XXXpaceinbeg3yci.onion, which the attacker can connect to to gain remote control of the infected Mac.

Which Macs are affected?

MacUpdate listed EasyDoc Converter's system requirements as Intel-based Macs running OS X 10.6 (Snow Leopard) or later. OS X Snow Leopard is compatible with Macs that have at least 1GB of RAM and 5GB of free disk space.

Backdoor.MAC.Eleanor is thereby capable of infecting mid 2007 or newer MacBook models, all MacBook Air and MacBook Pro models, mid 2007 or newer Mac mini and iMac models, and all Mac Pro models.

Identify your Mac model by clicking on the Apple logo in the top-left macOS menu bar and selecting "About This Mac."

How do I protect myself against Backdoor.MAC.Eleanor?

The most important and obvious preventative measure is to avoid downloading "EasyDoc Converter.app" from any source. Installing unfamiliar apps from unidentified developers is almost always a security risk.

Apple's default Gatekeeper security settings already prevent EasyDoc Converter from opening, unless you ignore the warning dialog and proceed to manually open the app under System Preferences > Security & Privacy.

Mac users can also download a trusted anti-malware app such as BlockBlock, which continually monitors common persistence locations and displays an alert whenever a persistent component is added to the system.

Users that already installed EasyDoc Converter can download anti-malware software Malwarebytes, which has already been updated to detect and remove Backdoor.MAC.Eleanor.

How will Apple deal with this malware?

Apple will likely update its "Xprotect" anti-malware system to block EasyDoc Converter.

Top Rated Comments

(View all)
Avatar
53 months ago

It's an OS X virus not Mac OS if we're honest ;)

And not even a virus
Score: 14 Votes (Like | Disagree)
Avatar
53 months ago

Sooooo... don't download stuff that isn't from the App Store. Check and check.

Lucky you if your computer usage gets by using only App Store applications.

Then again, eventually I decided to use the MAS more as a means to find applications and then get them from the company's own website.
Often you can snatch them up cheaper (for example EDU discounts) and the applications are more capable.

Glassed Silver:mac
Score: 12 Votes (Like | Disagree)
Avatar
53 months ago
"The most important and obvious preventative measure is to avoid downloading "EasyDoc Converter.app" from any source."

Easy enough.

Let's see how much press this gets vs. "HummingBad" malware that's infected millions of Android handsets.
Score: 11 Votes (Like | Disagree)
Avatar
53 months ago
Sooooo... don't download stuff that isn't from the App Store. Check and check.
Score: 10 Votes (Like | Disagree)
Avatar
53 months ago

MacUpdate being used to distribute malware yet again....People need to stick with the App Store. I think at this point we should assume anything downloaded from MacUpdate probably has malware of some sort.

The fact that MacUpdate send you their updater App NOT the file you asked for killed MacUpdate for me.
ANY system that does this is a malware site and can no longer be trusted.

If you are forced to use MacUpdate, ALWAY click the link to download from the developers site so MacUpdate can not try to install their software.
Score: 8 Votes (Like | Disagree)
Avatar
53 months ago
But will it really convert my documents?
Score: 6 Votes (Like | Disagree)

Top Stories

Apple-Acquired Dark Sky Officially Shuts Down Android App

Saturday August 1, 2020 3:43 pm PDT by
Apple in March purchased weather app Dark Sky, and at that time, Dark Sky's developers said that the app's Android version would be discontinued on July 1, 2020. However, instead of shuttering the app on that date, the app's developers announced that the discontinuation would be delayed for another month. Now that it's August, Android users are no longer able to access the app, and...

Apple May Launch This Year's 'iPhone 12' Lineup in Two Stages, With 6.1-inch Models Debuting First

Monday August 3, 2020 3:14 am PDT by
Apple last week confirmed that its "‌iPhone‌ 12" launch will be delayed this year due to the ongoing global health crisis and restrictions on travel. Apple last year started selling iPhones in late September, but this year, Apple projects supply will be "available a few weeks later," suggesting a release sometime in October. We're expecting a total of four OLED iPhones in 5.4, 6.1, and...

Top Stories: Try the 5.4-Inch iPhone 12 Display Size, Blockbuster Earnings, Tim Cook at Antitrust Hearing

Saturday August 1, 2020 6:00 am PDT by
Another busy week of Apple news and rumors has wrapped up, with a lot of focus on Tim Cook's appearance at a Congressional antitrust hearing and a blockbuster earnings report. Subscribe to the MacRumors YouTube channel for more videos. We continued to hear rumors about the upcoming iPhone 12 lineup, including a rare admission from Apple that the lineup will launch "a few weeks later" than...

Just How Small Will the 5.4-Inch iPhone 12 Screen Be? Try It Out for Yourself

Tuesday July 28, 2020 12:57 pm PDT by
As rumors of the iPhone 12 have continued to build over the past few months, the one model that has the most excitement around it is the smallest 5.4" model. The iPhone 12 is believed to be coming in 5.4", 6.7", and 6.1" sizes. Dummy models have shown how much smaller the 5.4" is compared to the rest of the iPhone lineup. The upcoming 5.4" iPhone falls in-between the size of the original...

Unreleased iPod Touch with Mac Pro Glossy Black Finish Shared Online

Sunday August 2, 2020 11:32 am PDT by
Twitter user @DongleBookPro has today posted images of what seems to be a first-generation iPod Touch prototype with a 2013 Mac Pro-style glossy black finish. The Twitter user claims that the iPod Touch prototype pictured has "the same coating as the 2013 Mac Pro." Had the finish been selected for the final product, it also would have been similar to the metallic glossy black finish that...

Apple Confirms This Year's iPhone 12 Models Will Be a Little Bit Late

Thursday July 30, 2020 2:34 pm PDT by
During today's earnings call covering the third fiscal quarter of 2020 (second calendar quarter) Apple CFO Luca Maestri confirmed that Apple is expecting to release this year's iPhones later than usual. Maestri said that Apple last year started selling iPhones in late September, but this year, Apple projects supply will be "available a few weeks later." Multiple rumors have suggested that ...

Battery Likely for Upcoming Apple Watch Series 6 Filed in Certification Listings

Saturday August 1, 2020 5:46 am PDT by
A battery likely for the upcoming Apple Watch Series 6 has been filed at the Korea Testing and Research Institute and discovered by a Twitter user @yabhishekhd. Certification for a 1.17Wh battery with a capacity of 303.8mAh was issued on June 23 by the KTR, a Korean regulatory body that approves and tests new hardware ahead of public sale. The battery seems to be destined for a future...

Apple Watch Series 6 to Feature Blood Oxygen Monitoring Sensor

Friday July 31, 2020 1:56 am PDT by
The Apple Watch Series 6 will add blood oxygen monitoring to its features list when it's launched later this year, according to a new report from DigiTimes. Apple Watch 6 will feature biosensors that can monitor sleeping conditions, detect blood oxygen and measure pulse rates, heartbeats and atrial fibrillation, and will also incorporate MEMS-based accelerometer and gyroscope, all allowing the ...

Apple Marks Return of NHL With New 'Hockey Tape' Ad Shot on iPhone 11 Pro

Saturday August 1, 2020 2:33 am PDT by
Apple today marked the return of NHL hockey with a new "Shot on iPhone" ad on its YouTube channel in Canada. Titled "Hockey Tape," the 30-second video features Vegas Golden Knights players Marc-André Fleury and Mark Stone having some on-ice fun with the iPhone 11 Pro, which they attach to the boards, a hockey stick, and a skate with hockey tape. "See the game like never before with Ultra ...

Emails Reveal Why Steve Jobs and Phil Schiller Blocked In-App Purchase of Kindle Books

Friday July 31, 2020 6:25 am PDT by
Internal Apple emails, made public by the House Judiciary Committee's antitrust inquiry, have revealed information about why Apple blocked in-app purchases of Kindle books on iOS devices, reports The Verge. Two sets of emails between Steve Jobs, Phil Schiller, Eddy Cue, and various other senior Apple executives, disclose the exact thinking behind how Apple approached Kindle on iOS. The...