What You Need to Know About Mac Malware 'Backdoor.MAC.Eleanor'

EasyDoc-ConverterInternet security software company Bitdefender's research lab has disclosed new malware targeting Macs called Backdoor.MAC.Eleanor [PDF]. Learn more about the malware and how to keep your Mac protected against attackers.

What is Backdoor.MAC.Eleanor?

Backdoor.MAC.Eleanor is new OS X/macOS malware arising from a malicious third-party app called EasyDoc Converter, which poses as a drag-and-drop file converter.

What is EasyDoc Converter?

"EasyDoc Converter.app" is a third-party Mac app that poses as a drag-and-drop file converter. The app has the following fake description:

EasyDoc Converter is a fast and simple file converter for OS X. Instantly convert your FreeOffice (.fof) and SimpleStats (.sst) docs to Microsoft Office (.docx) by dropping your file onto the app. EasyDoc Converter is great for employees and students looking for a simple tool for quickly convert files to the popular Microsoft format. EasyDoc Converter lets you get to work quickly by using a simple, clean, drag-and-drop interface. The converted document will be saved in the same directory of the original file.

EasyDoc Converter was previously available on software download website MacUpdate, but the app was removed by July 5. It may remain available for download elsewhere online. The app was never available through the Mac App Store.

The app was created with Platypus, a developer tool used for native Mac apps from shell, Perl, Python or Ruby scripts.

How is Backdoor.MAC.Eleanor distributed?

Backdoor.MAC.Eleanor infects Macs with EasyDoc Converter installed. The app installs a malicious script that is registered to system startup and allows an attacker to anonymously access the infected Mac.

How does Backdoor.MAC.Eleanor put my Mac at risk?

Backdoor.MAC.Eleanor creates a Tor hidden service that provides attackers with full anonymous access to the infected Mac remotely through a PHP-based local web server dubbed Web Service – via a Tor-generated address.

Backdoor-EasyDoc
Attackers then have the ability to access and modify files, execute shell commands, capture images and videos from iSight or FaceTime webcams, and more through a web-based control panel:

• File manager (view, edit, rename, delete, upload, download, and archive files)
• Command execution (execute commands)
• Script execution (execute scripts in PHP, PERL, Python, Ruby, Java, C)
• Shell via bind/reverse shell connect (remotely execute root commands)
• Simple packet crafter (probe firewall rule-sets and find entry points into a targeted system or network)
• Connect and administer databases
• Process list/task manager (access the list of processes and apps running)
• Send emails with attached files

What is a Tor hidden service?

Tor is free software that allows for anonymous communication over a computer network, known as onion routing. The software essentially re-routes network traffic through a network of computers so that it cannot be traced back to its source IP address, allowing users to browse the internet without being identified.

Tor hidden services are websites or servers configured to accept inbound connections only when they are routed through the anonymity network. A hidden service is accessed through its "onion" address, such as XXXpaceinbeg3yci.onion, which the attacker can connect to to gain remote control of the infected Mac.

Which Macs are affected?

MacUpdate listed EasyDoc Converter's system requirements as Intel-based Macs running OS X 10.6 (Snow Leopard) or later. OS X Snow Leopard is compatible with Macs that have at least 1GB of RAM and 5GB of free disk space.

Backdoor.MAC.Eleanor is thereby capable of infecting mid 2007 or newer MacBook models, all MacBook Air and MacBook Pro models, mid 2007 or newer Mac mini and iMac models, and all Mac Pro models.

Identify your Mac model by clicking on the Apple logo in the top-left macOS menu bar and selecting "About This Mac."

How do I protect myself against Backdoor.MAC.Eleanor?

The most important and obvious preventative measure is to avoid downloading "EasyDoc Converter.app" from any source. Installing unfamiliar apps from unidentified developers is almost always a security risk.

Apple's default Gatekeeper security settings already prevent EasyDoc Converter from opening, unless you ignore the warning dialog and proceed to manually open the app under System Preferences > Security & Privacy.

Mac users can also download a trusted anti-malware app such as BlockBlock, which continually monitors common persistence locations and displays an alert whenever a persistent component is added to the system.

Users that already installed EasyDoc Converter can download anti-malware software Malwarebytes, which has already been updated to detect and remove Backdoor.MAC.Eleanor.

How will Apple deal with this malware?

Apple will likely update its "Xprotect" anti-malware system to block EasyDoc Converter.

Top Rated Comments

GenesisST Avatar
77 months ago
It's an OS X virus not Mac OS if we're honest ;)
And not even a virus
Score: 14 Votes (Like | Disagree)
Glassed Silver Avatar
77 months ago
Sooooo... don't download stuff that isn't from the App Store. Check and check.
Lucky you if your computer usage gets by using only App Store applications.

Then again, eventually I decided to use the MAS more as a means to find applications and then get them from the company's own website.
Often you can snatch them up cheaper (for example EDU discounts) and the applications are more capable.

Glassed Silver:mac
Score: 12 Votes (Like | Disagree)
RDeckard Avatar
77 months ago
"The most important and obvious preventative measure is to avoid downloading "EasyDoc Converter.app" from any source."

Easy enough.

Let's see how much press this gets vs. "HummingBad" malware that's infected millions of Android handsets.
Score: 11 Votes (Like | Disagree)
Derekeys Avatar
77 months ago
Sooooo... don't download stuff that isn't from the App Store. Check and check.
Score: 10 Votes (Like | Disagree)
sir1963nz Avatar
77 months ago
MacUpdate being used to distribute malware yet again....People need to stick with the App Store. I think at this point we should assume anything downloaded from MacUpdate probably has malware of some sort.
The fact that MacUpdate send you their updater App NOT the file you asked for killed MacUpdate for me.
ANY system that does this is a malware site and can no longer be trusted.

If you are forced to use MacUpdate, ALWAY click the link to download from the developers site so MacUpdate can not try to install their software.
Score: 8 Votes (Like | Disagree)
dwaltwhit Avatar
77 months ago
But will it really convert my documents?
Score: 6 Votes (Like | Disagree)

Popular Stories

RIP iPod Feature

RIP iPod: A Look Back at Apple's Iconic Music Player Over the Years

Friday May 13, 2022 2:25 pm PDT by
Apple earlier this week announced the discontinuation of the iPod touch, and because it was the last iPod still available for purchase, its sunsetting effectively marks the end of the entire iPod lineup. To send the iPod on its way, we thought it would be fun to take a look back at some of the most notable iPod releases over the last 21 years. Original iPod (2001) Introduced in October...
iOS 16 mock for article

Gurman: iOS 16 to Include New Ways of System Interaction and 'Fresh Apple Apps'

Sunday May 15, 2022 6:14 am PDT by
iOS 16 will include new ways of interacting with the system and some "fresh Apple apps," Bloomberg's Mark Gurman has said, offering some more detail on what Apple has in store for the upcoming release of iOS and iPadOS set to be announced in a few weeks at WWDC. In the latest edition of his Power On newsletter, Gurman wrote that while iOS 16 is not likely to introduce a major face-lift to...
14 16 inch 2021 mbps back to back feature orange

Five Things You Still Can't Do With a MacBook Pro

Wednesday May 11, 2022 11:16 am PDT by
It's been over 200 days since Apple debuted its redesigned MacBook Pro lineup. Offered in 14-inch and 16-inch display sizes, the new-look MacBooks wowed Apple fans and creative pros alike with their powerful custom Apple silicon, mini-LED screen, and multiple connectivity options. But there are still some things you can't do with a MacBook Pro. Here are five features some Mac users are still...
iOS 16 mock for article

Which Devices Will iOS 16 and iPadOS 16 Support?

Thursday May 12, 2022 7:29 am PDT by
While there are as yet no concrete rumors related to which devices iOS 16 and iPadOS 16 will support, the discontinuation of the iPod touch earlier this week may be an indication that as many as nine devices could be about to lose support for Apple's upcoming operating systems. iOS and iPadOS 13, 14, and 15 support all of the same devices, with the iPhone 6S and iPhone 6S Plus,...
apple mac ipad watch trade in

Apple Launches Limited-Time Bonus Trade-In Credit for iPhone, iPad, Mac, and Apple Watch in Many Countries

Wednesday May 11, 2022 5:14 am PDT by
Apple has launched a special limited-time offer for iPhone, Apple Watch, Mac, and iPad trade-in that offers customers additional credit when trading in their only device for a new one. The offer is being run in several countries including the US, UK, Germany, Spain, Italy, South Korea, Japan, Taiwan, China, India, and France. In the UK, Apple is offering up to £50 of extra trade-in credit...
sony

Sony Unveils Redesigned WH-1000XM5 Headphones With Improved Noise Cancelation

Thursday May 12, 2022 9:26 am PDT by
Sony's flagship WH-1000XM4 noise-canceling headphones have been among the best on the market for some time, and today Sony announced its fifth-generation WH-1000XM5 headphones, boasting a new design and several improvements over the previous model. The redesigned headphones replace the shrouded arms that swivel on the XM4's with an exposed arm that has a single contact point at the earcups,...
apple tv 4k design clue

Kuo: New Apple TV to Launch in Second Half of 2022, Lower Price Possible

Friday May 13, 2022 7:58 am PDT by
Apple plans to launch a new version of the Apple TV in the second half of 2022, according to well-known analyst Ming-Chi Kuo. In a tweet today, Kuo said the new Apple TV will have an improved cost structure, suggesting that the device could have a lower price that is more competitive with other streaming media players like Google's Chromecast line, Amazon's Fire TV line, and the Roku line. ...
iPhone 14 Purple Feature

Full Range of iPhone 14 Color Options Revealed by Purported Leak From China

Wednesday May 11, 2022 2:20 am PDT by
The iPhone 14 and iPhone 14 Pro models will be available in a refreshed range of color options, including an all-new purple color, according to a recent rumor. The claim comes from a post on Chinese social media site Weibo by an unverified source and purports to reveal the full range of color options for Apple's upcoming iPhone 14 and iPhone 14 Pro models. Compared to the selection of color...