New OS X Backdoor Provides Restricted Access
Backdoor.MAC.Eleanor, as Bitdefender researchers have dubbed the malware, can be used for cyber-espionage and abuses the Tor (The Onion Router) network for communication and control purposes. The researchers also discovered that every infected machine has a unique Tor address, which the attacker uses to connect and download malware.
The backdoor is embedded into a fake file converter application that is accessible online on reputable sites offering Mac applications and software. The EasyDoc Converter.app poses as a drag-and-drop file converter, but has no real functionality. It simply downloads a malicious script which can be used as a backdoor to remotely exploit the infected systems. The backdoor provides the attacker with full access to the operating system, to file explorer, shell execution, webcam, and other resources, Bitdefender researchers explain in a new report.
Tor Hidden Service
This component creates a Tor hidden service that allows an attacker to anonymously access the command-and-control center, a local web server dubbed Web Service (PHP), from the outside via a Tor-generated address.
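For host triage, the arrangement described above (a Tor hidden service publishing a local web server) is visible in any Tor configuration found on the machine. The following is an added example, not code from the article or from Bitdefender's report: it parses torrc text for the standard HiddenServiceDir and HiddenServicePort directives and reports which local listener each onion port maps to. The sample configuration, its paths and ports, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample torrc; the paths and ports are illustrative, not Eleanor's.
SAMPLE_TORRC = """\
SocksPort 9060
HiddenServiceDir /Users/alice/Library/.example/hs   # constructed path
HiddenServicePort 80 127.0.0.1:9991
hiddenserviceport 22
HiddenServiceDir /var/lib/tor/site
HiddenServicePort 443 unix:/var/run/site.sock
"""

def _is_loopback(host):
    """True when the target is a loopback TCP address (a local-only listener)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unix: socket path or a hostname

def _target(virt_port, args):
    """Resolve TARGET; Tor maps to 127.0.0.1:VIRTPORT when it is omitted."""
    if not args:
        return "127.0.0.1", virt_port
    tgt = args[0]
    if tgt.startswith("unix:"):
        return tgt, None
    host, sep, port = tgt.rpartition(":")  # assumes IPv6 targets are bracketed
    if not sep:  # bare port or bare address
        return ("127.0.0.1", int(tgt)) if tgt.isdigit() else (tgt, virt_port)
    return host.strip("[]"), int(port)

def hidden_services(torrc_text):
    """Return one finding per HiddenServicePort, tied to its HiddenServiceDir."""
    findings, current_dir = [], None
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if len(parts) < 2:
            continue
        key, rest = parts[0].lower(), parts[1].strip()  # option names are case-insensitive
        if key == "hiddenservicedir":
            current_dir = rest
        elif key == "hiddenserviceport" and current_dir:
            virt = int(rest.split()[0])
            host, port = _target(virt, rest.split()[1:])
            findings.append({"dir": current_dir, "onion_port": virt, "target": host,
                             "target_port": port, "loopback": _is_loopback(host)})
    return findings
```

A finding with a loopback target on a machine that is not supposed to host an onion service is worth following up: check what process is listening on the target port and where the HiddenServiceDir lives.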
Web Service (PHP)
This component acts as the C&C center and gives the attacker full control over the infected machine. The web service is set up locally and can be accessed through the “onion” address. After authenticating with the correct password, attackers gain access to a web-based control panel with the following abilities:
• File manager (view, edit, rename, delete, upload, download, and archive files)
• Command execution (execute commands)
• Script execution (execute scripts in PHP, Perl, Python, Ruby, Java, C)
• Shell via bind/reverse shell connect (remotely execute root commands)
• Simple packet crafter (probe firewall rule-sets and find entry points into a targeted system or network)
• Connect and administer databases
• Process list/Task manager (access the list of processes and applications running on the system)
• Send emails with attached files
The malware uses a tool named “wacaw” to capture images and videos from built-in webcams. It also uses a daemon to grab updates and fetch files from the user’s computer or execute shell scripts.
Every infected machine has a unique Tor address that the attacker uses to connect and download the malware. All the addresses are stored on pastebin.com using this agent, after being encrypted with an RSA public key and base64-encoded.
Bitdefender researchers managed to pinpoint April 19 as the date when the first infection info was uploaded to pastebin.com, which suggests that Eleanor is rather new. However, since the analyzed sample used a pastebin.com user limited to 25 uploads, the researchers couldn’t deduce the number of infected machines, because different samples might use different users and some of them might upload more than 25 entries.
“This type of malware is particularly dangerous as it’s hard to detect and offers the attacker full control of the compromised system,” says Tiberius Axinte, Technical Leader, Bitdefender Anti-malware Lab. “For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices. The possibilities are endless.”