A newly discovered malware capable of cyber espionage and remote takeover is targeting Apple Mac computers, delivering its payload by opening up a backdoor connection to a command-and-control web server via the encrypted Tor network.
Named Eleanor (or Backdoor.MAC.Eleanor), the malware arrives disguised as a drag-and-drop file conversion application called the EasyDoc Converter.
The application is found on many credible third-party sites, according to an analysis from Bitdefender, whose security researchers uncovered the malware. The program is neither verified nor digitally signed by Apple.
In reality, the program's true purpose is far more malevolent, granting attackers a backdoor connection that allows them to manipulate files, execute commands and scripts (including at the root level), penetrate firewall defenses, administer databases, discover applications running on a machine, and send emails with attached files.
The malware also uses a webcam control panel tool to capture images and videos from built-in webcams, as well as a daemon agent that collects infection information, fetches and updates computer files, and executes shell scripts, Bitdefender said.
Such capabilities could easily allow attackers to silently spy on their victims or turn an infected device into a bot that spreads malware to additional machines.
This is possible because the malware secretly creates a backdoor in an infected Mac and installs a Tor hidden service that essentially connects the computer to a local server called Web Service, which acts as a C&C centre.
"Tor makes the localisation of the C&C and the actors behind it very difficult, mainly because of the unpredictability of the routing of the information," Alexandra Gheorghe, security specialist.at Bitdefender, said.
"It is mostly used in ransomware campaigns, point-of-sale malware and for botnet infrastructures, to guarantee C&C anonymity and make botnets more resilient against takedowns."
The Tor service is also designed to provide access to a Secure Shell (SSH) cryptographic service that would allow an adversary to "access the server from the open internet even if it's behind a firewall," Gheorghe said.
While the SSH service was not found on the sample user's machine during the researchers' analysis, "we believe it was placed there, to be added later," Bitdefender said.
Throughout the infection process, each individually infected computer is assigned a unique Tor address. These addresses are encrypted and subsequently stored on a Pastebin page for reference, the report stated.