Bitdefender security experts have found a new malware family which opens a backdoor via the Tor network on Mac OS X systems.
The technical name of the newly-found threat is Backdoor.MAC.Eleanor, and its creators are delivering it to victims as EasyDoc Converter – a Mac app that allows users to convert files by dragging them over a small window.
According to Bitdefender, the application actually downloads and runs a malicious script which installs and registers at startup three new components: the Tor hidden service, a PHP Web service, and a Pastebin client. The Tor service will automatically connect the infected PC to the Tor network, and generate a .onion domain through which the hacker can access the victim’s system using only a browser.
The PHP Web service is the receiving end of that connection, being also tasked with interpreting the commands it receives from the attacker’s control panel to the local Mac operating system. This is where the Pastebin agent intervenes because the agent takes the locally generated .onion domain and uploads it in a Pastebin URL, after being encrypted with a public key using RSA and base64 algorithms. Cyber criminals can access the PasteBin link, and parse it for new entries to their botnet.
The experts from Bitdefender claim that Backdoor.MAC.Eleanor let criminals navigate and interact with the local filesystem, launch reverse shells to execute root commands, and launch and execute all kind of PHP, PERL, Python, Ruby, Java, or C scripts.
Apart from the above-mentioned, the hackers can also list locally running apps, use the infected computer to send emails, use it as an intermediary point to connect and administer databases, and scan remote firewalls for open ports.
What actually happens is that the infected PC becomes a bot in the attacker’s botnet, which can at any time use it to send out massive spam campaigns, steal sensitive data from the infected system, use it as a DDoS bot, or install other malware.
