Malware Uses Tor for OS X Backdoor

Thursday, July 7, 2016 @ 03:07 PM gHale
A new type of malware opens a backdoor via the Tor network on Mac OS X systems.

The malware’s technical name is Backdoor.MAC.Eleanor, and currently, its creators are distributing it as EasyDoc Converter, a Mac app that allows users to convert files by dragging them over a small window, said researchers at Bitdefender.


In reality, the app only downloads and runs a malicious script that installs three new components and registers them to run at startup: a Tor hidden service, a PHP Web service, and a Pastebin client, Bitdefender researchers said.

The Tor service will automatically connect the infected computer to the Tor network, and generate an .onion domain through which the attacker can access the user’s system using only a browser.

The PHP Web service is the receiving end of that connection; it is also tasked with translating the commands it receives from the attacker's control panel into actions on the local Mac operating system.

This is where the Pastebin agent comes in: it takes the locally generated .onion domain, encrypts it with a public key using RSA, base64-encodes the result, and uploads it to a Pastebin URL. Attackers can then access this Pastebin link and parse it for new entries to their botnet.
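Because all three components are registered to run at startup, a defender can triage launchd agent plists for that combination. The following is an added example written for this article, not Bitdefender's tooling or the malware's real artifacts; the keyword hints, file names and plist contents are constructed assumptions for illustration.

```python
import plistlib
from typing import Dict, List, Set

# Keyword hints for the three startup components the report describes.
# These are triage assumptions, not the real malware's file names or arguments.
COMPONENT_HINTS: Dict[str, tuple] = {
    "tor_hidden_service": ("/tor", "torrc", "hiddenservice"),
    "php_web_service": ("php",),
    "pastebin_client": ("pastebin",),
}

def plist_components(plist_bytes: bytes) -> Set[str]:
    """Return which report-described components a launchd plist appears to start."""
    data = plistlib.loads(plist_bytes)
    argv = list(data.get("ProgramArguments", []))
    if "Program" in data:  # launchd also accepts a bare Program key
        argv.insert(0, data["Program"])
    cmdline = " ".join(str(a) for a in argv).lower()
    return {name for name, hints in COMPONENT_HINTS.items()
            if any(h in cmdline for h in hints)}

def triage_launch_agents(agents: Dict[str, bytes]) -> Dict[str, object]:
    """Group findings per plist and flag the host when all three components persist together."""
    per_file = {path: sorted(plist_components(raw)) for path, raw in agents.items()}
    seen = set().union(*per_file.values())
    return {"per_file": per_file,
            "components_seen": sorted(seen),
            "matches_eleanor_pattern": seen == set(COMPONENT_HINTS)}

def _plist(label: str, argv: List[str]) -> bytes:
    """Build a minimal launchd agent plist (constructed sample data)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": argv, "RunAtLoad": True})

# Constructed sample set: three hypothetical agents resembling the described components
# plus one ordinary updater agent that must not be flagged.
SAMPLE_AGENTS = {
    "~/Library/LaunchAgents/com.example.tor.plist":
        _plist("com.example.tor", ["/Users/u/.hidden/tor", "-f", "/Users/u/.hidden/torrc"]),
    "~/Library/LaunchAgents/com.example.web.plist":
        _plist("com.example.web", ["/Users/u/.hidden/php", "-S", "127.0.0.1:8080"]),
    "~/Library/LaunchAgents/com.example.paste.plist":
        _plist("com.example.paste", ["/bin/sh", "/Users/u/.hidden/pastebin_upload.sh"]),
    "~/Library/LaunchAgents/com.example.updater.plist":
        _plist("com.example.updater", ["/Applications/Editor.app/Contents/MacOS/update", "--check"]),
}

if __name__ == "__main__":
    import json
    print(json.dumps(triage_launch_agents(SAMPLE_AGENTS), indent=2))
```

On a real host, replace SAMPLE_AGENTS with the plists read from ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; a full three-component match warrants a closer look at the referenced binaries.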

Bitdefender researchers said Backdoor.MAC.Eleanor allows criminals to navigate and interact with the local filesystem, launch reverse shells to execute root commands, and launch and execute all kinds of PHP, Perl, Python, Ruby, Java, or C scripts.

Additionally, the attackers can list locally running apps, use the infected computer to send emails, use it as an intermediary point to connect to and administer databases, and scan remote firewalls for open ports.

The infected computer basically becomes a bot in the attacker’s botnet, which can at any time use it to send out massive spam campaigns, steal sensitive data from the infected system, use it as a DDoS bot, or install other malware.