New Malware lets attackers take full control of Mac OS X
If evidence of ransomware targeting Mac users weren’t bad enough, a new piece of malware was recently added to a growing list of cyber threats that seem to have a specific focus on Mac OS X.
The malware, named Backdoor.MAC.Eleanor by BitDefender Antimalware Lab’s researchers, under the supervision of technical leader Tiberius Axinte, is not only hard to detect, but it allows an attacker complete control over Mac OS X, including the ability to obtain a live video and audio feed using a Mac’s integrated hardware, like the camera on a MacBook.
Backdoor.MAC.Eleonor presents some eerie similarities to “Back Orifice”, or “BO”, a much older application dating back to 1998, and drafted by Sir Dystic, a member of the hacker group Cult of the Dead Cow.
BO was initially developed to demonstrate security vulnerabilities in Microsoft Windows 98, and then later evolved into an accessory to malware, and the instrument of choice for “script-kiddies” looking to target computers by binding shareware programs with BO’s server program, using tools such as SilkRope, to effectively create trojan horses that would deliver and activate the BO server as a hidden payload. In turns, the server would establish a connection with a convenient graphical client application.
Once a connection was made, an attacker could gain complete control of the target computer, including accessing, downloading and uploading files, running applications, control display properties, manage hardware resources, and even use the target computer as a botnet to hit other computers.
That was 1998, but in 2016 there are a few more variables to take into consideration. While in 1998 it would have been sufficient to block port 31337, or install a decent security suite to neutralize BO, today secure and untraceable connections can be create easily, and transparently, using Tor, the favorite method of communication used by criminals to take ransomware payments.
Backdoor.MAC.Eleanor makes effective use of the Tor network to establish a connection between a Mac and a hacker’s device, at which point the Mac is completely at the mercy of the hacker in much of a similar way as BO’s, only more effectively and unobtrusively.
First evidence of the malware was found in a fake app called EasyDoc Converter, an application disguised as a drag-and-drop file converter.
The app is not digitally signed by Apple, which is why BitDefender’s researchers recommend to enable Gatekeeper to ensure that only apps that are digitally signed and downloaded from the Mac App Store are installed.