Malware on the Mac is rare compared to Windows and Android; however, a new strain called “OSX/Eleanor-A” was recently discovered. With OSX/Eleanor-A, even amateur hackers can launch devastating attacks on victims’ systems using the tools the malware bundles.
OSX/Eleanor-A poses as a popular utility among Mac users called “EasyDoc Converter”. The legitimate program helps Mac users read Windows files and vice versa.
The app is easy to install and try; in the background, however, it creates a hidden folder containing a bunch of programs and scripts. Considered individually, the files seem mostly harmless; most of them are readily available as free tools. All of these components stay behind when you exit and uninstall the EasyDoc Converter “decoy” app. OSX/Eleanor-A uses a system utility to set these tools up to run in the background: the programs are configured as OS X LaunchAgents, software components that load in the background when you log in.
One of the background applications is a copy of the Tor browser. The malware starts it not only to connect your computer to the anonymous Tor network, but also to advertise your computer on the dark web. The second program running in the background is a PHP administration script. PHP is a standard scripting tool on OS X, and the malware uses it to run the script so that your computer and your files can be accessed via a web browser. The malware exposes the PHP admin script through the Tor network as a hidden service. This means that anyone who knows the name of the hidden service can take over your Mac remotely.
The third background program uploads the name of your hidden service to a Pastebin account. Your hidden service name is a unique, randomly chosen string of 16 characters that lets other Tor users connect to you. This program removes itself once its job is done.
Three utilities are included in OSX/Eleanor-A: Netcat, a general-purpose tool for sending and receiving data over the network; Wacaw, a free command-line tool for taking pictures and videos with your webcam; and a PHP-based image browsing tool.
The malware writers used a free tool called Platypus to package all the components into a single application download that looks and acts like EasyDoc Converter.
Importantly, the malware does not need administrative privileges to run, so you won’t see any unexpected “enter your administration password” prompts.
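Because the persistence described above lives in per-user LaunchAgents and needs no administrator password, a user can audit it without special privileges. As an added example (not from the original article, and not based on the malware’s actual file names), the Python below parses each LaunchAgent plist and flags agents that launch tools named in the article (tor, php, netcat, wacaw) or that point into a hidden folder. The sample plists, labels and paths are constructed placeholders.

```python
import plistlib
from pathlib import Path

# Watch list of tool names matching the components the article describes
# (Tor, the PHP interpreter, Netcat, Wacaw). Constructed for this example.
WATCH_LIST = {"tor", "php", "nc", "netcat", "wacaw"}

def is_hidden_path(arg):
    """True if any path component starts with '.', i.e. lives in a hidden folder."""
    return any(p.startswith(".") and p not in (".", "..") for p in Path(arg).parts)

def audit_launch_agent(plist_bytes):
    """Parse one LaunchAgent plist; report watch-list hits and hidden-folder paths."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    args = [a for a in args if a]
    return {
        "label": data.get("Label", "<no label>"),
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "hits": sorted({Path(a).name.lower() for a in args} & WATCH_LIST),
        "hidden_path": any(is_hidden_path(a) for a in args),
    }

def audit_directory(agent_dir):
    """Audit every .plist under agent_dir; return only the agents worth a closer look."""
    findings = []
    for path in sorted(Path(agent_dir).expanduser().glob("*.plist")):
        try:
            report = audit_launch_agent(path.read_bytes())
        except Exception as exc:  # a malformed plist is itself worth noting
            findings.append({"file": str(path), "error": str(exc)})
            continue
        if report["hits"] or report["hidden_path"]:
            findings.append({"file": str(path), **report})
    return findings

# Constructed sample plists (placeholder labels and paths, not the malware's real files).
SAMPLE_PLISTS = {
    "suspicious": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.phpagent</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/php</string><string>/Users/PLACEHOLDER/.hidden/admin.php</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "benign": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup-sync</string></array>
</dict></plist>""",
}

if __name__ == "__main__":
    for name, blob in SAMPLE_PLISTS.items():
        print(name, audit_launch_agent(blob))
    print(audit_directory("~/Library/LaunchAgents"))  # real per-user agents on a Mac
```

A hit only means the agent deserves inspection; legitimate software also uses LaunchAgents and may invoke PHP or Netcat.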