Scary New OS X Malware Allows Hackers to Hijack Macs and Spy Using Webcams

Rafia Shaikh
Posted Jul 11, 2016
45Shares
Share Tweet Submit

Apple’s OS X is popularly considered immune to malware campaigns. While smaller in count when compared to Windows, Mac malware does exist. A security firm has revealed that Macs have been exposed to a new malware that offers attackers full control of infected devices.

Dubbed OSX/Eleanor-A by researchers, this new malware offers criminals a backdoor into OS X systems while disguising itself as a regular utility. Attackers have embedded a script into a fake file converter application that is offered on many “reputable sites offering Mac applications and software.” BitDefender Labs warned that this type of malware is dangerous because it’s harder to detect, and offers the attacker full control of the victim machine. “For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices. The possibilities are endless,” warned Tiberius Axinte, Technical Leader at Bitdefender.

According to researchers this malware was found in the EasyDoc Converter app which poses as a drag-and-drop file converter application. Once downloaded, the app has no functionality. A user would naturally proceed to delete it, but the app manages to download malicious scripts onto the machine, creating a hidden folder that contains programs and scripts. Uninstalling EasyDoc doesn’t remove these programs that are left behind, and keep running in the background. Configured as the OS X LaunchAgents, these programs load in the background when a user logs in.

Mac malware connects infected machines to the Dark Web

Researchers also revealed that the background script also creates a hidden TOR service, allowing the attacker to “anonymously access the control-and-command center from the outside.” This component not only helps the malware connect the infected machine with Tor’s network, but also to advertise it to the Dark Web, offering “hidden services.” Another left-behind component is Web Service (PHP), which acts as the C&C center, giving the attacker full control over the infected Mac. Once authenticated with the correct password, attackers gain following controls:

File manager (view, edit, rename, delete, upload, download, and archive files)

Command execution (execute commands)

Script execution (execute scripts in PHP, PERL, Python, Ruby, Java, C)

Shell via bind/reverse shell connect (remotely execute root commands)

Simple packet crafter (probe firewall rule-sets and find entry points into a targeted system or network)

Connect and administer databases

Process list/Task manager (access the list of processes and applications running on the system)

Send emails with attached files

Apart from the above, Mac malware also uses a tool to stealthily capture images and videos from the webcams. From anonymously connecting to the Dark Web, to gaining full access of your file system and capturing images and videos through the camera, Backdoor.MAC.Eleanor can create a lot of mess.

[Updated w/ Official Response] Shazam Is Always Listening on the Mac, Even When You Toggle It OFF

If you want to stay safe from these security nightmares, try to stick with the Mac App Store and identified and known developers when you have to download an app. You can also run a good security solution to make sure you are running a clean Mac.

Share Tweet Submit