July 6, 2016
Bitdefender security experts have found a new malware family which opens a backdoor via the Tor network on Mac OS X systems.
The technical name of the newly-found threat is Backdoor.MAC.Eleanor, and its creators are delivering it to victims as EasyDoc Converter – a Mac app that allows users to convert files by dragging them over a small window.
According to Bitdefender, the application actually downloads and runs a malicious script which installs and registers at startup three new components: a Tor hidden service, a PHP web service, and a Pastebin client. The Tor service connects the infected Mac to the Tor network and generates a .onion address through which the attacker can reach the victim's system using nothing more than a browser.
The PHP web service is the receiving end of that connection; it interprets the commands it receives from the attacker's control panel and executes them on the local Mac. This is where the Pastebin agent comes in: it takes the locally generated .onion address, encrypts it with the attacker's RSA public key, base64-encodes the result and uploads it to Pastebin. The criminals then fetch the Pastebin page and parse it for new entries, i.e. new members of their botnet. Note that base64 is an encoding, not encryption: only the RSA step keeps the address from anyone else who reads the paste, so every victim is reachable only by whoever holds the matching private key.