Mac Malware Reading Time: 2 minutes

The latest malware to hit Mac operating systems is the EasyDoc Converter. Cyber security experts have discovered this dangerous Mac malware on reputed online websites offering applications and software for the Mac OS. If Mac users still believe that their systems cannot get infected then they better get wary now.

Backdoor trojan

The EasyDoc Converter poses to have the ability to convert files; however, the malicious EasyDoc Converter does not do any conversion or any other genuine function. It is a script that contains an embedded backdoor malware, which has been designated as Backdoor.MAC.Eleanor. This Mac malware allows attackers to gain complete access of the operating system, the webcam, shell execution and the file explorer.

The cyber criminals have employed the tool Platypus to create the malicious app. When the malicious app runs it displays a screen typical to a drag-and-drop file converter, but it lacks any functionality. The malware installs a number of malicious components in the startup of the computer – a Tor Hidden Service, Web Service (PHP), and a PasteBin Agent.

The Tor Hidden Service: This Hidden Service component enables access to the Web Service (PHP). The Tor creates a new public/private key pair and a “hostname” file. This hostname utilizes the Web Service(PHP) component to completely control the system. Two local services are accessed by the hidden service – a SSH service and a web service.

Web Service(PHP): The infected startup configuration allows the cyber criminal to gain control of the machine. It listens to a specific port and this service has 3 main components – a main control panel, WebCam Control Panel, and an Agent.

The main control panel is password protected and allows the cyber criminal to perform certain critical unauthorized activities – execute commands, execute scripts, send mails with attachments, access Task Manager, access the process list, convert strings, and connect to DBMS systems.

The Mac Malware gains control of the webcams connected to or those that are part of the system. This allows it to capture videos and images and also views images in the gallery app of the system.
The Agent component helps the cyber criminal to execute shell scripts and acquire files including videos and images on the computer.

The cyber criminals control each infected machine by using a unique Tor address for each system. And then using the PasteBin Agent, the unique addresses are stored at the website. This is a website that allows storing of text for online sharing of data. Furthermore, these TOR addresses are not easily visible as they are encrypted.

How to protect against Mac Malware?

  1. Install apps only from Apple store or other reputed stores.
  2. Check the publisher
  3. Install an effective antivirus that uses default-deny technology, auto-sandboxing containment and real-time antivirus scanning.
  4. Be prudent when downloading apps.
  5. Keep Mac OS and the antivirus solution updated.

Following the above listed precautions will help fend off many new and advanced malwares.