Wednesday, July 6, 2016

Beware New Mac Malware: 'Backdoor.MAC.Eleanor'


[Updated: 2016-07-07 @1:50 am ET with additional references]

This malware should more properly be named OSX.Trojan.Eleanor.A. In the field, it is being called Backdoor.MAC.Eleanor by BitDefender LABS. It is being served up to victims at a number of websites, including apparently BEWARE!

I'll create my own write-up about the malware as further details become available. For now, here are some excellent sources of information about Eleanor:

Bitdefender LABS

Backdoor.MAC.Eleanor Grants Attackers Full Access to Mac Systems
A. Description: The application name is EasyDoc, and its main functionality should be to convert documents, but it does anything but that. . . .

New Mac malware in the wild, Backdoor.MAC.Elanor – can steal data, execute code, control webcam

More about Eleanor from my colleague Thomas Reed over at Malwarebytes:

When the app is opened, it runs a shell script whose first task is to check for the presence of Little Snitch. . . . If LittleSnitch is not present, and if the malware has not already been installed, it then installs three LaunchAgents in the user folder plus a hidden folder full of executable files. All these items have names that attempt to make them seem like Dropbox components....
Interestingly, this app’s page on MacUpdate has ratings submitted by users between 2014 and March 26, 2016, all but one of which are 4.5 or 5 stars. Since this malware appears to have first “turned on” in April, I suspect that the real EasyDoc Converter may have been abandoned by its developer and somehow obtained by malware authors....
If you have Malwarebytes Anti-Malware for Mac, it will detect this malware as OSX.Backdoor.Eleanor.
I.e., the free Malwarebytes Anti-Malware for Mac already detects Eleanor. Use the link in the quote above.
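As an added example (not from this post, Malwarebytes or Bitdefender), here is a small Python scanner that applies the persistence indicator quoted above: it parses every plist in the user's LaunchAgents folder and reports agents whose program runs from a hidden folder inside the home directory. It assumes the standard ~/Library/LaunchAgents location; the plist names and paths used in demo() are constructed, since the page does not give Eleanor's actual file names.

```python
import plistlib
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


def program_path(agent: dict) -> Optional[str]:
    # launchd runs either "Program" or ProgramArguments[0]
    if agent.get("Program"):
        return str(agent["Program"])
    args = agent.get("ProgramArguments")
    return str(args[0]) if isinstance(args, list) and args else None


def in_hidden_path(path: str, home) -> bool:
    """True when path lies under home and any component starts with a dot."""
    try:
        rel = Path(path).expanduser().relative_to(Path(home))
    except ValueError:
        return False  # outside the home folder (/Applications, /usr/...): not this indicator
    return any(part.startswith(".") for part in rel.parts)


def find_suspicious_agents(agents_dir, home) -> List[Tuple[str, str]]:
    """(plist name, program) for each agent whose program sits in a hidden path."""
    findings = []
    for plist in sorted(Path(agents_dir).glob("*.plist")):
        try:
            agent = plistlib.loads(plist.read_bytes())
        except (plistlib.InvalidFileException, OSError):
            continue  # unparseable plist: skipped here, but worth a manual look
        prog = program_path(agent)
        if prog and in_hidden_path(prog, home):
            findings.append((plist.name, prog))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed sample home: one ordinary agent, one Dropbox look-alike."""
    home = Path(tempfile.mkdtemp()) / "home"
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    samples = {  # constructed names; the real Eleanor file names are not on the page
        "com.example.realapp.plist": ["/Applications/RealApp.app/Contents/MacOS/RealApp"],
        "com.dropbox.lookalike.plist": [str(home / ".dbx_sync" / "dbx_sync")],
    }
    for name, args in samples.items():
        payload = {"Label": name[:-6], "ProgramArguments": args, "RunAtLoad": True}
        (agents / name).write_bytes(plistlib.dumps(payload))
    return find_suspicious_agents(agents, home)


if __name__ == "__main__":  # real scan of this user's LaunchAgents (macOS)
    for name, prog in find_suspicious_agents(Path.home() / "Library/LaunchAgents", Path.home()):
        print(f"REVIEW {name}: runs {prog}")
```

Genuine software also keeps helpers in hidden folders, so treat a hit as something to review (for instance with `codesign -dv` on the reported program), not as proof of infection.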

And Dan Goodin of Ars Technica posted an article about Eleanor as well as a couple of other pests: Pellit and Keydnap. I'm waiting for more details about these last two before I write about them.

~ ~

Keep in mind that such malware can have ANY name. Therefore, don't simply avoid 'EasyDoc Converter'. Watch out for ALL software, from ANY source, that is not signed by an Apple-approved developer.

Safety Step: Verify that you at least have Apple's Gatekeeper set up this way in System Preferences: Security & Privacy: General:

IOW: Don't have 'Anywhere' selected. 
(If you're using macOS 10.12 Sierra, you won't even see 'Anywhere' available).

Until this malware is blocked by Apple, do NOT override Gatekeeper to open unsigned software.

IOW: If you have Gatekeeper set up properly, you attempt to open something you downloaded, and OS X protests that the software may be insecure, do NOT open it. Take the advice of OS X. This will keep you safe from the Eleanor malware. Set the questionable software aside until protection against Eleanor is provided by Apple via its XProtect system. I'll report when XProtect has been updated against Eleanor.

Further helpful information from Apple:

About the "Are you sure you want to open it?" alert (File Quarantine / Known Malware Detection) in OS X
