New Mac malware can open a backdoor into your system

Bitdefender Labs has announced the detection of new Mac malware, dubbed Backdoor.MAC.Eleanor, which can bypass built-in security in current versions of macOS including El Capitan, and make your Mac vulnerable to a wide range of exploits.

In its current form, you have to download a fake file converter named EasyDoc. When you open that app, it does not do what it promises, but runs scripts to install a backdoor which can give the attacker access to macOS, command shell script execution, webcam capture, and more.

The script which it runs first has been built using a tool for creating apps from scripts, named Platypus (and a very good and useful tool this is, too). This script checks to see if Little Snitch is installed, and will abort if it is found. However, Little Snitch has its own security concerns, so I would not recommend it as protection against this.

Once it is ready to install, it adds three services to ~/Library/LaunchAgents, each of which is a property list (.plist) whose name starts with com.getdropbox.dropbox. It also installs components to create a Tor hidden service, a PHP Web service, a main control panel, a webcam control panel, and a couple of agents.

Patrick Wardle (to whom thanks for drawing this to my attention) advises that this is detected by, and easily blocked by, his free utility BlockBlock.

I suggest that you:

  1. check your ~/Library/LaunchAgents folder for files starting with com.getdropbox.dropbox
  2. avoid downloading any suspect apps, particularly anything named EasyDoc Converter
  3. download, install, and use BlockBlock or another effective tool.
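As an added example (my own script, not something from the original post or from Bitdefender), the first check above can be scripted: it lists any property list in a LaunchAgents folder whose name starts with com.getdropbox.dropbox and shows what each one would launch. The sample plist it writes is constructed for demonstration; its label suffix and paths are assumptions, not Eleanor's real values.

```shell
#!/bin/sh
# Added example, not code from the original post. Scans a LaunchAgents folder
# for property lists whose file name starts with com.getdropbox.dropbox (the
# prefix the post says Eleanor's three agents use) and shows what each would
# run. The plist written by make_sample_agent is constructed here purely for
# demonstration; its label suffix and paths are not Eleanor's real values.

# find_eleanor_agents [dir]   (default: ~/Library/LaunchAgents)
# Prints one matching plist path per line; returns 0 if any found, else 1.
find_eleanor_agents() {
    dir="${1:-$HOME/Library/LaunchAgents}"
    rc=1
    [ -d "$dir" ] || return 1
    for f in "$dir"/com.getdropbox.dropbox*.plist; do
        [ -e "$f" ] || continue      # the glob matched nothing
        rc=0
        printf '%s\n' "$f"
    done
    return $rc
}

# agent_program <plist>
# Prints the strings of the ProgramArguments array, one per line, so you can
# see the command an agent runs before unloading (launchctl unload) and
# deleting it. Assumes an XML plist; convert binary ones with plutil first.
agent_program() {
    sed -n '/<key>ProgramArguments<\/key>/,/<\/array>/p' "$1" |
        sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p'
}

# make_sample_agent <dir>
# Writes a constructed plist with the suspicious prefix plus an unrelated one,
# so the scan can be exercised without a real infection.
make_sample_agent() {
    cat > "$1/com.getdropbox.dropbox.example.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.getdropbox.dropbox.example</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>/Users/example/Library/.hidden/agent.sh</string>
    </array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    : > "$1/com.apple.unrelated.plist"   # must not be reported
}

# Scan the real folder when run as a script; a clean Mac prints nothing.
find_eleanor_agents | while read -r p; do echo "== $p"; agent_program "$p"; done
```

To try it against the constructed sample rather than your own folder, source the script, run `make_sample_agent` on an empty temporary directory, and pass that directory to `find_eleanor_agents`.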