{"id":54286,"date":"2016-07-06T15:54:52","date_gmt":"2016-07-06T22:54:52","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=54286"},"modified":"2016-10-07T12:23:21","modified_gmt":"2016-10-07T19:23:21","slug":"eleanor-is-dangerous-mac-malware-that-can-steal-data","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/eleanor-is-dangerous-mac-malware-that-can-steal-data\/","title":{"rendered":"New Dangerous Mac Malware Masquerades as File Converter App"},"content":{"rendered":"

\"Backdoor<\/p>\n

File converters are like email services. Everyone has a favorite, sometimes we use more than one, and we\u2019re always looking for something better. But what if that file converter you just downloaded proves incapable of doing what it promises? Worse yet, what if it has more devious intentions? If you recently downloaded the EasyDoc Converter freeware, malicious attackers have tricked you into installing dangerous Mac malware.<\/p>\n

Security researchers have discovered a nasty surprise hidden as a fake file converter application, called EasyDoc Converter, available on a number of download sites, that offers\u00a0everything but what users expected.\u00a0The EasyDoc Converter.app purports to be\u00a0a drag-and-drop file converter, but in reality has no beneficial functionality \u2013 instead it simply downloads a malicious script.<\/p>\n

The malicious app was available on the popular download site MacUpdate, but it has since been discontinued due to today\u2019s malware news.<\/p>\n

\"EasyDoc

EasyDoc Converter is no longer available from MacUpdate.<\/p><\/div>\n

The new Mac malware, identified by\u00a0Intego VirusBarrier<\/a>\u00a0as\u00a0OSX\/Eleanor<\/strong>, is a serious\u00a0threat and, if installed, can enable attackers to take full control of the compromised machine.<\/p>\n

The scourge opens a backdoor on infected Macs and, according to researchers<\/a>, can steal data, execute remote code and access the webcam, among other things.<\/p>\n

\u201c[It] silently installs a backdoor in the system that gives the attacker full access to the operating system, tofile explorer, shell execution, webcam image and video capture and more. [\u2026] The application looks like a file converter, where you can drop files, but it has no real functionality.\u201d<\/p><\/blockquote>\n

If downloaded, executing the script \u201cEasyDoc Converter.app\/Resources\/script\u201d launches the application and begins the installation process.<\/p>\n

The backdoor components are installed in the user\u2019s directory:<\/p>\n

~\/Library\/.dropbox<\/p>\n

The malware also installs three agents, which are launched at each startup, in the user\u2019s directory:<\/p>\n

    \n
  1. The TOR hidden service (allows to access the backdoor web service).<\/li>\n<\/ol>\n
    ~\/Library\/LaunchAgents\/com.getdropbox.dropbox.integritycheck.plist<\/pre>\n
      \n
    1. The php web service (the backdoor control panel).<\/li>\n<\/ol>\n
      ~\/Library\/LaunchAgents\/com.getdropbox.dropbox.usercontent.plist<\/pre>\n
        \n
      1. The PasteBin agent (used to store the unique TOR address of the controlled machine into pastebin.com).<\/li>\n<\/ol>\n
        ~\/Library\/LaunchAgents\/com.getdropbox.dropbox.timegrabber.plist<\/pre>\n
        If you believe your machine is infected, you can verify the presence of the directory and files mentioned above.<\/p>\n
        How to protect yourself<\/h3>\n
        The application does not include an Apple developer signature, and is therefore easy to prevent from installing on Macs. It’s a good idea to check your Mac’s security settings to ensure you\u00a0only allow apps downloaded from the Mac App Store and identified developers.<\/p>\n
        To check these\u00a0settings, go to System Preferences<\/strong> > Security & Privacy<\/strong> > General<\/strong>, and choose to allow\u00a0apps downloaded from “Mac App Store and identified developers.”\u00a0With this setting enabled,\u00a0you\u00a0can protect your Mac from OSX\/Eleanor and from future attacks should they appear similarly in other software downloads.<\/p>\n
        Furthermore, Intego VirusBarrier<\/a>\u00a0with up-to-date malware definitions will detect and eradicate the fake file converter malware as OSX\/Eleanor<\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"
        File converters are like email services. Everyone has a favorite, sometimes we use more than one, and we\u2019re always looking for something better. But what if that file converter you just downloaded proves incapable of doing what it promises? Worse yet, what if it has more devious intentions? If you recently downloaded the EasyDoc Converter […]<\/p>\n","protected":false},"author":4,"featured_media":54382,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190,5],"tags":[30,2983,2980,86,2986],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n