New Backdoor Allows Full Access to Mac Systems – Bitdefender Security

By | July 8, 2016

Backdoor on Mac System

A security research team at Bitdefender has discovered new, critical malware affecting Mac OS X machines that grants attackers full remote access to the computer, along with the ability to steal data and hijack the user’s webcam.

They have published a detailed report explaining how it works on Apple systems.

Bitdefender researchers found Backdoor.MAC.Eleanor inside a malicious version of a popular free Mac OS X app called EasyDoc Converter. While the genuine app is meant to convert files into documents that can be opened and read with Microsoft Word, the fake app instead quietly downloads a malicious script when executed.

The script first checks for the presence of a firewall app called Little Snitch. If that app isn’t found, the script installs and registers the following components to system startup:

Tor Hidden Service

This component creates a Tor hidden service that lets an attacker anonymously reach the command-and-control center from outside, a local web server dubbed Web Service (PHP), via a Tor-generated address.

Web Service (PHP)

This component acts as the C&C center and gives the attacker full control over the infected machine. The web service is set up locally and can be reached through the “.onion” address. After authenticating with the correct password, attackers gain access to a web-based control panel with the following capabilities:

• File manager (view, edit, rename, delete, upload, download, and archive files)
• Command execution (execute commands)
• Script execution (execute scripts in PHP, Perl, Python, Ruby, Java, C)
• Shell access via bind or reverse shell (remotely execute commands as root)
• Simple packet crafter (probe firewall rule-sets and find entry points into a targeted system or network)
• Connect to and administer databases
• Process list/Task manager (access the list of processes and applications running on the system)
• Send emails with attached files

According to the security team, every infected machine has a unique Tor address that the attacker uses to connect and download the malware. All the addresses are posted to pastebin.com by this agent after being encrypted with an RSA public key and base64-encoded.
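The two components above are registered to run at system startup, which on macOS means launchd persistence items. The following added example (not from the article or from Bitdefender’s report) is a defensive triage script that sweeps the standard LaunchAgents/LaunchDaemons directories and flags entries whose command line looks like a Tor hidden service or a locally bound PHP web server, rating a host that has both as the pattern the article describes. The directory layout, the keyword heuristics, and the three sample plists are all constructed assumptions; none of them are published Eleanor indicators.

```python
"""Added example (not from the article or Bitdefender's report): defensive triage of
macOS launchd persistence items for the two components the article says Eleanor
registers at startup, a Tor hidden service and a local PHP web service.
All paths, keywords and sample plists below are constructed assumptions."""
import plistlib
import re
from pathlib import Path

# Generic heuristics for the two components, matched against the launch item's command
# line. They are NOT published indicators; a real sample may use other names or paths.
SUSPECT_PATTERNS = {
    "tor_hidden_service": re.compile(r"(^|/)tor(\s|$)|HiddenService|torrc", re.I),
    "php_web_service": re.compile(r"(^|/)php[0-9.]*(\s|$)|-S\s+(127\.0\.0\.1|localhost):\d+", re.I),
}


def default_launch_dirs():
    """Where launchd loads per-user and system-wide items (standard macOS layout, assumed)."""
    return [
        Path.home() / "Library" / "LaunchAgents",
        Path("/Library/LaunchAgents"),
        Path("/Library/LaunchDaemons"),
    ]


def classify_plist(data: bytes) -> dict:
    """Parse one launchd plist and report which suspect patterns its command line matches."""
    try:
        plist = plistlib.loads(data)
    except Exception:  # malformed or non-plist input: report it, do not abort the sweep
        return {"label": None, "matches": [], "run_at_load": False, "error": "unparseable"}
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    if plist.get("Program"):  # launchd also accepts a single Program key
        args.insert(0, str(plist["Program"]))
    command_line = " ".join(args)
    matches = [name for name, rx in SUSPECT_PATTERNS.items() if rx.search(command_line)]
    return {
        "label": plist.get("Label"),
        "matches": matches,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "command_line": command_line,
    }


def scan_directories(dirs=None) -> list:
    """Classify every .plist under the given directories and return only suspicious ones."""
    findings = []
    for d in dirs if dirs is not None else default_launch_dirs():
        d = Path(d)
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            result = classify_plist(p.read_bytes())
            if result["matches"]:
                result["path"] = str(p)
                findings.append(result)
    return findings


def severity(findings) -> str:
    """Both components registered on one host is the pattern the article describes."""
    seen = {m for f in findings for m in f["matches"]}
    if {"tor_hidden_service", "php_web_service"} <= seen:
        return "high"
    return "medium" if seen else "none"


def _constructed_plist(label: str, args: list, run_at_load: bool = True) -> bytes:
    """Build a sample launchd plist in memory (constructed test data, not a real sample)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": run_at_load})


# Constructed samples: a hidden Tor process, a PHP built-in server bound to localhost,
# and a benign backup job. Paths are invented for the example.
SAMPLE_TOR = _constructed_plist(
    "com.example.constructed.tor",
    ["/Users/demo/Library/.hidden/tor", "-f", "/Users/demo/Library/.hidden/torrc"])
SAMPLE_PHP = _constructed_plist(
    "com.example.constructed.web",
    ["/usr/bin/php", "-S", "127.0.0.1:8080", "-t", "/Users/demo/Library/.hidden/www"])
SAMPLE_BENIGN = _constructed_plist(
    "com.example.constructed.backup",
    ["/usr/bin/python3", "/Users/demo/backup.py"], run_at_load=False)

if __name__ == "__main__":
    for sample in (SAMPLE_TOR, SAMPLE_PHP, SAMPLE_BENIGN):
        print(classify_plist(sample))
    live = scan_directories()
    print("live scan:", severity(live), live)
```

The heuristics deliberately key on the shape of the command line rather than on a file hash, because the article notes that every infected machine gets its own Tor address and the dropped components can be renamed; a persistence item that starts a Tor process and a localhost-bound PHP server at login is unusual enough on a workstation to deserve a look regardless of the binary names. Run it as root to cover /Library/LaunchDaemons as well as the per-user LaunchAgents.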


Dashboard

According to Tiberius Axinte, Technical Leader, Bitdefender Antimalware Lab:

“This type of malware is particularly dangerous as it’s hard to detect and offers the attacker full control of the compromised system. For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices. The possibilities are endless.”
