The Mac Security Blog

Malware + Security News

New Dangerous Mac Malware Masquerades as File Converter App

Posted on by

Backdoor Eleanor Mac Malware

File converters are like email services. Everyone has a favorite, sometimes we use more than one, and we’re always looking for something better. But what if that file converter you just downloaded proves incapable of doing what it promises? Worse yet, what if it has more devious intentions? If you recently downloaded the EasyDoc Converter freeware, malicious attackers have tricked you into installing dangerous Mac malware.

Security researchers have discovered a nasty surprise hidden as a fake file converter application, called EasyDoc Converter, available on a number of download sites, that offers everything but what users expected. The EasyDoc Converter.app purports to be a drag-and-drop file converter, but in reality has no beneficial functionality – instead it simply downloads a malicious script.

The malicious app was available on the popular download site MacUpdate, but it has since been discontinued due to today’s malware news.

EasyDoc Converter malware

EasyDoc Converter is no longer available from MacUpdate.

The new Mac malware, identified by Intego VirusBarrier as OSX/Eleanor, is a serious threat and, if installed, can enable attackers to take full control of the compromised machine.

The scourge opens a backdoor on infected Macs and, according to researchers, can steal data, execute remote code and access the webcam, among other things.

“[It] silently installs a backdoor in the system that gives the attacker full access to the operating system, tofile explorer, shell execution, webcam image and video capture and more. […] The application looks like a file converter, where you can drop files, but it has no real functionality.”

If downloaded, executing the script “EasyDoc Converter.app/Resources/script” launches the application and begins the installation process.

The backdoor components are installed in the user’s directory:

~/Library/.dropbox

The malware also installs three agents, which are launched at each startup, in the user’s directory:

  1. The TOR hidden service (allows to access the backdoor web service).
~/Library/LaunchAgents/com.getdropbox.dropbox.integritycheck.plist
  1. The php web service (the backdoor control panel).
~/Library/LaunchAgents/com.getdropbox.dropbox.usercontent.plist
  1. The PasteBin agent (used to store the unique TOR address of the controlled machine into pastebin.com).
~/Library/LaunchAgents/com.getdropbox.dropbox.timegrabber.plist

If you believe your machine is infected, you can verify the presence of the directory and files mentioned above.

How to protect yourself

The application does not include an Apple developer signature, and is therefore easy to prevent from installing on Macs. It’s a good idea to check your Mac’s security settings to ensure you only allow apps downloaded from the Mac App Store and identified developers.

To check these settings, go to System Preferences > Security & Privacy > General, and choose to allow apps downloaded from “Mac App Store and identified developers.” With this setting enabled, you can protect your Mac from OSX/Eleanor and from future attacks should they appear similarly in other software downloads.

Furthermore, Intego VirusBarrier with up-to-date malware definitions will detect and eradicate the fake file converter malware as OSX/Eleanor.