After the first ever example of Mac ransomware was found in the wild earlier this year, Bitdefender Labs has found what it tells us is only the second example of true Mac malware to enter circulation this year, which it has dubbed Backdoor.MAC.Elanor. The malware application was available on a number of (formerly?) reputable download sites such as MacUpdate.
The backdoor is embedded into a fake file converter application that is accessible online on reputable sites offering Mac applications and software. The EasyDoc Converter.app poses as a drag-and-drop file converter, but has no real functionality – it simply downloads a malicious script.
This is a nasty backdoor that can steal data, execute remote code and access the webcam, among other things …
Bitdefender explains that the malware that was discovered within the application titled EasyDoc Converter would install a Tor hidden service, a web service, and a Pastebin agent to each infected system. Technical lead Tiberius Axinte says that there is no real limit to what the Backdoor.MAC.Elanor malware can do.
The good news is that the malicious app is not signed by an Apple Developer ID, so as long as you have your Mac set only to open apps from the Mac App Store or known developers, it won’t open. It does, though, emphasize the importance of exercising caution even when downloading apps from reputable sites.
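An added check for that mitigation (example code, not from the article or Bitdefender): it classifies the verdict Apple's `spctl` assessment prints for an app bundle and, on a Mac, runs the live assessment. The bundle path and the sample output are assumed.

```shell
#!/bin/sh
# Added example: would Gatekeeper let this downloaded .app open?
# Relies on Apple's spctl and codesign; the app path is an assumption.

# Classify the text that `spctl --assess --type execute -v <app>` prints.
# Outputs "accepted|rejected|unknown <reason>", where the reason is the
# "source=" line (an unsigned bundle yields "no usable signature").
classify_spctl_output() {
    out="$1"
    case "$out" in
        *": accepted"*) verdict=accepted ;;
        *": rejected"*) verdict=rejected ;;
        *)              verdict=unknown  ;;
    esac
    reason=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    printf '%s %s\n' "$verdict" "${reason:-n/a}"
}

# Live check on macOS; reports and returns 2 elsewhere (no spctl available).
assess_app() {
    app="$1"
    command -v spctl >/dev/null 2>&1 || { echo "spctl not available (not macOS)"; return 2; }
    spctl --status                      # "assessments enabled" means Gatekeeper is on
    out=$(spctl --assess --type execute --verbose=4 "$app" 2>&1)
    classify_spctl_output "$out"
    # Independent signature check; fails loudly for an unsigned or tampered bundle.
    codesign --verify --deep --strict --verbose=2 "$app" 2>&1 || true
}
```

Run `assess_app "/path/to/EasyDoc Converter.app"` on a Mac; a "rejected no usable signature" line is the outcome the article describes for the unsigned app.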
This type of malware is particularly dangerous as it’s hard to detect and offers the attacker full control of the compromised system. For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices. The possibilities are endless.
Bitdefender has promised more technical details of the malware later this morning. The full report from Bitdefender is available now.
Update 07/06/2016 11:00 AM PDT:
- Removed paragraph incorrectly stating Thomas Reed’s involvement in reporting Bitdefender’s malware discovery to MacUpdate. Thomas Reed had written a blog post last year regarding a tweet mentioning MacUpdate installing what he considered “adware”.
- Added paragraph explaining what is installed with the previously available malware.