Security firm Bitdefender has issued an alert about a malicious app that hands over control of Macs to criminals via Tor.
The software, called EasyDoc Converter.app, is supposed to be a file converter but doesn't do its advertised functions.
Instead it installs a backdoor that hands control of the Mac to an attacker, who can enrol it in a botnet or use it to spy on its owner.
"This type of malware is particularly dangerous as it's hard to detect and offers the attacker full control of the compromised system," said Tiberius Axinte, Technical Leader, Bitdefender Antimalware Lab.
"For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices.
The possibilities are endless."

The malware, dubbed Backdoor.MAC.Eleanor, sets up a hidden Tor service and a PHP-capable web server on the infected computer, generating a .onion address that the attacker can use to reach the Mac over Tor and control it without exposing a conventional command-and-control server.
Once installed, the malware grants full access to the file system and can run scripts given to it by its masters.
A report on AppleInsider says the malware can also control the FaceTime camera on a victim's computer.
One mitigating factor: the app is not signed with an Apple developer certificate, so Gatekeeper blocks it on a Mac left at its default setting. A user who has relaxed Gatekeeper, or who overrides the warning for this one app, gets no such protection.
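The mechanism described above (a hidden Tor service plus a local web server that has to be kept running on the victim's account) leaves artefacts a responder can hunt for. The following Python script is an added example, not code from this page or from Bitdefender's report: it walks a home directory looking for Tor hidden-service directories (a `hostname` file holding a .onion address beside a private key file, including inside dot-prefixed hidden folders) and for per-user LaunchAgents whose program is `tor` or `php`, then runs itself against a constructed fake home directory. The folder and label names in that fixture are illustrative assumptions, not Eleanor's real indicators.

```python
"""Hunt for artefacts of a Tor hidden-service backdoor on a macOS user account.

Added example, not Bitdefender's indicators: it looks for the generic traces the
mechanism implies (a Tor hidden-service directory and a LaunchAgent that keeps
tor or a PHP web server alive) and demonstrates itself on a constructed fixture.
"""
import os
import plistlib
import re
import tempfile
from pathlib import Path

# v2 (16 chars) and v3 (56 chars) onion hostnames, base32 alphabet only.
ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")
# A hidden-service directory holds `hostname` plus one of these key files.
HS_KEY_FILES = {"private_key", "hs_ed25519_secret_key"}
# Binaries we do not expect a LaunchAgent to run on a typical user account.
SUSPECT_BINARIES = {"tor", "php"}


def find_hidden_services(root: Path):
    """Return (directory, onion_name) for every Tor hidden-service dir under root.

    os.walk descends into dot-prefixed directories too, which is where a
    dropper hiding its payload would put it.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "hostname" in files and HS_KEY_FILES & set(files):
            try:
                name = (Path(dirpath) / "hostname").read_text().strip()
            except OSError:
                continue
            if ONION_RE.match(name):
                hits.append((Path(dirpath), name))
    return hits


def find_suspicious_launch_agents(agents_dir: Path):
    """Return (plist, label, args) for LaunchAgents that execute tor or php."""
    hits = []
    for plist in agents_dir.glob("*.plist"):
        try:
            with plist.open("rb") as f:
                data = plistlib.load(f)
        except Exception:  # unreadable or malformed plist: skip, do not crash the hunt
            continue
        args = list(data.get("ProgramArguments") or [])
        if isinstance(data.get("Program"), str):
            args = [data["Program"]] + args
        if any(os.path.basename(str(a)) in SUSPECT_BINARIES for a in args):
            hits.append((plist, data.get("Label"), args))
    return hits


def hunt(home: Path):
    """Run both checks over one home directory."""
    return {
        "hidden_services": find_hidden_services(home),
        "launch_agents": find_suspicious_launch_agents(home / "Library" / "LaunchAgents"),
    }


def build_fixture(home: Path) -> None:
    """Populate a constructed fake home directory. All names are illustrative assumptions."""
    hs = home / "Library" / ".tor_hs"            # hidden dir (assumption)
    hs.mkdir(parents=True)
    (hs / "hostname").write_text("abcdefghijklmnop.onion\n")   # constructed v2-style name
    (hs / "private_key").write_text("-----BEGIN RSA PRIVATE KEY-----\nconstructed\n")
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    with (agents / "com.example.updater.plist").open("wb") as f:   # keeps tor running
        plistlib.dump({"Label": "com.example.updater", "RunAtLoad": True,
                       "ProgramArguments": [str(hs / "tor"), "-f", str(hs / "torrc")]}, f)
    with (agents / "com.example.web.plist").open("wb") as f:       # PHP built-in web server
        plistlib.dump({"Label": "com.example.web", "RunAtLoad": True,
                       "ProgramArguments": ["/usr/bin/php", "-S", "127.0.0.1:9999",
                                            "-t", str(hs / "www")]}, f)
    with (agents / "com.example.benign.plist").open("wb") as f:    # control: should not flag
        plistlib.dump({"Label": "com.example.benign", "ProgramArguments": ["/usr/bin/true"]}, f)


def demo():
    """Build the fixture in a temp dir, hunt it, and return a compact summary."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        build_fixture(home)
        res = hunt(home)
        return {
            "onions": [name for _dir, name in res["hidden_services"]],
            "agents": sorted(label for _plist, label, _args in res["launch_agents"]),
        }


if __name__ == "__main__":
    # On a real Mac you would call hunt(Path.home()) instead of the fixture.
    print(demo())
```

On a live system, call `hunt(Path.home())` and also review `/Library/LaunchAgents` and `/Library/LaunchDaemons`; a hit is a lead for manual review, not proof of compromise, since a legitimately installed Tor client leaves the same hidden-service layout.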
The backdoor is apparently being hidden away in a phony file converter utility that’s being distributed via major sites like MacUpdate, according to a report from 9to5Mac.
EasyDoc Converter purports to be a legitimate piece of software, but offers no functionality beyond downloading the backdoor.
MacUpdate has now been alerted to the issue, and has removed download links to the utility and delisted it from its search results.
However, EasyDoc Converter is likely hosted on scores of different websites, and there could potentially be plenty of other fake pieces of software serving to distribute the backdoor.
***
Since February, a number of Apple users have reported locked devices displaying ransom demands written in Russian.
Earlier this week, a security professional posted a message to a private email group requesting information related to a possible compromise of at least 40 million iCloud accounts.
Salted Hash started digging around on this story after the email came to our attention.
In it, a list member questioned the others about a rumor concerning "rumblings of a massive (40 million) data breach at Apple."
The message goes on to state that the alleged breach was conducted by a Russian actor, and that the vector "seems to be via iCloud to the 'locate device' feature, and is then locking the device and asking for money."
Separately, Salted Hash reports that three websites owned by Penton Technology -- MacForums.com, HotScripts.com, and WebHostingTalk.com -- have been compromised and that their databases are now being sold on the Darknet.
While nothing is confirmed, it is possible that some of the rumored 40 million compromised Apple ID credentials came from these forums, or from the recently leaked LinkedIn credentials, reused by their owners on iCloud.