
New Mac malware tries to hook your webcam up to the Dark Web

Mac malware is sufficiently rare, at least compared to Windows and Android, that new OS X malware strains often get a lot of attention.

That’s both good and bad.

It’s good, because it reminds us all that Macs aren’t magically immune to cybercriminality, and that basing your digital lifestyle on that assumption would be a risky strategy.

And it’s bad, because it tends to bring out extreme views, with one side saying that the fuss about Mac malware is no better than unwarranted exaggeration, and the other side accusing Mac users of being credulous fanbuoys (and gurlz).

Nevertheless, Mac malware is often technically interesting, and offers an intriguing insight into online cybercriminality.

So, we thought you’d enjoy an article about the recently-discovered OSX/Eleanor-A malware.

This malware shows how crooks who don’t know a lot about programming can nevertheless easily and cheaply construct devious attack tools from everyday components.

By the way, we’ve tried to be unjudgmental, and to leave you to decide for yourself how safe the Mac ecosystem is against cybercrooks.

OSX/Eleanor-A

Briefly summarised, OSX/Eleanor-A works like this:

The crooks used a free tool called Platypus to package all these components into a single application download that masquerades as EasyDoc Converter.

In other words, the crooks have used a bunch of free and non-malicious tools to construct a surprisingly interesting malware sample with just a few lines of Bash shell script to tie the pieces together.

The malware doesn’t need administrative privileges to run, so you won’t see any unexpected “enter your administration password” prompts.

What to look for

The app itself looks like this, and produces a simple-looking drag-and-drop window when you run it:

The Drop files here window doesn’t do anything; it serves merely as a decoy that you’ll probably drop a few documents onto before figuring out that the program doesn’t work as you expected.

The obvious next step is to close the app, drag it into the trash, and try another free converter app instead.

By this time, however, it’s too late, because the malware will already have created the following folder and files:

On Unix and Unix-like systems, including OS X, directories whose names start with a dot (also called a full stop or period) are hidden, so they don’t show up in the Mac Finder or even in a default file listing in a terminal window (ls only shows them if you add the -a option).

Even if you spot this hidden directory, the name .dropbox gives the files an aura of likely legitimacy.

(In the above list, conn is a copy of the Tor software that’s included in the malware app bundle; ego.php is a PHP admin shell known as “b374k”; and dbd is a copy of the PHP program from OS X’s own /usr/bin directory.)

The hidden background programs are kicked off as Mac services, known as LaunchAgents, using OS X’s launchctl program.

LaunchAgents are controlled by configuration files in the Library/LaunchAgents directory (the one inside your home folder, which is why no administrator password is needed); the malware continues its Dropbox-flavoured disguise by creating these three plist files:

(The extension .plist is short for Property List, an XML-style file format that’s widely used by OS X applications.)

You can view plists with the command plutil -p, as we’ve done here:
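The persistence pattern described above (a per-user LaunchAgent whose program lives in a dot-prefixed folder such as .dropbox) is easy to check for with a few lines of code. The script below is an added example, not code from the article or from Sophos: it parses every plist in a home folder’s Library/LaunchAgents directory with Python’s standard plistlib, and flags any job whose executable sits inside a hidden directory under that home folder, listing whatever else was dropped next to it. The sample home folder it builds is constructed for the demo; the com.getdropbox.dropbox.timegrabber label and the file names conn, dbd, ego.php and check_hostname come from the article, but the .dropbox/check_hostname program path and the plist contents are assumptions, not copies of the malware’s real files.

```python
# Added example: triage per-user LaunchAgents for programs launched from hidden
# (dot-prefixed) directories under the home folder. The sample home folder,
# plist bodies and program path are constructed for this demo; only the label
# and the file names in the hidden directory are taken from the article.
import plistlib
import tempfile
from pathlib import Path
from typing import Optional


def program_path(plist: dict) -> Optional[str]:
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def hidden_dir_under(path: str, home: Path) -> Optional[Path]:
    """If `path` lies below `home` inside a dot-prefixed directory, return that directory."""
    try:
        rel = Path(path).relative_to(home)
    except ValueError:
        return None  # outside the home folder, e.g. /Applications or /usr/bin
    for i, part in enumerate(rel.parts[:-1]):  # directories only, not the file itself
        if part.startswith("."):
            return home.joinpath(*rel.parts[: i + 1])
    return None


def triage_launch_agents(home: Path) -> list:
    """Describe every job in <home>/Library/LaunchAgents and flag hidden-dir programs."""
    findings = []
    for plist_file in sorted((home / "Library" / "LaunchAgents").glob("*.plist")):
        with plist_file.open("rb") as fh:
            data = plistlib.load(fh)  # handles both XML and binary plists
        prog = program_path(data)
        hidden = hidden_dir_under(prog, home) if prog else None
        findings.append({
            "file": plist_file.name,
            "label": data.get("Label"),
            "program": prog,
            "run_at_load": bool(data.get("RunAtLoad", False)),
            "keep_alive": bool(data.get("KeepAlive", False)),
            "hidden_dir": str(hidden) if hidden else None,
            # whatever else was dropped beside the program deserves a look too
            "siblings": sorted(p.name for p in hidden.iterdir()) if hidden else [],
        })
    return findings


def build_sample_home() -> Path:
    """Construct a throwaway home folder mimicking the layout described in the article."""
    home = Path(tempfile.mkdtemp(prefix="launchagent-demo-"))
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    stash = home / ".dropbox"  # hidden directory name from the article
    stash.mkdir()
    for name in ("conn", "dbd", "ego.php", "check_hostname"):  # file names from the article
        (stash / name).write_bytes(b"")  # contents are irrelevant for the demo
    # A benign-looking job: its program lives inside an app bundle (constructed).
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
              "RunAtLoad": True}
    # A suspicious job: vendor-style label, but the program sits in ~/.dropbox.
    # The label is the disguise named in the article; the path is an assumption.
    suspicious = {"Label": "com.getdropbox.dropbox.timegrabber",
                  "ProgramArguments": [str(stash / "check_hostname")],
                  "RunAtLoad": True, "KeepAlive": True}
    for job in (benign, suspicious):
        (agents / f"{job['Label']}.plist").write_bytes(plistlib.dumps(job))
    return home


if __name__ == "__main__":
    for f in triage_launch_agents(build_sample_home()):
        verdict = "SUSPICIOUS" if f["hidden_dir"] else "ok"
        print(f"{verdict:10} {f['label']:40} -> {f['program']}")
```

On a real Mac you would point triage_launch_agents at Path.home() instead of the constructed folder; a job flagged this way is not automatically malicious, but a vendor-style label paired with a program in a hidden folder is exactly the combination worth examining with plutil -p and a look at the directory’s contents.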

How it works

The check_hostname script is component #3 listed above, and it’s responsible for exfiltrating the name of the Tor hidden service that the crooks need to access your Mac remotely:

The script works like this:

Because the crooks embedded their Pastebin access keys in the script, other crooks could potentially read the uploaded data and use it for free, so they added public-key encryption to shield the uploaded computer names from prying eyes.

If the upload succeeds, the exfiltration script, masquerading as com.getdropbox.dropbox.timegrabber, is no longer needed and removes itself.

Once the crooks know the name of your hidden Tor service, they can connect to it anonymously by using the Tor Browser.

Their Tor Browser connects to your hidden service over Tor’s “onion network”, and the copy of Tor running on your computer relays their traffic to the PHP admin shell:

The shell has a wide range of functions, including a file browser, a process manager, and a general-purpose terminal window where the crooks can run any command, just as if they had opened the Terminal app on your computer:

Peeking through your webcam

Above, we mentioned that the malware includes a copy of a free webcam control program called wacaw:

The good news, as far as we can tell, is that Wacaw is a rather old utility, and no longer works, at least on the latest version of OS X.

The bad news, however, is that the PHP admin shell makes it easy for the crooks to upload any other software they want, and thus to replace the old utility with a new one.

Additionally, the file shown above with the strange name deamon.php (the usual spelling is “daemon”, the common term for a background process on Unix) is a web-based remote control tool that supports the following commands:

What to do?

You’re unlikely to encounter this malware, and if you do download it and try to run it, you will see a warning like this one by default:

That’s because the app isn’t signed with a cryptographic key issued to a registered Apple developer, and OS X’s default security setting is as follows:

This doesn’t give you complete protection, of course, not least because crooks can acquire or steal developer keys and thus make their software look legitimate, at least until Apple revokes the offending key.

So, if you haven’t already, please consider using a real-time anti-virus on your Mac, even (or perhaps especially) if you have managed unharmed for years without one.

Sophos Home is 100% free, and protects both Macs and Windows computers on your home network.

Even if you never encounter any Mac-specific threats, a good OS X anti-virus will mop up any Windows nasties that your friends or family might bring near your beloved Mac…

…and friends don’t let friends go unwarned about malware!
