Recently Bitdefender found a new malware that installs backdoors into the Mac operating system which grants attackers full access to Mac Systems
. The malware has been called “Backdoor.MAC.Elanor” and has been discovered by researchers at Bitdefender security.
As we have already mentioned that we are dedicated to installing backdoors in the operating system so that the attackers may have full access, including user data or can take control of the webcam, execute arbitrary code and much more.
As a means of distribution used a false file conversion application known as EasyDoc Converter.app, which can be found in places widely used by Mac users when seeking applications to install, according to the Bitdefender security.
Initially, the researchers found it difficult to accurately determine the means by which infection occurs. Most likely, the backdoor
is distributed via spam messages, but it can also get on the system through applications downloaded from untrusted sources. As explained by the experts, one of the loader components distributed via ZIP-file.
As the ZIP-file contains the executable file in the Mach-O format, which disguised as a text or JPEG-file. However, at the end of the expansion, there is a space, when you double click on the “ZIP-file” the file opens it in the Terminal, and not in TextEdit or Preview as regular files. Since the Finder file manager identifies the icon of the executable file as a JPEG or TXT, the user is unlikely to suspect that something was wrong and are likely to open it.
The backdoor, packed with a modified version of the UPX, seeking persistence on the system, setting PLIST-file in the “/Library/LaunchAgents/(if available superuser) or $ USER” and “/Library/ LaunchAgents/ (without root access)”. The Icloudsyncd executable file is stored in the “Library/Application Support/com.apple.iCloud.sync.daemon directory”.
However, the Mac have an increased security step known as “Gatekeeper”, which is located in the System Preferences under Security & Privacy. By default, it prevents running any unsigned applications from the unidentified sources or developers. So, if you download an unsigned application from any unidentified source then the Mac App Store will try to run it, but, ultimately you will get a message that “stating the application cannot be opened”. Hence, the Gatekeeper would have blocked the malware, if it is enabled.