Meet Eleanor, the Mac malware that uses Tor to obtain full access to systems

“The possibilities are endless” with this malware, claim researchers.

David bisson
David Bisson

Meet Eleanor. The Mac malware that uses Tor to obtain full access to systems

Researchers have spotted a new type of malware that uses the Tor anonymizing service to obtain full access to an infected Mac system.

The security team at Bitdefender Labs explain in a report that the malware, dubbed Backdoor.MAC.Eleanor, arrives at a Mac user’s doorstep as a seemingly innocuous drag-and-drop converter application called EasyDoc

Easydoc Convertor

Sign up to our free newsletter.
Security news, advice, and tips.

Of course, the app doesn’t do anything that it says it does. Instead it executes a script that installs three components onto the Mac system.

The first component creates a Tor Hidden Service by which an attacker can connect to a backdoor on the infected machine via a Tor-generated address or “hostname.”

That backdoor, otherwise known as Web Service (PHP), is the installer’s second component. It provides the attacker with control over the infected machine via the use of a browser-based, authenticated control panel. Specifically, a bad actor can play around with a file manager, execute scripts and commands, send mail, and more.

Eleanor backdoor

But that’s not all the second component does. The research team at Bitdefender Labs, which developed a vaccine for several well-known crypto-ransomware families earlier in 2016, explains more in their report:

“The malware also has the ability to capture images and videos from the users’ webcams, using a tool found in ‘~/Library/.dropbox/utilities/wacaw’ ( This way,the attacker can view the image gallery…”


The third and final component installed by the script is a Pastebin agent. Each and every infected machine is given a unique Tor address. This agent uploads those addresses, which have been encrypted using RSA and base64, to

The first known infection of Backdoor.MAC.Eleanor first occurred back in April. Researchers are still looking into who might be behind those posts to the Pastebin site.

In the meantime, that bad actor can continue to use the malware to do whatever they want with an infected machine, as Tiberius Axinte, technical leader of Bitdefender Antimalware Lab, explains in a post:

“This type of malware is particularly dangerous as it’s hard to detect and offers the attacker full control of the compromised system. For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices. The possibilities are endless.”

The fake converter app is not signed by Apple. With that in mind, users are urged to not install any applications onto their computers unless they come from reputable services. For added protection, users should consider installing an anti-virus solution onto their computers.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.