A new piece of Mac malware has been getting a lot of press lately, dubbed Backdoor.MAC.Elanor (also spelled Eleanor on some sites) by the Bitdefender researchers who discovered it. While this malware has a very malicious payload, the odds of encountering it in the wild are extremely small; in my opinion it likely infected fewer than 100 Macs in total.
The only way a Mac could have been infected by Backdoor.MAC.Elanor was if the user manually downloaded an app named EasyDoc Converter, specifically from macupdate.com, between 3/16/16 and 7/5/16. This malware does not self-propagate and is not a virus; it falls into the Trojan horse category.
Macupdate.com removed the download link for this fake app on 7/5/16 (labeling it as discontinued), the same day Bitdefender reported it as containing malware. From what I can tell, EasyDoc Converter was never a real app, was not made available on the Mac App Store, and I was unable to find it posted anywhere other than macupdate.com (despite what some other news stories claim). Only 117 downloads were tracked by macupdate.com before the download link was pulled.
Backdoor.MAC.Elanor was automatically blocked by Apple's Gatekeeper system, included with OS X 10.7.5 and later, which by default refuses to open a downloaded app that is not signed with an Apple-issued Developer ID certificate. Savvy Mac users can easily bypass Gatekeeper, however, either by changing the "Allow apps downloaded from" setting in the Security & Privacy system preference pane or by right-clicking the app and choosing Open, so the block only protects users who leave it alone.
Apple has the ability to add Backdoor.MAC.Elanor to its XProtect definitions, however it may choose not to because so few Macs were potentially infected. XProtect is Apple's built-in anti-malware system, included with OS X 10.6 and later; its definitions are a signature list that Apple updates automatically in the background. Note that XProtect only checks files that carry the quarantine attribute set by a browser or other downloader, at the moment they are first opened, so it will not clean up a Mac that is already infected.
If you suspect that a Mac is infected by Backdoor.MAC.Elanor, look in the /Applications folder for an app named EasyDoc Converter. If it is there, move it to the Trash and then run the free version of Malwarebytes for Mac to clean things up; trashing the app bundle alone does not remove anything a backdoor may have installed elsewhere, which is why the scanner step matters.
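The checks described in the last three paragraphs (is the app installed, is Gatekeeper still on, do the XProtect definitions know the name yet) can be scripted. The following triage script is an added example, not code from the original post or from Bitdefender. Every path is a parameter so the functions can be run against a constructed directory tree on any POSIX system; spctl exists only on macOS and is skipped when absent. The XProtect.plist locations are the ones Apple has used across OS X releases; the sample tree and its XProtect.plist snippet are constructed for the demonstration and are not real malware or real Apple definitions.

```shell
#!/bin/sh
# Added example (not from the original post or Bitdefender): triage for the
# EasyDoc Converter Trojan. Paths are parameters so the checks can be run
# against a constructed tree; spctl is macOS-only and is skipped if missing.

# Names used for this malware by the post and the vendor, plus the app name.
ELANOR_PATTERN='Elanor|Eleanor|EasyDoc'

# XProtect definitions locations Apple has used, newest first
# (10.15+, 10.11-10.14, 10.6-10.10).
XPROTECT_CANDIDATES='
/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist
/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
'

# find_easydoc [APPS_DIR]: print the bundle path and return 0 if an app named
# "EasyDoc Converter" is installed under APPS_DIR (default /Applications).
find_easydoc() {
    bundle="${1:-/Applications}/EasyDoc Converter.app"
    [ -d "$bundle" ] || return 1
    printf '%s\n' "$bundle"
}

# xprotect_covers [PLIST]: 0 if the definitions mention this malware,
# 1 if they do not, 2 if no definitions file could be found.
xprotect_covers() {
    plist="$1"
    if [ -z "$plist" ]; then
        for candidate in $XPROTECT_CANDIDATES; do
            if [ -f "$candidate" ]; then plist="$candidate"; break; fi
        done
    fi
    [ -f "$plist" ] || return 2
    grep -Eiq "$ELANOR_PATTERN" "$plist"
}

# gatekeeper_status: echo enabled, disabled, or unknown (no spctl available).
gatekeeper_status() {
    command -v spctl >/dev/null 2>&1 || { echo unknown; return 0; }
    case "$(spctl --status 2>/dev/null)" in
        *disabled*) echo disabled ;;
        *enabled*)  echo enabled ;;
        *)          echo unknown ;;
    esac
}

# trash_bundle BUNDLE [TRASH_DIR]: the removal step from the post, moving the
# app bundle into the user's Trash (or any directory you name).
trash_bundle() {
    trash="${2:-$HOME/.Trash}"
    mkdir -p "$trash" && mv "$1" "$trash/"
}

# build_sample_tree ROOT: constructed fixture (not real malware, not Apple's
# real definitions) with an empty "EasyDoc Converter" bundle and a minimal
# XProtect.plist that lists the name, so the checks can be exercised offline.
build_sample_tree() {
    mkdir -p "$1/Applications/EasyDoc Converter.app/Contents/MacOS"
    cat >"$1/XProtect.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array><dict>
  <key>Description</key><string>OSX.Eleanor (constructed sample entry)</string>
</dict></array></plist>
EOF
}

# triage [APPS_DIR] [XPROTECT_PLIST]: run every check, print a summary and
# return 1 if the Trojan is installed, 0 if it is not.
triage() {
    echo "Gatekeeper: $(gatekeeper_status)"
    rc=0; xprotect_covers "$2" || rc=$?
    case $rc in
        0) echo "XProtect: definition present" ;;
        2) echo "XProtect: definitions file not found" ;;
        *) echo "XProtect: no definition for this malware" ;;
    esac
    if bundle=$(find_easydoc "$1"); then
        echo "FOUND: $bundle  (move to Trash, then run a malware scanner)"
        return 1
    fi
    echo "EasyDoc Converter is not installed"
}

# Live system:  sh elanor_triage.sh --run      Fixture:  sh elanor_triage.sh --demo
case "${1:-}" in
    --run)  triage ;;
    --demo) d=$(mktemp -d); build_sample_tree "$d"
            triage "$d/Applications" "$d/XProtect.plist"; rm -rf "$d" ;;
esac
```

The exit status of `triage` is meant for fleet use: run it over SSH or with a management tool and collect the machines that return 1. The Trash move is only the first step the post describes; the scanner run still has to follow.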
While I’m posting about macupdate.com, this is another ideal opportunity for me to remind everyone: “Never download ANYTHING from macupdate.com!!” If you want to download an app, either download it directly from the vendor’s website or through the Mac App Store. Back in the day macupdate.com was a helpful site that I recommended to people, but they are now known to wrap many of their popular app downloads in adware installers. This means that if you downloaded something from macupdate.com, there’s a good chance you inadvertently also installed adware such as Genieo, Spigot, Conduit, or VSearch.
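Adware of the kind named above usually keeps itself running through launchd items in the LaunchAgents and LaunchDaemons folders, so those folders are the first place to look for it on a Mac that has been used with macupdate.com. The scan below is an added example, not code from the original post or from any of the products mentioned. It greps each launchd plist for the four family names and extracts the Label and the program path with a small awk parser; the directories are parameters so the scan can be pointed at a constructed fixture on any POSIX system. The sample agents it builds (`com.example.*`) are constructed for the demonstration and are not the real file names used by any adware.

```shell
#!/bin/sh
# Added example (not from the original post): look for the adware families
# named above in launchd items, the usual persistence mechanism for adware
# bundled with third-party download wrappers. Directories are parameters so
# the scan can be run against a constructed fixture (build_sample_agents).

# Family names from the post, matched case-insensitively against the whole
# plist text (the Label and the program path normally carry the name).
ADWARE_PATTERN='genieo|spigot|conduit|vsearch'

# plist_value FILE KEY: print the first <string> that follows <key>KEY</key>
# in an XML launchd plist (for ProgramArguments that is the executable).
# Binary plists must be converted first with `plutil -convert xml1` (macOS).
plist_value() {
    awk -v key="<key>$2</key>" '
        !want && index($0, key) { want = 1; sub(/.*<\/key>/, "") }
        want && /<string>/ { gsub(/.*<string>|<\/string>.*/, ""); print; exit }
    ' "$1"
}

# scan_launch_items [DIR ...]: print "FILE<TAB>LABEL<TAB>PROGRAM" for every
# plist that mentions a known adware family; return 0 if any hit, else 1.
# With no arguments it scans the standard macOS launchd item folders.
scan_launch_items() {
    if [ $# -eq 0 ]; then
        set -- "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
    fi
    hits=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.plist; do
            [ -f "$f" ] || continue
            grep -Eiq "$ADWARE_PATTERN" "$f" || continue
            printf '%s\t%s\t%s\n' "$f" "$(plist_value "$f" Label)" \
                "$(plist_value "$f" ProgramArguments)"
            hits=$((hits + 1))
        done
    done
    [ "$hits" -gt 0 ]
}

# write_agent FILE LABEL PROGRAM: write a minimal launchd agent plist.
write_agent() {
    cat >"$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$2</string>
    <key>ProgramArguments</key>
    <array>
        <string>$3</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# build_sample_agents DIR: constructed fixture (names invented for this
# example, not taken from real adware): a Genieo-style agent, a VSearch-style
# agent and one benign agent, so the scan can be exercised offline.
build_sample_agents() {
    mkdir -p "$1"
    write_agent "$1/com.example.genieo.helper.plist" com.example.genieo.helper \
        "/Users/example/Library/Application Support/Genieo/helper"
    write_agent "$1/com.example.vsearch.agent.plist" com.example.vsearch.agent \
        "/Library/Application Support/VSearch/agent"
    write_agent "$1/com.example.backup.plist" com.example.backup /usr/local/bin/backup
}

# Live system:  sh adware_scan.sh --run      Fixture:  sh adware_scan.sh --demo
case "${1:-}" in
    --run)  scan_launch_items || echo "no known adware launch items found" ;;
    --demo) d=$(mktemp -d); build_sample_agents "$d"; scan_launch_items "$d"; rm -rf "$d" ;;
esac
```

A hit is a lead, not a verdict: confirm by reading the plist and the program it points at before unloading it with `launchctl unload` and deleting it, and run the scanner mentioned above afterwards, since these families also drop browser extensions and support folders that a launchd scan does not see.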