How to find out if your Mac is infected with Backdoor.MAC.Eleanor

A new piece of malware targeting Macs was discovered this week. It's called Backdoor.MAC.Eleanor and here's everything you need to know about it and keeping your Mac safe.

On Tuesday, Bitdefender announced its researchers had discovered new malware that's targeting Macs. The malware is referenced as Backdoor.MAC.Eleanor and it's capable of fully compromising your system. With the malware present, attackers can steal files, control your webcam, execute code and more.
So how does it work, how do you know if you're affected and what should you do if you are?

How the malware infects Macs

Hackers often look for exploits with the least resistance, and in many cases that's the unknowing user.
This backdoor is no different. It comes packaged inside what appears to be a legitimate file converter application, called EasyDoc Converter. However, the application doesn't actually work. Once installed, it runs a malicious script which installs a Tor hidden service, allowing attackers to remotely access and control the infected machine. This script sets up a web service which gives attackers the ability to manipulate files, execute commands and scripts, access a list of running processes and applications and send emails with attachments.
The malware also uses a tool called "wacaw," which allows an attacker to capture videos and images using the built-in webcam.
Using this software, Bitdefender warns an attacker could "lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices."

How to know if your Mac is infected

There is some good news, however. Seeing as the malware has only been found packaged in the EasyDoc Converter application, you have to download the application, install it and run it for your machine to have been affected.
Macs have an extra security step called Gatekeeper, which is located in System Preferences under Security & Privacy. By default, it stops unsigned applications from unidentified developers from running. If you download an unsigned application from outside the Mac App Store and try to run it, you will be met with a prompt stating the application cannot be opened.
If you downloaded the application, assuming you don't have Gatekeeper disabled, this prompt would have appeared when you tried running the application. To open the app, you would have to deliberately override the security settings to run the application the first time.
So if you never downloaded the application and/or didn't bypass Gatekeeper settings to run it, your Mac is not infected with the Backdoor.MAC.Eleanor malware.
On the other hand, if you did either, your Mac is may likely infected.

How to get rid of it

If you still have access to your Mac, you're in luck. Malwarebytes and Sophos have already been updated to detect Backdoor.MAC.Eleanor, and any anti-virus software that scans for malware should soon follow suit. To rid your Mac of the malware, download the Malwarebytes Anti-Malware application for Mac or Sophos Home, run a scan immediately and delete any associated files.
To avoid instances like this in the future, ensure Gatekeeper settings are set to only allow applications from the Mac App Store and identified developers. If you need to install an application from an unknown developer, be certain that it's from a trusted source.
Also, consider using an application like BlockBlock to detect the installation of any persistent software. This is not necessarily malware detection, but can help point out applications with components that shouldn't be there. Pair this with a periodic scan with Malwarebytes and more caution when downloading applications from untrustworthy sources and your Mac should remain free of malware.