Researchers at cybersecurity firm ESET have discovered a previously unknown macOS malware that leverages cloud storage to spy on compromised devices.
The malware, which the team has dubbed CloudMensis, is a macOS backdoor that can exfiltrate keystrokes, documents, screen captures, and other data from an affected Mac. It can also list email messages and attachments and files from removable storage.
CloudMensis uses publicly available cloud storage systems — such as pCloud, Yandex Disk, and Dropbox — to communicate with its operators. It uses the names of months as directory names.
According to the security researchers, the very first Mac compromised by CloudMensis was attacked on Feb. 4, 2022. That suggests that the malware is a recent entry into the broader Mac ecosystem.
The malware has very limited distribution, however. That hints at a much more targeted operation, with researchers stating that the malware operators are picking specific targets that interest them.
At this point, it does not appear that the malware uses any zero-day vulnerabilities. Instead, it uses previously known flaws to bypass macOS mitigations. Because of that, a properly updated Mac should be relatively safe from the malware.
Once CloudMensis achieves code execution and administrative privileges, it runs another piece of malware that retrieves a feature-rich second stage. That second stage has roughly 39 surveillance commands designed to collect information from compromised Macs.
"We still do not know how CloudMensis is initially distributed and who the targets are," said researcher Marc-Etienne Leveille. "The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets."
Who's at risk and how to protect yourself
Because the malware appears to be a targeted campaign, most Mac users are safe from CloudMensis. As noted by the ESET security researchers, keeping a Mac up-to-date is also an effective mitigation against the attack.
It's also a good idea to only download apps from sources that you explicitly trust, such as the Mac App Store.
2 Comments
No obfuscation generally means a lack of concern over subsequent identification of the coders. This might be a nation-state effort rather than a bunch of bored students.