
It is a macOS backdoor that spies on compromised Mac users, using cloud storage services as its command-and-control channel and to exfiltrate data.
Researchers at ESET, a global European leader in the cybersecurity market, have discovered a previously unknown macOS backdoor that spies on compromised Mac users and communicates with its operators exclusively through public cloud storage services. The malware, which ESET named CloudMensis because it uses the names of the months to name its directories, has capabilities that clearly show the attackers' intent to gather information from victims' Macs: exfiltrating documents and keystrokes, listing email messages and attachments, listing files on removable storage, and capturing screenshots.
CloudMensis is a threat to Mac users, but its very limited distribution suggests that it is used as part of a targeted operation. According to ESET Research, the operators of this malware family deploy CloudMensis against specific targets of interest to them. The use of vulnerabilities to bypass macOS mitigations shows that the attackers are actively trying to maximize the success of their espionage operations. At the same time, no zero-day vulnerabilities used by this group were identified during the research. Keeping Macs up to date is therefore advisable, to prevent at least the known bypasses of the system's protections.
"We do not yet know how CloudMensis is initially distributed or who the targets are. The general quality of the code and the lack of obfuscation show that the authors may not be very familiar with Mac development and are not that advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a threat to potential targets," explains Marc-Etienne Léveillé, the ESET researcher who analyzed CloudMensis.
Once code execution and administrative privileges have been obtained, CloudMensis runs a first-stage malware component that retrieves a second, more feature-rich stage from a cloud storage service.
This second stage is a much larger component, equipped with a set of features for collecting information from compromised Macs. The attackers' intent is clearly to exfiltrate documents, screenshots, email attachments and other sensitive data. In total, 39 commands have been identified.
CloudMensis uses cloud storage both to receive commands from its operators and to exfiltrate files. It supports three different providers: pCloud, Yandex Disk and Dropbox. The configuration embedded in the analyzed sample contains authentication tokens for pCloud and Yandex Disk.
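Because the backdoor blends in by talking only to legitimate cloud storage APIs, a defender's first question is which processes on a Mac contact those providers at all. The following detection sketch is an added example, not ESET's code and not derived from the CloudMensis sample: it scans constructed, tab-separated endpoint records ("timestamp, process, destination host") and flags any process other than an allowlisted official client or browser that reaches a pCloud, Yandex Disk or Dropbox host. The host suffixes, the allowlist and the process name `com.example.updater` are assumptions for illustration, not published indicators.

```python
"""Flag unexpected processes contacting the cloud storage providers named above.

Added example (not ESET's code). Input records are constructed and simplified:
"<ISO timestamp>\t<process name>\t<destination host>". Host suffixes and the
allowlist are illustrative assumptions; tune them to your own environment.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed host suffixes per provider (illustrative; verify for your network).
PROVIDER_HOSTS = {
    "pCloud": ("pcloud.com",),
    "Yandex Disk": ("yandex.net", "yandex.ru"),
    "Dropbox": ("dropboxapi.com", "dropbox.com"),
}

# Processes expected to talk to these providers; assumed names for illustration.
ALLOWED_PROCESSES = {
    "Dropbox", "pCloud Drive", "Yandex.Disk", "Safari", "Google Chrome", "firefox",
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    process: str
    host: str
    provider: str


def provider_for(host: str) -> Optional[str]:
    """Return the provider whose suffix matches `host`, or None."""
    host = host.lower().rstrip(".")
    for provider, suffixes in PROVIDER_HOSTS.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return provider
    return None


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a tab-separated record; malformed records yield None."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3 or not all(parts):
        return None
    return parts[0], parts[1], parts[2]


def find_suspicious(lines: Iterable[str]) -> List[Finding]:
    """Keep records where a non-allowlisted process reaches a monitored provider."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records rather than guessing at them
        ts, proc, host = rec
        provider = provider_for(host)
        if provider is None or proc in ALLOWED_PROCESSES:
            continue
        findings.append(Finding(ts, proc, host, provider))
    return findings


# Constructed sample records; "com.example.updater" is a made-up process name.
SAMPLE_LOG = [
    "2022-02-04T09:15:02Z\tDropbox\tapi.dropboxapi.com",
    "2022-02-04T09:15:07Z\tSafari\tdisk.yandex.ru",
    "2022-02-04T09:16:44Z\tcom.example.updater\tapi.pcloud.com",
    "2022-02-04T09:16:51Z\tcom.example.updater\tcloud-api.yandex.net",
    "2022-02-04T09:17:03Z\tSafari\twww.example.com",
    "malformed line without tabs",
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.timestamp} {f.process} -> {f.host} ({f.provider})")
```

The allowlist approach is deliberately coarse: on a managed fleet the set of processes that legitimately use these providers is small, so every other match is worth a triage look, and the per-process grouping makes it easy to spot one binary reaching two providers, which is exactly the pattern described for this sample.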
Metadata from the cloud storage services used reveal interesting details about the operation, for example that it started sending commands to bots on February 4, 2022.
Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS and macOS, which disables features frequently exploited to gain code execution and deploy malware.
For more information about the techniques used by CloudMensis, see the blog post "I see what you did there: a look at the CloudMensis macOS spyware" on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.