A previously unknown macOS malware that appears to have been used in targeted attacks to steal sensitive information from infected devices has been examined by researchers at cybersecurity firm ESET.
ESET has classified the new malware, named CloudMensis, as both spyware and a backdoor. It is written in Objective-C and built to run on Macs with either Apple silicon or Intel processors.
Although the method of distribution of the spyware is unknown, the fact that it has only appeared in a small number of attacks since February raises the possibility that threat actors have only deployed it on the systems of certain victims as part of a targeted attack.
A previously unidentified macOS backdoor has been found and is currently being used in the wild to spy on Mac users.
The new malware was first identified by experts at the cybersecurity company ESET and has been given the name CloudMensis. According to ESET, CloudMensis can exfiltrate documents and keystrokes, list email messages and attachments, list items from removable storage, and capture screenshots, proving that its designers intended it to collect information from victims’ Macs.
Although CloudMensis poses a threat to Mac users, its extremely restricted distribution raises the possibility that it is intended to be used as part of a deliberate, targeted operation. From what the experts at ESET have observed so far, the attackers use the malware against particular users who are of interest to them. In a press statement, ESET researcher Marc-Etienne Léveillé offered more details on his examination of CloudMensis, stating:
“We still don’t know who the targets are or how CloudMensis is initially delivered. The writers may not be extremely experienced in Mac development as seen by the generally high calibre of the code and lack of obfuscation. However, a lot of effort went into making CloudMensis a potent eavesdropping device and a threat to potential targets.”
Utilising cloud storage services to gather data
One feature that sets CloudMensis apart from other malware families is the way it uses cloud storage services to expand its capabilities.
According to ESET, once code execution and administrative rights have been obtained on a compromised Mac, the malware runs a first-stage infection that requests a second stage with more features from a cloud storage provider.
The second stage is a considerably larger component with many tools for gathering data from the compromised Mac. With 39 commands currently available, the second stage of CloudMensis is designed to exfiltrate documents, screenshots, email attachments and other data from victims.
CloudMensis employs cloud storage to exfiltrate files as well as to accept instructions from its operators. Currently, it supports three different providers: pCloud, Yandex Disk and Dropbox.
Metadata from the cloud storage providers used by the malware suggests the operators began sending commands to infected machines at the start of February this year.
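The cloud-storage command channel described above suggests a defender-side hunting heuristic: on a Mac, traffic to the APIs of pCloud, Yandex Disk or Dropbox from anything other than the official clients or a browser is worth a look. The script below is an added example, not ESET's code or part of CloudMensis; the API hostnames, the allowlist of expected client binaries, the log line format and the sample log lines are all constructed assumptions for illustration.

```python
import os
import re
from collections import defaultdict

# Assumed public API hostnames of the three providers CloudMensis is reported to use.
CLOUD_STORAGE_HOSTS = {
    "api.pcloud.com": "pCloud",
    "eapi.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}

# Hypothetical allowlist of process names expected to talk to those hosts.
EXPECTED_CLIENTS = {"Dropbox", "pCloud Drive", "Yandex.Disk", "Safari", "Google Chrome", "firefox"}

# Constructed log format: <timestamp> proc="<executable path>" host=<destination host>
LINE_RE = re.compile(r'^(?P<ts>\S+) proc="(?P<proc>[^"]+)" host=(?P<host>\S+)$')


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspect_cloud_c2(lines, min_hits=2):
    """Map each unexpected process to {provider: count} of cloud-storage API contacts.

    Processes whose executable name is in EXPECTED_CLIENTS are ignored; so are
    processes seen fewer than min_hits times in total (one-off lookups are noisy)."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        provider = CLOUD_STORAGE_HOSTS.get(rec["host"].lower())
        if provider and os.path.basename(rec["proc"]) not in EXPECTED_CLIENTS:
            hits[rec["proc"]][provider] += 1
    return {p: dict(v) for p, v in hits.items() if sum(v.values()) >= min_hits}


# Constructed sample log: one legitimate client, one browser, one hidden binary beaconing.
SAMPLE_LOG = [
    '2022-02-04T10:00:01Z proc="/Applications/Dropbox.app/Contents/MacOS/Dropbox" host=api.dropboxapi.com',
    '2022-02-04T10:00:05Z proc="/Applications/Safari.app/Contents/MacOS/Safari" host=www.example.com',
    '2022-02-04T10:01:10Z proc="/Users/Shared/.hidden/updater" host=api.pcloud.com',
    '2022-02-04T10:01:40Z proc="/Users/Shared/.hidden/updater" host=api.pcloud.com',
    '2022-02-04T10:02:00Z proc="/Users/Shared/.hidden/updater" host=cloud-api.yandex.net',
    '2022-02-04T10:03:00Z proc="/usr/bin/curl" host=content.dropboxapi.com',
]
```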
Rescue with Lockdown Mode, but not yet
When iOS 16, iPadOS 16, and macOS Ventura are released this autumn, Apple’s new Lockdown Mode for iPhones, iPads, and Macs will help users of the company’s devices avoid becoming infected with malware.
By restricting many of the capabilities cybercriminals typically rely on to gain code execution and install malware, Lockdown Mode can stop these kinds of infections.
ESET’s study found no zero-days or undisclosed vulnerabilities being used by the people behind CloudMensis, so the best thing you can do right now to defend yourself is to make sure your Mac and other Apple devices are running the most recent software.
Meanwhile, Apple
Apple is aiming to make it harder to compromise its products. The technology giant has unveiled an operating system Lockdown Mode that should give users of iOS, iPadOS and macOS further defence against state-sponsored mercenary spyware.
macOS malware is constantly evolving. In 2021, eight new malware families appeared, including ElectrumStealer, SilverSparrow, XcodeSpy, WildPressure, XLoader, ZuRu and CDDS (aka MacMa).