A newly discovered macOS malware strain, dubbed “CloudMensis,” is a previously unknown backdoor that could be used to spy on users of compromised Macs.
Discovered by the cybersecurity firm ESET, the malware was named CloudMensis for the way it uses cloud storage services. ESET's research indicates the first Mac was compromised on Feb. 4, 2022.
The malware uses public cloud storage services to communicate with its operators. According to ESET, the operators' intent is to gather information from victims' Macs by exfiltrating documents and keystrokes, listing email messages and attachments, listing files on removable storage, and capturing screenshots.
ESET researcher Marc-Etienne Léveillé, who believes the operators may not have a firm grasp of Mac development, offered the following statement on the creators, their background, and their likely intentions:
We still do not know how CloudMensis is initially distributed and who the targets are. The general quality of the code and lack of obfuscation show the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.
Reports also suggest this is a targeted operation with limited distribution so far; ESET believes the operators deploy CloudMensis against specific targets of interest to them.
CloudMensis requires code execution and administrative privileges on the Mac before it can run; how the operators obtain them is not yet known. Once they do, it runs a first-stage malware that retrieves a more capable second stage from a cloud storage service. The malware uses cloud storage services such as pCloud, Yandex Disk, and Dropbox to receive commands and exfiltrate files.
In its second stage the malware has 39 commands at its disposal, all aimed at harvesting as much information as possible from compromised Macs. Researchers report that the attackers used them to exfiltrate documents, screenshots, email attachments, and other sensitive data.
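Because CloudMensis hides its command-and-control and exfiltration traffic inside legitimate cloud storage services, one practical hunt on the defender's side is to look for processes that talk to those services' APIs without being the vendor's own client. The Python below is an added example of that heuristic; it is not code from ESET's report or from the malware, and the API hostnames, the expected-client paths, the log format and the log lines are all constructed assumptions for illustration.

```python
"""Hunting heuristic: flag processes that contact cloud-storage APIs but are not
the service's own client application.

Added example, not ESET's code and not CloudMensis indicators. The hostnames,
client paths, log format and log lines below are assumptions for illustration.
"""
import re
from collections import defaultdict

# Assumed public API hosts for the three services named in ESET's report.
CLOUD_STORAGE_API_HOSTS = {
    "api.pcloud.com": "pCloud",
    "eapi.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}

# Assumed: executable path prefixes of the clients expected to use each service.
EXPECTED_CLIENTS = {
    "pCloud": ("/Applications/pCloud Drive.app/",),
    "Yandex Disk": ("/Applications/Yandex.Disk.app/",),
    "Dropbox": ("/Applications/Dropbox.app/",),
}

# Assumed log format: "<timestamp> <pid> <executable path> -> <destination host>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<pid>\d+) (?P<path>.+?) -> (?P<host>\S+)$")

# Constructed sample log; the paths and hosts are made up for this example.
SAMPLE_LOG = """\
2022-02-04T09:12:01Z 512 /Applications/Dropbox.app/Contents/MacOS/Dropbox -> api.dropboxapi.com
2022-02-04T09:12:07Z 731 /Users/Shared/.cache/updater -> api.pcloud.com
2022-02-04T09:12:09Z 731 /Users/Shared/.cache/updater -> api.pcloud.com
2022-02-04T09:13:44Z 800 /Applications/Safari.app/Contents/MacOS/Safari -> www.apple.com
2022-02-04T09:15:02Z 955 /usr/local/bin/sync-tool -> cloud-api.yandex.net
"""


def parse_line(line):
    """Return a dict with ts/pid/path/host for a well-formed line, else None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Return [(pid, path, service, connection_count)] for every process that
    contacted a known cloud-storage API host while not running from the path
    of that service's expected client. Sorted by (pid, path, service)."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the hunt
        service = CLOUD_STORAGE_API_HOSTS.get(rec["host"].lower())
        if service is None:
            continue  # not a cloud-storage API destination
        if rec["path"].startswith(EXPECTED_CLIENTS.get(service, ())):
            continue  # the vendor's own client; expected traffic
        hits[(rec["pid"], rec["path"], service)] += 1
    return [(pid, path, service, n) for (pid, path, service), n in sorted(hits.items())]


if __name__ == "__main__":
    for pid, path, service, n in find_suspicious(SAMPLE_LOG):
        print(f"pid {pid}: {path} contacted {service} API {n} time(s)")
```

Run against the constructed log, the script flags the two unknown binaries contacting the pCloud and Yandex Disk APIs and ignores both the legitimate Dropbox client and the Safari connection. Treat the output as a triage list rather than a verdict: many legitimate third-party applications use these APIs, so each hit still needs to be checked against software inventory and code signing before being escalated.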
Apple has yet to comment officially on CloudMensis. In the meantime, make sure your Mac's operating system and security updates are current, and that any malware protection software you use is also up to date.
Stay tuned for additional details as they become available.
Via The Mac Observer and ESET