Researchers from ESET, Europe’s leading security vendor, have discovered a previously unknown macOS backdoor that spies on compromised Mac users and exclusively uses public cloud storage services to communicate with its operators. Named CloudMensis by ESET, its features make it clear that operators’ intention is to gather information from victims’ Macs by exfiltrating documents and keystrokes, listing emails, attachments, and files on storages. removable, and taking screenshots.

CloudMensis is a threat to Mac users, but its very limited distribution suggests it is being used as part of a targeted campaign. From what ESET Research found, operators of this malware family deploy CloudMensis on specific targets that are of high interest to them. The use of vulnerabilities to bypass macOS mitigations shows that malware operators are actively trying to maximize the success of their espionage campaigns. According to our research, no unknown (zero day) vulnerabilities are used by this group of hackers. It is recommended to use an up-to-date Mac to avoid, at least, the mitigations being circumvented.

“We still don’t know how CloudMensis is initially released and who the targets are. The overall quality of the code and the lack of obfuscation shows that the authors may not be experienced Mac developers and not that advanced. Nevertheless, a lot of resources have been invested to make CloudMensis a powerful spy tool and a threat to potential targets,” explains Marc-Etienne Léveillé, researcher at ESET who analyzed CloudMensis.

After CloudMensis is granted administrator and code execution privileges, a first malware is launched to fetch a second, more feature-rich module from a cloud storage service.

This second stage is a much larger component, with a number of features to collect information about the compromised Mac. The attackers’ intent here is clearly to exfiltrate documents, screenshots, email attachments and other sensitive data. A total of 39 commands are currently available.

Experts Discover New CloudMensis Spyware Targeting Apple macOS Users

The malware, codenamed CloudMensis by the Slovak cybersecurity company ESET, would exclusively use public cloud storage services such as pCloud, Yandex Disk and Dropbox to receive commands from attackers and exfiltrate files.

“Its capabilities make it clear that the intent of its operators is to gather information about victims’ Macs by exfiltrating documents, keystrokes and screenshots,” said Marc-Etienne M. Léveillé, a researcher at ESET. said in a report released today.

CloudMensis, written in Objective-C, was first discovered in April 2022 and is designed to hit both Intel and Apple silicon architectures. The initial infection vector of the attacks and the targets are still unknown. But its very limited distribution is an indication that the malware is being used in a highly targeted operation against entities of interest.

The attack chain spotted by ESET abuses code execution and administrative privileges to launch a first-stage payload that is used to retrieve and execute second-stage malware hosted on pCloud, which in turn exfiltrates documents, screenshots, and email attachments, among others.

Categorized in: