Researchers at ESET have discovered a Mac operating system backdoor malware that spies on users of compromised computers, the Bratislava, Slovakia-based internet security company reports.
ESET has named the malware “CloudMensis” for its ability to use cloud storage services, exclusively, to communicate with operators.
The malware, which uses the names of months as directory names, gathers information from victims' Macs by exfiltrating documents and keystrokes, listing email messages and attachments, listing files from removable storage, and taking screen captures, ESET reported this week.
ESET believes that CloudMensis' "very limited distribution" is part of a targeted operation. Marc-Etienne Léveillé, an ESET researcher who analyzed CloudMensis, says that there is still much to be learned about the malware:
“We still do not know how CloudMensis is initially distributed and who the targets are. The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”
ESET notes that threat actors distribute CloudMensis to specific targets that are of interest to them. The use of vulnerabilities to work around macOS mitigations shows that the malware operators are actively trying to maximize the success of their spying operations. However, no undisclosed vulnerabilities (zero days) were found to be used by this group.
Metadata from the cloud storage services reveal that the first Mac compromised by this recent campaign was on February 4, 2022, ESET reports.
Updating to Latest Mac Operating System Recommended
CloudMensis uses cloud storage as its Command and Control channel, supporting three different providers: pCloud, Yandex Disk, and Dropbox, according to ESET. The malware can issue 39 commands, including exfiltrating documents, keystrokes and screen captures from compromised Macs.
Once CloudMensis gains code execution and administrative privileges, it runs a first-stage malware that retrieves a more featureful second stage from a cloud storage service, ESET explained. That second stage is a much larger component, packed with a number of features to collect information from the compromised Mac.
To protect against CloudMensis attacks, ESET recommends running an up-to-date macOS to avoid, at least, the mitigation bypasses.
Mid-Threat Malware Mystery
Léveillé described CloudMensis as a “medium-advanced threat.” He noted that unlike NSO Group's formidable Pegasus spyware, CloudMensis builds no zero-day exploits into its code.
Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS, and macOS, which disables features frequently exploited to gain code execution and deploy malware.
As Léveillé explained to Dark Reading:
"We did not see CloudMensis use undisclosed vulnerabilities to bypass Apple's security barriers. However, we did find that CloudMensis used known vulnerabilities on Macs that do not run the latest version of macOS. We do not know how the CloudMensis spyware is installed on victims' Macs, so perhaps they do use undisclosed vulnerabilities for that purpose, but we can only speculate. This places CloudMensis somewhere in the middle in the scale of sophistication, more than average, but not the most sophisticated either."