ESET Research discovers new cyber threat to Mac users
ESET researchers have discovered a previously unknown macOS backdoor that spies on users of compromised Macs and exclusively uses public cloud storage services to communicate back and forth with its operators.
ESET named the backdoor CloudMensis. Its capabilities clearly show that the operators' intent is to gather information from the victims' Macs by exfiltrating documents and keystrokes, listing email messages and attachments, listing files on removable storage, and capturing the screen.
CloudMensis is a threat to Mac users, but its very limited distribution suggests that it is used as part of a targeted operation. From what ESET Research has seen, operators of this malware family deploy CloudMensis to specific targets that are of interest to them.
The use of vulnerabilities to work around macOS mitigations shows that the malware operators are actively trying to maximise the success of their spying operations. At the same time, no undisclosed vulnerabilities (zero days) were found to be used by this group during our research. Thus, keeping a Mac up to date is recommended, as it at least blocks the known mitigation bypasses.
"We still do not know how CloudMensis is initially distributed and who the targets are. The general quality of the code and lack of obfuscation show the authors may not be very familiar with Mac development and are not so advanced," says ESET researcher Marc-Etienne Léveillé, who analysed CloudMensis.
"Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets."
Kelly Johnson, ESET Australia country manager, says this latest malware, following on from a WebKit exploit that targeted Hong Kong activists via compromised Safari browsers on macOS earlier in the year, highlights that some user groups need to be particularly vigilant in their cybersecurity measures.
"While these types of attacks are small compared to the broader category of malware, groups such as journalists and activists who can reasonably expect to be targeted because of their activities should always ensure their cybersecurity hygiene practices are up to date and consistently applied," Johnson says.
Once CloudMensis gains code execution and administrative privileges, it runs a first-stage malware that retrieves a more featureful second stage from a cloud storage service.
This second stage is a much larger component, packed with a number of features to collect information from the compromised Mac. The intention of the attackers here is clearly to exfiltrate documents, screenshots, email attachments, and other sensitive data. Altogether, there are 39 commands currently available.
CloudMensis uses cloud storage both for receiving commands from its operators and for exfiltrating files. It supports three different providers: pCloud, Yandex Disk, and Dropbox. The configuration included in the analysed sample contains authentication tokens for pCloud and Yandex Disk.
Metadata from the cloud storage services used reveals interesting details about the operation, for example that commands started being transmitted to the bots on February 4, 2022.
Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS, and macOS, which disables features frequently exploited to gain code execution and deploy malware.