Researchers have discovered a new malware targeting macOS devices. Identified as “CloudMensis”, this malware backdoors macOS systems to steal data.
CloudMensis Malware Targeting macOS Systems
According to a recent post from ESET, they found the CloudMensis malware actively targeting macOS systems.
As elaborated, this malware uses cloud services, like Dropbox or pCloud, to communicate with its C2 servers. Hence, the researchers named it “CloudMensis”. The malware exhibits numerous data-stealing and spying capabilities, such as stealing documents, capturing keystrokes, and serving as a backdoor in the target Mac devices.
The researchers could not precisely identify how the malware reached the target systems. Nonetheless, once reached, the malware gains persistence on the target devices and attains admin privileges. Then, the malware executes its two-stage attack process while receiving instructions from the cloud servers.
This first-stage malware retrieves its next stage from a cloud storage provider. It doesn’t use a publicly accessible link; it includes an access token to download the MyExecute file from the drive.
The first stage malware then downloads the payload in the second stage as a system-wide daemon. At this point, the malware exploits the admin privileges to modify the target directories. This second stage malware is a potent malicious component with numerous functionalities to steal documents and execute spying.
For obfuscation, the malware uses its own encryption, “FlowEncrypt”. It also bypasses the macOS security feature TCC that otherwise prevents screen, keyboard, and microphone captures.
The researchers have shared a detailed technical analysis of this malware in their post. They found the malware active since the beginning of this year, running active campaigns at least until April 2022. Nonetheless, they noticed CloudMensis running limited campaigns only, which suggests the attackers’ precision in targeting victims.
The researchers also noticed the attackers exploiting different macOS vulnerabilities and bypassing mitigations to maximize spying. But it uses no zero-day bugs. Thus, the researchers recommend that users keep their Mac up-to-date to avoid this attack. Besides, keeping the devices secured with robust anti-malware can also help prevent malicious attacks from most malware.