Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users

Cybersecurity researchers have taken the wraps off a previously undocumented spyware targeting the Apple macOS operating system.

The malware, codenamed CloudMensis by Slovak cybersecurity firm ESET, is said to exclusively use public cloud storage services such as pCloud, Yandex Disk, and Dropbox for receiving attacker commands and exfiltrating files.

“Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures,” ESET researcher Marc-Etienne M.Léveillé said in a report published today.

CloudMensis, written in Objective-C, was first discovered in April 2022 and is designed to strike both Intel and Apple silicon architectures. The initial infection vector for the attacks and the targets remain unknown as yet. But its very limited distribution is an indication that the malware is being used as part of a highly targeted operation directed against entities of interest.

The attack chain spotted by ESET abuses code execution and administrative privileges to launch a first-stage payload that’s utilized to fetch and execute a second-stage malware hosted on pCloud, which, in turn, exfiltrates documents, screenshots, and email attachments, among others.

The first-stage downloader is also known to erase traces of Safari sandbox escape and privilege escalation exploits that make use of four now-resolved security flaws in 2017, suggesting that CloudMensis may have flown under the radar for many years.

The implant also comes with features to bypass the Transparency, Consent, and Control (TCC) security framework, which aims to ensure that all apps obtain user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive, and network volumes.

It achieves this by exploiting another patched security vulnerability tracked as CVE-2020-9934 that came to light in 2020. Other functions supported by the backdoor include getting the list of running processes, capturing screenshots, listing files from removable storage devices, and running shell commands and other arbitrary payloads.

On top of that, an analysis of metadata from the cloud storage infrastructure shows that the pCloud accounts were created on January 19, 2022, with the compromises commencing on February 4 and peaking in March.

“The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced,” M.Léveillé said. “Nonetheless a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

How to Craft Rich Data-Driven Infographics with Powered Template

How to Craft Rich Data-Driven Infographics with Powered Template

We’re living in a data-driven world, and this means that it’s imperative to share information in the most engaging and…
Meta Fined €265 million in Facebook Data Scraping Case in the EU

Meta Fined €265 million in Facebook Data Scraping Case in the EU

Ireland’s Data Protection Commissioner (DPC) has placed yet another fine of €265 million ($277 million) on Meta following Facebook’s data…
Critical Flaw Exploited to Bypass Fortinet Products and Compromise Orgs

Critical Flaw Exploited to Bypass Fortinet Products and Compromise Orgs

While performing routine monitoring, Cyble’s Global Sensor Intelligence (GIS) discovered a threat actor is distributing unauthorized access to several Fortinet…