CloudMensis spyware is being actively used in the wild to steal private data from Macs – 9to5Mac

Tom’s Guide reports.

A previously unknown backdoor has been discovered in macOS that is currently being exploited in the wild to spy on users of compromised Macs.

First discovered by researchers at the cybersecurity firm ESET, the new malware has been dubbed CloudMensis. According to ESET, its capabilities show that its creators designed it to gather information from victims’ Macs: it can exfiltrate documents and keystrokes, list email messages and attachments, list files from removable storage, and take screen captures.

While CloudMensis is certainly a threat to Mac users, its extremely limited distribution suggests that it is meant to be used as part of a targeted operation. Based on what ESET’s researchers have observed so far, the cybercriminals responsible deploy the malware only against specific users who are of interest to them.

“We still do not know how CloudMensis is initially distributed and who the targets are. The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.” 

While it’s common for malware to “phone home” to receive commands and download additional malware components, this usually means connecting to a private server run by the attacker. CloudMensis is unusual in that it uses ordinary public cloud storage services for this instead of attacker-run infrastructure.

According to ESET, after gaining code execution and administrative privileges on a compromised Mac, the attackers run a first-stage malware that retrieves a second stage with additional features from a cloud storage service.

The second stage is a much larger component that is packed with features to collect information from the compromised Mac. While there are 39 commands currently available, CloudMensis’ second stage is intended to exfiltrate documents, screenshots, email attachments and other information from victims.

CloudMensis uses cloud storage to both receive commands from its operators and to exfiltrate files. Currently, it supports three different providers: pCloud, Yandex Disk and Dropbox.
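One defender-side heuristic that follows from this, added here as an example and not part of the article or ESET’s research: flag processes that talk to these providers’ API hosts when the process is neither the provider’s own client nor a browser. The API hostnames, the allowlist of expected processes and the log format are all assumptions.

```python
from dataclasses import dataclass

# Assumed API hostnames for the three providers the article names.
PROVIDER_HOSTS = {
    "api.pcloud.com": "pCloud",
    "eapi.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}

# Assumed allowlist: processes expected to reach those hosts on a typical Mac.
EXPECTED_PROCESSES = {
    "Dropbox", "pCloud Drive", "Yandex.Disk",
    "Safari", "Google Chrome", "firefox",
}


@dataclass
class Finding:
    pid: int
    process: str
    host: str
    provider: str


def parse_line(line: str):
    # Constructed log format: "<pid> <process name> -> <host>:<port>"
    pid_str, rest = line.split(" ", 1)
    process, dest = rest.rsplit(" -> ", 1)
    host = dest.rsplit(":", 1)[0]
    return int(pid_str), process, host.lower()


def find_unexpected_cloud_traffic(lines):
    """Return Findings for cloud-storage API traffic from non-allowlisted processes."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or " -> " not in line:
            continue  # skip blanks and lines in another format
        pid, process, host = parse_line(line)
        provider = PROVIDER_HOSTS.get(host)
        if provider and process not in EXPECTED_PROCESSES:
            findings.append(Finding(pid, process, host, provider))
    return findings


# Constructed sample: two expected clients, two processes that should not be here.
SAMPLE_LOG = """
412 Dropbox -> api.dropboxapi.com:443
977 Safari -> cloud-api.yandex.net:443
1188 updatehelper -> api.pcloud.com:443
1201 com.example.agent -> content.dropboxapi.com:443
"""

if __name__ == "__main__":
    for f in find_unexpected_cloud_traffic(SAMPLE_LOG.splitlines()):
        print(f"pid {f.pid} {f.process!r} -> {f.host} ({f.provider})")
```

Real deployments would source the process-to-destination pairs from an EDR or network monitor rather than a text log, and the allowlist would need tuning per fleet.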

It’s unclear how the malware is able to defeat macOS defenses, as ESET says that it doesn’t use any undisclosed vulnerabilities.

9to5Mac’s Take on CloudMensis

The fact that the spyware is seemingly being used in a targeted fashion means that most Mac owners don’t need to worry about falling victim to it. All the same, it is worrying that CloudMensis is able to remotely circumvent security measures within macOS without exploiting a zero-day vulnerability.

It’s always worth following some simple cybersecurity precautions. Most especially, never open attachments you aren’t expecting, even if they appear to be from a known contact, and only ever download software from the Mac App Store or the websites of developers you trust.
