A newly uncovered malware designed to target Macs has been effective in obtaining access to systems and stealing sensitive data.
The discovery was detailed by internet security company ESET, which named the malware CloudMensis because of its reliance on cloud storage services.
As reported by Bleeping Computer and PCMag, the malware can successfully take screenshots of a user’s system without their knowledge, in addition to registering keystrokes, taking files and documents (even from removable storage devices), and listing emailing messages and attachments.
CloudMensis was originally detected by ESET in April 2022. It makes use of pCloud, Yandex Disk, and Dropbox in order to execute command-and-control (C2) communication.
The malware is fairly advanced in the sense that it provides the ability to carry out numerous malicious commands, such as viewing running processes, “running shell commands and uploading the output to cloud storage,” and downloading and opening arbitrary files.
While CloudMensis has now been uncovered, the identity of those behind the malware attack remains unknown.
“We still do not know how CloudMensis is initially distributed and who the targets are,” ESET researcher Marc-Etienne Léveillé said. “The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”
ESET’s analysis reveals that the threat actors managed to infiltrate their first Mac target on February 4, 2022. Interestingly, CloudMensis has only been used a handful of times to infect a target. Furthermore, the Objective-C coding abilities from the hackers reveals they’re not well-versed in the MacOS platform, according to Bleeping Computer.
When ESET examined the cloud storage addresses that CloudMensis was associated with, the corresponding metadata from the cloud drives revealed “there were at most 51 victims” from February 4 until April, 2022.
Once the malware is executed on the Mac system, CloudMensis is then able to completely evade Apple’s MacOS Transparency Consent and Control (TCC) system without being detected. This feature alerts users to a window where they’ll need to grant specific permission for apps that perform screen captures or monitor keyboard events.
By avoiding TCC, CloudMensis can subsequently view the Macs’ screens and associated activity, as well as scan removable storage devices.
In any case, the malware is clearly more on the sophisticated end if it can bypass Mac’s own security measures with such relative ease. And it’s not just Macs that are exposed — PCMag highlights how the malware’s computing code confirms it can also infiltrate Intel-powered systems.
“CloudMensis is a threat to Mac users, but its very limited distribution suggests that it is used as part of a targeted operation,” ESET said. “At the same time, no undisclosed vulnerabilities (zero-days) were found to be used by this group during our research. Thus, running an up-to-date Mac is recommended to avoid, at least, the mitigation bypasses.”
If you own a Mac and want to check for viruses and malware, then be sure to head over to our guide explaining how to do so.