A Stealthy New Threat for Macs
Researchers at the Slovakia-based security group announced their findings Tuesday, naming the new malware CloudMensis as its operators control it exclusively via cloud storage service. The campaign has been active since Feb. 4, 2022, and has claimed at least 51 victims so far. ESET said that the malware is capable of stealing personal data from Mac users that have not had sufficient software updates. According to ESET researcher Marc-Etienne M.Léveillé, CloudMensis can affect both Apple and Intel-chip-based Macs. However, ESET still does not know how the backdoor malware initially compromises victims. For instance, CloudMensis does not use a clickable link like typical RATs and keyloggers tend to do. This could be via a phishing email, SMS or other messaging services to lure the victim into downloading the malicious file. “We still do not know how CloudMensis is initially distributed and who the targets are,” Léveillé said in its press release. “The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.” Suggesting the campaign was a targeted operation, ESET specialists said that the malware is extremely limited in its distribution, although it is extremely stealthy.
39 Ways to Pillage Data
Once CloudMensis passes the first stage of infiltration and gains administrative control, it enacts a “more featureful second stage from a cloud storage service,” ESET said. At this point, the full malware suite is downloaded to the user’s computer. This suite of controls is run by a remote cybercriminal Command & Control (CnC) operator via cloud services used by the malware author. The cloud services found to be harboring CloudMensis are the immensely popular and widely used pCloud, Yandex and Dropbox. Further analysis by ESET indicated that the CloudMensis can bypass Apple’s TCC (Transparency, Consent, and Control) system which blocks external access to cameras, microphones, keyboard activity, and screen captures. A total of 39 different commands were found in the malware’s infiltration arsenal, including features for stealing documents, screenshots, messages, emails, and a plethora of other sensitive data specifically from Mac computers. ESET discovered the strings “Leonwork” and “BaD” in the spy agent’s components. The latter is possibly the name of the project, ESET said.
Stay Up-to-Date, Enable Lockdown Mode in Future
The malware also leverages multiple macOS vulnerabilities found in older versions of the operating system to do its job. ESET found that the malware tries to abuse four vulnerabilities that Apple patched in 2017, indicating that perhaps the malware has been around for years. Though it appears the distribution of the threat is very limited at this time, and perhaps CloudMensis was custom-made to infiltrate specific targets of interest, there are still security precautions Mac users can take. To protect yourself from CloudMensis, ensure that you have updated your Mac to the latest operating system version. Secondly, the ESET reports recommend users look into “Lockdown Mode.” This mode disables many features frequently utilized by cybercriminals to bypass system protection and successfully deploy their malware. Lockdown Mode is not yet available but should launch this fall together with iOS16, iPadOS 16, and macOS Ventura. Finally, you may like to arm yourself with cybersecurity knowledge via our article about the different types of spyware that are out there and check out our full guide to cyber hygiene to optimally protect yourself from malicious processes such as CloudMensis.
