A newly discovered macOS malware has been spying (opens in new tab) on users, and using the public cloud as its command & control (C2) server.
According to researchers from ESET, the goal of the campaign is to exfiltrate as much data from the targets as possible. That includes documents, email messages and attachments, as well as file lists from removable storage. What’s more, the spyware is capable of logging keystrokes and grabbing screenshots.
Dubbing it CloudMensis, the ESET team further added that its relatively limited distribution suggests a targeted operation, rather than a widespread attack. The attackers, whose identities are yet unknown, did not leverage any zero-day vulnerability for their campaign, leading the researchers to conclude that macOS users whose endpoints (opens in new tab) are up-to-date, should be safe.
Dozens of commands
“We still do not know how CloudMensis is initially distributed and who the targets are. The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets,” explains ESET researcher Marc-Etienne Léveillé.
CloudMensis is a multi-stage campaign, the researchers added. First, the malware would seek the ability to execute code, as well as administrative privileges. After that, it would run a dropper that would pull a more potent second-stage malware from cloud storage.
In total, the second-stage malware has 39 commands, including data exfiltration, screenshot grabbing, and similar.
To communicate with the malware, the attackers are using three different public cloud providers: pCloud, Yandex Disk, and Dropbox. The campaign kicked off in early February 2022.
According to ESET, Apple has acknowledged the presence of spyware that targets its users, and is preparing mitigation measures in the form of Lockdown Mode for iOS, iPadOS, and macOS. This tool would disable features that threat actors usually exploit to gain code execution privileges on the target endpoint.