CloudMensis: Mac spyware is popular with cybercriminals. After DazzleSpy (January 2022) and Gimmick (March 2022), ESET researchers have uncovered a third high-risk piece of spyware. The previously unknown malware, dubbed CloudMensis by ESET, has been extensively spying on infected Apple computers since February 2022.
Documents and keystrokes are recorded, e-mail messages and attachments are saved, files are copied from removable media and screen recordings are made. Cloud storage services such as Dropbox, pCloud and Yandex Disk are of particular importance: they serve both as a communication medium between victim and attacker and as storage for further malware and the captured information.
Cloud storage services as the linchpin
Once CloudMensis is running and has gained administrative privileges, it downloads more feature-rich malware from an online storage service. This malicious code is equipped with a set of spying tools to gather information from the compromised Mac. The attackers' intent is clearly to steal documents, screenshots, email attachments, and other sensitive data.
CloudMensis uses cloud storage both to receive commands from its operators and to exfiltrate files. The spyware uses three different providers: pCloud, Yandex Disk and Dropbox.
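The defensive takeaway from the cloud-storage C2 channel described above is that traffic to storage-provider APIs from unexpected processes is worth alerting on. The following is an added detection example, not code from the ESET report: it parses constructed per-process connection telemetry and flags processes other than the known clients that reach the assumed API hostnames of the three providers named above (the hostnames, the log format and the allow-list are assumptions to tune for your own environment).

```python
import re

# Assumed API hostnames for the three providers named in the report.
# Illustrative only; confirm against your own telemetry before deploying.
STORAGE_API_HOSTS = {
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "api.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
}

# Processes expected to talk to these services (assumption; tune per fleet).
ALLOWED_CLIENTS = {"Dropbox", "pCloud Drive", "Yandex.Disk", "Safari", "Google Chrome"}

# Assumed telemetry format: "<timestamp> proc=<name> pid=<n> dst=<host>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>.+?) pid=(?P<pid>\d+) dst=(?P<host>[^:\s]+):(?P<port>\d+)$"
)

def parse_line(line):
    """Return the parsed fields of one telemetry line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_unexpected_cloud_clients(lines):
    """Return one (proc, pid, provider, host) tuple per distinct non-allow-listed
    process that contacted a cloud-storage API host; repeats are deduplicated."""
    seen, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the sweep
        provider = STORAGE_API_HOSTS.get(rec["host"].lower())
        if provider is None or rec["proc"] in ALLOWED_CLIENTS:
            continue
        key = (rec["proc"], rec["pid"], provider)
        if key not in seen:
            seen.add(key)
            alerts.append((rec["proc"], int(rec["pid"]), provider, rec["host"]))
    return alerts

# Constructed sample telemetry (hypothetical process names, not from a real incident).
SAMPLE_LOG = """\
2022-07-19T10:01:02Z proc=Dropbox pid=512 dst=api.dropboxapi.com:443
2022-07-19T10:01:05Z proc=Safari pid=640 dst=cloud-api.yandex.net:443
2022-07-19T10:02:11Z proc=updater_helper pid=901 dst=api.pcloud.com:443
2022-07-19T10:02:13Z proc=updater_helper pid=901 dst=api.pcloud.com:443
2022-07-19T10:03:40Z proc=com.example.agent pid=1337 dst=cloud-api.yandex.net:443
2022-07-19T10:04:00Z proc=curl pid=1400 dst=example.org:443
this line is deliberately malformed""".splitlines()

if __name__ == "__main__":
    for proc, pid, provider, host in find_unexpected_cloud_clients(SAMPLE_LOG):
        print(f"ALERT: {proc} (pid {pid}) contacted {provider} API host {host}")
```

Hits on a developer's scripted backup job will appear too, so pair the allow-list with a review step before turning this into a blocking rule.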
The limited distribution of CloudMensis suggests that the spyware is deployed as part of a targeted operation. According to ESET researchers, the operators of this malware family only use CloudMensis for very specific and lucrative purposes. The exploitation of vulnerabilities to bypass macOS defenses shows that the malware operators are actively trying to maximize the success of their espionage operations. Although the investigation did not find any previously undisclosed vulnerabilities (zero days), the use of known, already patched vulnerabilities was confirmed. One of them is CVE-2020-9934, which can be used to bypass Apple's own System Integrity Protection (SIP). ESET researchers therefore recommend running a Mac with the latest operating system version so that such bypasses of its security mechanisms are no longer possible.
Apple is aware of the spyware problem
At the end of November 2021, Apple indirectly admitted that its users could have a problem with spyware. The lawsuit against the Israeli technology company NSO Group suggests this conclusion: with it, Apple wants to prevent the surveillance of, and targeted attacks on, its own users by means of NSO's "Pegasus" spyware. In addition, Apple developers recently presented a new security feature called Lockdown Mode in a preview of the upcoming iOS 16, iPadOS 16 and macOS Ventura operating systems. It restricts those functions that are regularly abused to execute malicious code and spread malware.
“It is not yet entirely clear how CloudMensis was originally distributed and what the attackers are aiming for. The overall quality of the code and the lack of obfuscation suggest that the authors are neither very familiar nor very advanced with Mac development. Still, a lot of effort has been put into making CloudMensis a powerful spying tool. It definitely poses a threat to potential targets,” explains ESET researcher Marc-Etienne Léveillé, who analyzed CloudMensis.
More at ESET.com
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.