Without your knowledge, this macOS backdoor spies on you

Newly discovered macOS malware has been spying on users and using public cloud storage as its command and control server.

According to ESET researchers, the objective of the campaign is to collect as much information as possible from the targets. That includes documents, e-mail messages and attachments, as well as file listings from removable storage. The spyware is also capable of logging keystrokes and capturing screenshots.

The ESET team dubbed the malware CloudMensis, noting that its relatively limited distribution points to a targeted operation rather than an indiscriminate attack. The attackers, whose identity is still unknown, did not exploit any zero-day vulnerability in the campaign, leading the researchers to conclude that macOS users who keep their systems up to date should be protected.

Dozens of commands

"We are still unsure how CloudMensis is distributed in the beginning or who the targets are. The usual quality of the code and lack of obfuscation suggests the authors may not be very familiar with Mac development and are not very well-developed; nevertheless, it makes CloudMensis a powerful spying device and a threat to probable targets," according to ESET researcher Marc-Etienne Léveillé.

According to the researchers, CloudMensis is a multi-stage attack. First, the attackers obtain code execution and administrative privileges on the machine. They then run a dropper that retrieves a more capable second-stage malware from cloud storage.

The second-stage malware supports 39 commands, including data exfiltration, screenshot capture and more.

The attackers use three different public cloud storage providers, pCloud, Yandex Disk and Dropbox, to communicate with the malware. The campaign began in early February 2022.
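Because the malware's command channel rides on legitimate cloud storage services, blocking the providers outright is rarely an option; a more practical detection is to watch which processes talk to those providers' APIs and flag any that are not the providers' own clients or a browser. The script below is an added illustration of that idea and is not ESET's tooling or anything from the report: the log lines are constructed, the hostname fragments for the three providers and the allow-list of legitimate client process names are assumptions for the example, and it treats one unexpected process reaching more than one provider as higher severity.

```python
"""Flag processes that contact public cloud-storage APIs but are not the
providers' own client applications (added example; log data is constructed)."""
import re
from collections import defaultdict

# Assumed hostname fragments for the three providers named in the report.
CLOUD_STORAGE_HOSTS = {
    "pCloud": ("pcloud.com",),
    "Yandex Disk": ("yandex.net", "yandex.ru"),
    "Dropbox": ("dropboxapi.com", "dropbox.com"),
}

# Assumed allow-list of process names expected to talk to these services.
EXPECTED_CLIENTS = {"Dropbox", "pCloud", "Yandex.Disk", "Safari", "Google Chrome", "firefox"}

# Constructed log format: "<timestamp> proc=<name> pid=<n> dst=<host>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) dst=(?P<host>[^:\s]+):(?P<port>\d+)$"
)


def provider_for(host):
    """Return the provider name if host belongs to one of the watched services."""
    host = host.lower()
    for name, fragments in CLOUD_STORAGE_HOSTS.items():
        if any(host == frag or host.endswith("." + frag) for frag in fragments):
            return name
    return None


def analyze(lines):
    """Return findings for processes outside the allow-list that reach a watched provider.

    A process seen talking to more than one provider is rated 'high', since a
    single legitimate client normally speaks to only its own service.
    """
    contacts = defaultdict(set)  # (process, pid) -> set of providers contacted
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # malformed line; skip rather than crash the sweep
        provider = provider_for(match["host"])
        if provider is None or match["proc"] in EXPECTED_CLIENTS:
            continue
        contacts[(match["proc"], int(match["pid"]))].add(provider)

    findings = []
    for (proc, pid), providers in sorted(contacts.items()):
        findings.append({
            "process": proc,
            "pid": pid,
            "providers": sorted(providers),
            "severity": "high" if len(providers) > 1 else "medium",
        })
    return findings


# Constructed sample: one legitimate client per provider, a browser, and two
# unrelated helper processes reaching cloud-storage APIs.
SAMPLE_LOG = [
    "2022-02-11T09:14:02Z proc=Dropbox pid=512 dst=api.dropboxapi.com:443",
    "2022-02-11T09:14:05Z proc=Safari pid=600 dst=www.example.com:443",
    "2022-02-11T09:15:10Z proc=sysinfo_helper pid=731 dst=api.pcloud.com:443",
    "2022-02-11T09:15:12Z proc=sysinfo_helper pid=731 dst=cloud-api.yandex.net:443",
    "2022-02-11T09:16:40Z proc=Yandex.Disk pid=802 dst=cloud-api.yandex.net:443",
    "2022-02-11T09:17:03Z proc=updater pid=900 dst=content.dropboxapi.com:443",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['process']} (pid {finding['pid']}) "
              f"-> {', '.join(finding['providers'])}")
```

On the constructed sample this reports `sysinfo_helper` as high severity (it reaches both pCloud and Yandex Disk) and `updater` as medium (Dropbox only), while the legitimate clients and the browser produce nothing. In practice the allow-list should be built from the hosts' actual software inventory, and a hit is a lead for triage (check the binary's signature, launch agent, and parent process), not a verdict on its own.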

Apple has acknowledged the existence of spyware aimed at its users and is preparing mitigations in the form of a Lockdown Mode for iOS, iPadOS and macOS. This feature disables capabilities that threat actors commonly abuse to gain code execution on the target endpoint.
