Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

New ‘CloudMensis’ macOS Spyware Used in Targeted Attacks

Researchers at cybersecurity company ESET have analyzed a previously undocumented macOS malware that appears to have been used in targeted attacks to steal valuable information from compromised systems.

Researchers at cybersecurity company ESET have analyzed a previously undocumented macOS malware that appears to have been used in targeted attacks to steal valuable information from compromised systems.

The new malware, named CloudMensis, has been described by ESET as both a piece of spyware and a backdoor. Developed in Objective-C, the malware has been designed to target devices with Intel or Apple chips.

It’s unclear how the spyware is distributed, but it seems to have been involved in a relatively small number of attacks since February, which suggests that the malware has been used as part of a targeted operation, with threat actors deploying it only on the systems of certain victims.

On the other hand, CloudMensis leverages some Safari vulnerabilities discovered and patched in 2017, which suggests that the threat may have been around for several years. It’s worth noting that the malware does not appear to exploit any zero-day flaws.

The malware is deployed in a two-stage process after the attacker gains code execution and admin privileges on the system. The first-stage component is responsible for downloading and executing the main payload as a system-wide daemon.

Once deployed on a Mac, CloudMensis can collect a wide range of information, including documents, screenshots, and email attachments. The malware accepts 39 commands, including for listing running processes, running shell commands, and downloading and executing arbitrary files.

Its operators control the malware and exfiltrate data using cloud services such as pCloud, Yandex Disk and Dropbox.

In order to be able to capture the victim’s screen, log keyboard events and scan storage for interesting documents, the spyware attempts to bypass a system named TCC (Transparency, Consent and Control), which prompts the user when an application tries to access certain functions.

Advertisement. Scroll to continue reading.

According to ESET, CloudMensis uses two techniques to bypass TCC, including through the exploitation of a vulnerability discovered in 2020 (CVE-2020–9934).

“The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets,” ESET researchers said.

Apple is working on making it more difficult to attack its products. The tech giant recently announced an operating system Lockdown Mode that should provide extra protection to iOS, iPadOS and macOS users against state-sponsored mercenary spyware.

New macOS malware continues to emerge. Eight new malware families emerged in 2021, including ElectroRAT, SilverSparrow, XcodeSpy, ElectrumStealer, WildPressure, XLoader, ZuRu, and CDDS (aka MacMa).

Related: Repurposing Mac Malware Not Difficult, Researcher Shows

Related: Several New Mac Malware Families Attributed to North Korean Hackers

Related: New XcodeSpy Mac Malware Targets Software Developers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.