Stealthy CloudMensis Malware Spies on Macs and Lifts Files

CloudMensis is a previously unknown macOS backdoor discovered by ESET. The malware can be used to steal files from Mac users, log keystrokes and take screenshots.

A Stealthy New Threat for Macs

The new malware, named CloudMensis, was discovered by security researchers at ESET in Slovakia. Its operators communicate with it exclusively through cloud storage services. According to the metadata ESET recovered, the campaign has claimed 51 victims since February 4, 2022.

ESET stated that the malware can steal personal data from Mac users who are running outdated versions of macOS. Marc-Etienne M.Léveillé from ESET says that CloudMensis runs on both Intel-based Macs and Macs with Apple silicon.

ESET is still unsure how the backdoor reaches its victims: no lure document, dropper or malicious link was recovered alongside it, unlike the typical keylogger or RAT campaign. Distribution could happen through phishing emails, SMS or any other messaging service that tricks the victim into downloading a malicious file, but this has not been confirmed.

Léveillé stated in the press release that “we still don't know how CloudMensis was distributed initially and who the target is.” The general quality of the code, and the absence of any obfuscation, suggests that the authors are not very familiar with Mac development and are not especially advanced. Nonetheless, a lot of resources went into making CloudMensis a formidable spy tool against its intended targets.

ESET experts concluded that this is a targeted campaign: the malware's distribution is very limited, but it is highly stealthy.

There are 39 ways to pillage data

Once the initial infiltration succeeds (by a still unknown route) and the attacker has code execution with administrative privileges, a small first-stage component runs. ESET states that this first stage then downloads a second, more featureful stage from a cloud storage provider, so the entire spy suite is fetched onto the computer rather than shipped with the initial payload.

The malware author uses cloud services both to deliver the suite and to control it: CloudMensis was observed using the widely used cloud storage services pCloud and Yandex Disk as its command-and-control channel. ESET further found that CloudMensis can bypass Apple's TCC (Transparency, Consent and Control), the mechanism that gates application access to the microphone, camera, keyboard input monitoring and screen capture.
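Because CloudMensis works around TCC rather than asking the user for permission, the grants that do exist in the TCC database are worth auditing on any Mac you suspect. The script below is an added example (not ESET's code or anything from the CloudMensis sample) that flags allowed grants to sensitive TCC services from clients that are not on an operator-maintained allowlist. It assumes the macOS 11+ TCC.db schema (an `access` table with `service`, `client` and `auth_value` columns, where `auth_value` 2 means allowed); the allowlist entries and the rows in the constructed sample database are hypothetical.

```python
"""Audit a macOS TCC database for grants to sensitive services.

Added example, not code from ESET or from the CloudMensis sample. Assumes the
macOS 11+ TCC.db schema: table `access` with columns `service`, `client` and
`auth_value` (2 == allowed). On a real Mac, open
~/Library/Application Support/com.apple.TCC/TCC.db (per-user grants) or
/Library/Application Support/com.apple.TCC/TCC.db (system grants; reading it
needs a shell that itself has Full Disk Access).
"""
import sqlite3
import sys

# TCC services that matter most for a spy tool that records audio, video,
# keystrokes and screen content.
SENSITIVE_SERVICES = {
    "kTCCServiceMicrophone",
    "kTCCServiceCamera",
    "kTCCServiceScreenCapture",
    "kTCCServiceListenEvent",           # input (keyboard) monitoring
    "kTCCServiceAccessibility",
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
}

# Hypothetical allowlist of clients the operator has reviewed.
ALLOWLIST = {"com.apple.Terminal", "us.zoom.xos"}

AUTH_ALLOWED = 2  # auth_value meaning "allowed" on macOS 11+


def open_tcc_db(path):
    """Open an existing TCC.db read-only so the audit cannot modify it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def audit_tcc(conn):
    """Return sorted (client, service) pairs for allowed grants to sensitive
    services from clients that are not on the allowlist."""
    rows = conn.execute(
        "SELECT service, client, auth_value FROM access"
    ).fetchall()
    findings = [
        (client, service)
        for service, client, auth_value in rows
        if service in SENSITIVE_SERVICES
        and auth_value == AUTH_ALLOWED
        and client not in ALLOWLIST
    ]
    return sorted(findings)


def build_sample_db():
    """Constructed in-memory TCC-like database so the example runs offline.
    The clients and paths below are made up for illustration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?)",
        [
            ("kTCCServiceScreenCapture", "com.apple.Terminal", 2),     # allowlisted
            ("kTCCServiceScreenCapture", "/Users/Shared/.hidden/agent", 2),  # flag
            ("kTCCServiceListenEvent", "com.example.updater", 2),      # flag
            ("kTCCServiceMicrophone", "com.example.updater", 0),       # denied
            ("kTCCServiceReminders", "com.example.calendar", 2),       # not sensitive
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = open_tcc_db(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for client, service in audit_tcc(db):
        print(f"REVIEW: {client} is allowed {service}")
```

Run it with no arguments to exercise the constructed sample, or pass the path of a copied TCC.db. Two caveats: an allowed grant from an unfamiliar client is a lead to investigate, not proof of compromise, and a TCC bypass like the one ESET describes may never write a grant into the genuine database at all, so a clean audit does not prove the machine is uninfected.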

The spy agent supports 39 commands. These include commands to steal documents, screenshots, messages and email from the Mac, along with others that harvest further sensitive information. ESET found the strings “Leonwork” and “BaD” in the spy agent's components and suggested that the latter might be the project's name.

Keep up-to-date and enable lockdown mode in the future

To do its work, the malware relies on known macOS vulnerabilities that Apple has already patched in current releases; ESET found no zero-day exploits. ESET also found that the malware tries to exploit four Apple vulnerabilities dating from 2017, which suggests it may have been in circulation for years.

Although its distribution appears limited and CloudMensis seems to have been built for specific targets, Mac users still have security measures they can take.

The first defence against CloudMensis is to keep macOS updated to the most recent version, since the vulnerabilities it exploits are already fixed there. ESET also recommends that users at particular risk look into Lockdown Mode, which disables many of the features attackers use to exploit the system and deploy malware. Lockdown Mode has not been released yet; it is due this fall along with iOS 16 and macOS Ventura.

You may also want to be well-informed about cybersecurity. Read our article on the various types of spyware and our complete guide to cyber hygiene.
