Did you know that the macOS backdoor is spying on you? Users have been the target of recently found macOS malware. It uses the public cloud as its command and control (C2) server to snoop on them.
Researchers from ESET said that the campaign’s objective is to steal as much data as possible from its targets. Documents, emails, and their attachments are included, as file lists from portable storage. Additionally, the spyware has the ability to take screenshots and record keystrokes.
The ESET team identified it as CloudMensis. They said that its relatively small dissemination points to a targeted operation rather than a general assault. The researchers came to the conclusion that macOS users with updated endpoints should be safe because the attackers, whose identities are still unknown, did not employ any zero-day vulnerabilities in their campaign.
MacOS backdoor is spying on you: plenty of commands
“We still don’t know who the targets are or how CloudMensis is initially delivered. The writers may not be extremely experienced in Mac development as seen by the generally high caliber of the code and lack of obfuscation. Nevertheless, significant effort was made to make CloudMensis an effective surveillance tool and a threat to possible targets, according to Marc-Etienne Léveillé, an ESET researcher.
The researchers also noted that CloudMensis is a multi-stage strategy. The malware would initially look for administrative rights and the capacity to run code. It would then launch a dropper that would retrieve a second-stage malware that was more powerful from cloud storage.
The second-stage virus comprises 39 commands in all, including ones for screenshot capture and data exfiltration.
The attackers use three separate public cloud service providers—pCloud, Yandex Disk, and Dropbox—to connect with the virus. Beginning in early February 2022, the campaign began.
ESET claims that Apple has acknowledged the existence of malware that targets its customers and is putting Lockdown Mode for iOS, iPad, and macOS together as a mitigating strategy. This program would deactivate functions that threat actors typically use to obtain access to the target endpoint’s code execution capabilities.
Leave a Reply