Security News > 2022 > July > Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users

The malware, codenamed CloudMensis by Slovak cybersecurity firm ESET, is said to exclusively use public cloud storage services such as pCloud, Yandex Disk, and Dropbox for receiving attacker commands and exfiltrating files.

"Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures," ESET researcher Marc-Etienne M.Léveillé said in a report published today.

CloudMensis, written in Objective-C, was first discovered in April 2022 and is designed to strike both Intel and Apple silicon architectures.

The attack chain spotted by ESET abuses code execution and administrative privileges to launch a first-stage payload that's utilized to fetch and execute a second-stage malware hosted on pCloud, which, in turn, exfiltrates documents, screenshots, and email attachments, among others.

The first-stage downloader is also known to erase traces of Safari sandbox escape and privilege escalation exploits that make use of four now-resolved security flaws in 2017, suggesting that CloudMensis may have flown under the radar for many years.

Other functions supported by the backdoor include getting the list of running processes, capturing screenshots, listing files from removable storage devices, and running shell commands and other arbitrary payloads.

News URL

https://thehackernews.com/2022/07/experts-uncover-new-cloudmensis-spyware.html