
New CloudMensis malware backdoors Macs to steal victims’ data
2022-07-19 09:30

ESET researchers first spotted the new malware in April 2022 and named it CloudMensis because it uses pCloud, Yandex Disk, and Dropbox public cloud storage services for command-and-control communication.

CloudMensis' capabilities clearly show that its operators' main goal is to collect sensitive information from infected Macs through various means.

Based on ESET's analysis, the attackers infected the first Mac with CloudMensis on February 4, 2022.

After being deployed on a Mac, CloudMensis can also bypass the macOS Transparency, Consent, and Control (TCC) system, which prompts the user to grant apps permission to take screen captures or monitor keyboard events.

If System Integrity Protection (SIP) is disabled on the system, CloudMensis grants itself those permissions by adding new rules directly to the TCC.db database.

"If SIP is enabled but the Mac is running any version of macOS Catalina earlier than 10.15.6, CloudMensis will exploit a vulnerability to make the TCC daemon load a database CloudMensis can write to."
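As an added defender-side example (not from the article or from ESET's research), the check below audits a TCC access table for screen-capture or keyboard-monitoring grants to clients outside an allowlist, which is what a directly injected rule of the kind described above would leave behind. It runs against a constructed in-memory copy of the table with a simplified schema; the sample rows, the client path and the allowlist are assumptions.

```python
import sqlite3

# Real macOS TCC service identifiers for the two capabilities the article names:
# screen capture and keyboard-event monitoring.
SENSITIVE_SERVICES = ("kTCCServiceScreenCapture", "kTCCServiceListenEvent")

# auth_value as used on Big Sur and later: 0 = denied, 2 = allowed.
# (Assumption: older macOS versions used a boolean "allowed" column instead.)
ALLOWED = 2


def build_sample_tcc_db():
    """Constructed in-memory stand-in for TCC.db; only the columns this check
    needs are modelled (assumption: the real 'access' table has more columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)"
    )
    rows = [
        # grant the user made through the normal consent prompt (constructed)
        ("kTCCServiceScreenCapture", "us.zoom.xos", 0, ALLOWED, 2, 1650000000),
        # a denied request; not interesting for this audit (constructed)
        ("kTCCServiceListenEvent", "com.example.editor", 0, 0, 3, 1650000100),
        # rows written straight into the database for an unsigned binary,
        # identified by absolute path (client_type 1) rather than a bundle id
        ("kTCCServiceScreenCapture", "/private/tmp/CONSTRUCTED-agent", 1, ALLOWED, 2, 1650000200),
        ("kTCCServiceListenEvent", "/private/tmp/CONSTRUCTED-agent", 1, ALLOWED, 2, 1650000200),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def find_suspicious_grants(conn, allowlist):
    """Return sorted (service, client) pairs where a sensitive service is
    allowed for a client that is not on the organisation's allowlist."""
    marks = ",".join("?" * len(SENSITIVE_SERVICES))
    cur = conn.execute(
        f"SELECT service, client FROM access WHERE auth_value = ? AND service IN ({marks})",
        (ALLOWED, *SENSITIVE_SERVICES),
    )
    return sorted((svc, client) for svc, client in cur if client not in allowlist)


def audit_sample():
    """Run the check over the constructed table with an assumed allowlist."""
    return find_suspicious_grants(build_sample_tcc_db(), allowlist={"us.zoom.xos"})
```

On a live system the same query can be run with `sqlite3` against the user and system TCC.db files, and any hit should be compared with the SIP status reported by `csrutil status`.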
News URL

https://www.bleepingcomputer.com/news/security/new-cloudmensis-malware-backdoors-macs-to-steal-victims-data/