
CloudMensis backdoor spies on users of compromised Macs
2022-07-21 07:51

ESET researchers discovered CloudMensis, a macOS backdoor that spies on users of compromised Macs and uses public cloud storage services to communicate back and forth with its operators.

Outline of how CloudMensis uses cloud storage services.

CloudMensis is a threat to Mac users, but its very limited distribution suggests that it is used as part of a targeted operation.

"We still do not know how CloudMensis is initially distributed and who the targets are. The general quality of the code and lack of obfuscation show the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets," explains ESET researcher Marc-Etienne Léveillé, who analyzed CloudMensis.

Once CloudMensis gains code execution and administrative privileges, it runs a first-stage malware that retrieves a more featureful second stage from a cloud storage service.

CloudMensis uses cloud storage both for receiving commands from its operators and for exfiltrating files.
News URL

https://www.helpnetsecurity.com/2022/07/21/cloudmensis-backdoor-macs/