Spyware that targets Apple’s macOS operating system to steal sensitive data has been uncovered by security researchers. Cybercriminals are using the malware, ‘CloudMensis’, to conduct attacks on Mac users, they said.
Uncovered by security company ESET, CloudMensis has been deployed by criminals over the past few months against Apple devices. “Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes and screen captures,” Mars-Etienne Léveillé, a researcher at ESET, explained in a report published today.
How CloudMensis infects macOS
The ESET team has not ascertained how the CloudMensis initially infects systems, but once it has done so, it communicates with multiple cloud servers to download other components of the malware. In the sample analysed by the company, it pulled in files from Dropbox, pCloud, and Russian cloud service Yandex Disk.
CloudMensis can bypass the macOS Transparency Consent and Control (TCC) system which is supposed to mitigate against this kind of attack. TCCs are used to block macOS apps from accessing user data. If bypassed the cybercriminal can change the privacy settings for apps on the device, take screenshots or monitor keyboard activities without the user’s knowledge.
The vulnerability through which these TCCs can be bypassed is CVE-2020-9930, a two-year-old exploit for which a patch is available here. “Usage of vulnerabilities to work around macOS mitigations shows that the malware operators are actively trying to maximize the success of their spying operation,” the report says. “At the same time, no undisclosed vulnerabilities (zero days) were found to be used by this group during our research. Thus, running an up-to-date Mac is recommended to avoid, at least, the mitigation bypasses.”
The malware comes with the support of numerous commands that can all exfiltrate data from the macOS by accessing documents and removeable storage, taking screenshots and logging keystrokes.
What is CloudMensis being used for?
The first attack using the malware was logged on February 4, but known instances of attacks since then have been scarce.
“We still do not know how CloudMensis is initially distributed and who the targets are,” Léveillé adds. “The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not very advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”
Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.