This creepy macOS backdoor spies on you without you noticing

Potent macOS spyware grabs screenshots and logs keys


A newly discovered macOS malware has been spying on users while using public cloud storage as its command and control (C2) channel.

According to researchers from ESET, the goal of the campaign is to exfiltrate as much data from the targets as possible. That includes documents, email messages and attachments, as well as file lists from removable storage. What’s more, the spyware is capable of logging keystrokes and grabbing screenshots.

Dubbing it CloudMensis, the ESET team added that its relatively limited distribution suggests a targeted operation rather than a widespread attack. The attackers, whose identities are still unknown, did not use any zero-day vulnerability in the campaign, which led the researchers to conclude that macOS users whose endpoints are fully up to date should be protected.

Dozens of commands

“We still do not know how CloudMensis is initially distributed and who the targets are. The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets,” explains ESET researcher Marc-Etienne Léveillé.

CloudMensis is a multi-stage campaign, the researchers added. First, the attackers obtain code execution and administrative privileges on the target. The first stage then acts as a dropper, pulling a more capable second-stage payload from cloud storage.

In total, the second-stage malware supports 39 commands, including data exfiltration and screenshot capture.


To communicate with the malware, the attackers are using three different public cloud providers: pCloud, Yandex Disk, and Dropbox. The campaign kicked off in early February 2022.
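Because the C2 traffic goes to legitimate cloud-storage providers, the destination alone is a weak signal; what stands out is an unexpected process talking to those APIs. The following is an added example (not code from the article, from ESET, or from CloudMensis itself) that runs that check over constructed macOS network telemetry. The API hostnames, the client process names on the allow-list, the log format and the sample lines are all assumptions for illustration and should be replaced with values from your own DNS, proxy or EDR data.

```python
"""Flag cloud-storage API traffic from processes that are not the provider's own client.

Added example, not ESET's or CloudMensis' code. The idea: pCloud, Yandex Disk
and Dropbox endpoints are legitimate, so the detection key is the *process*
that contacts them, not the hostname. Hostnames, client names, log format and
sample lines are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Assumed API hostnames per provider (verify against your own telemetry).
PROVIDER_HOSTS = {
    "pcloud": ("api.pcloud.com", "eapi.pcloud.com"),
    "yandex_disk": ("cloud-api.yandex.net",),
    "dropbox": ("api.dropboxapi.com", "content.dropboxapi.com"),
}

# Assumed process names of the official desktop clients (allow-list).
EXPECTED_CLIENTS = {
    "pcloud": {"pCloud Drive"},
    "yandex_disk": {"Yandex.Disk"},
    "dropbox": {"Dropbox"},
}

# Assumed one-line-per-connection log format: "<ts> uid=<n> proc=<name> host=<fqdn>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) proc=(?P<proc>.+?) host=(?P<host>\S+)$"
)


@dataclass
class Finding:
    ts: str
    proc: str
    host: str
    provider: str


def provider_for(host: str):
    """Map a hostname (or a subdomain of a known API host) to a provider key."""
    for provider, hosts in PROVIDER_HOSTS.items():
        if host in hosts or any(host.endswith("." + h) for h in hosts):
            return provider
    return None


def find_unexpected_cloud_clients(lines):
    """Return connections to a cloud-storage API made by a non-allow-listed process."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or unparsable line
        provider = provider_for(m["host"])
        if provider is None:
            continue  # not a cloud-storage API we track
        if m["proc"] not in EXPECTED_CLIENTS[provider]:
            findings.append(Finding(m["ts"], m["proc"], m["host"], provider))
    return findings


# Constructed sample telemetry; process names are invented, not real CloudMensis artifacts.
SAMPLE_LOG = """
2022-02-04T10:01:12Z uid=501 proc=Dropbox host=api.dropboxapi.com
2022-02-04T10:03:45Z uid=501 proc=Safari host=www.example.com
2022-02-04T10:05:02Z uid=501 proc=updater_helper host=api.pcloud.com
2022-02-04T10:05:09Z uid=501 proc=pCloud Drive host=eapi.pcloud.com
2022-02-04T10:07:30Z uid=501 proc=com.example.agent host=cloud-api.yandex.net
"""

if __name__ == "__main__":
    for f in find_unexpected_cloud_clients(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.proc!r} -> {f.host} ({f.provider}) is not an expected client")
```

On the sample above the two flagged lines are the pCloud request from `updater_helper` and the Yandex Disk request from `com.example.agent`; the official Dropbox and pCloud clients pass. An allow-list by process name is easy to evade by a malware that renames itself, so in practice pair it with code-signing identity or binary path from your EDR rather than the bare name.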


According to ESET, Apple has acknowledged the presence of spyware targeting its users and is preparing a mitigation in the form of Lockdown Mode for iOS, iPadOS, and macOS. Lockdown Mode disables features that threat actors commonly abuse to gain code execution on a target endpoint.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
