New MacOS Backdoor Communicates Via Public Cloud

Written by

Security researchers have found a new macOS backdoor being used in targeted attacks to steal sensitive information from victims.

The threat has been named “CloudMensis” by ESET because it exclusively uses public cloud storage services to communicate with its operators. Specifically, it leverages pCloud, Yandex Disk and Dropbox to receive commands and exfiltrate files, according to the security vendor.

“We still do not know how CloudMensis is initially distributed and who the targets are,” explained ESET researcher Marc-Etienne Léveillé, who analyzed the backdoor.

“The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”

These targets are said to be fairly limited. Once the backdoor gains code execution and administrative privileges, it runs first-stage malware which in turn retrieves a more feature-rich second stage from a cloud storage service, ESET said.

This larger, second component can issue 39 commands including document exfiltration, taking screenshots, and lifting email attachments and other sensitive data.

Metadata obtained from the three impacted cloud storage services indicates that commands began to be issued to victim machines on February 4 2022.

Although the threat actors behind this campaign are exploiting vulnerabilities to circumvent macOS mitigations, ESET didn’t find any zero-days during its research. System administrators were therefore urged to ensure any corporate Macs are running an up-to-date OS to help mitigate the threat.

Just last week, Apple seemed to acknowledge the problem of spyware targeting its users when it announced a new set of features dubbed “Lockdown Mode.”

Designed to harden the devices and machines of at-risk users, the features will reduce the attack surface by limiting specific functionality such as mobile device management, just-in-time JavaScript compilation and incoming invitations and service requests.

What’s hot on Infosecurity Magazine?