New Mac Malware Is Attacking Mac Users

A nasty piece of Mac malware is actively being used in the wild to steal personal information from Macs. According to security experts, the CloudMensis malware enables an attacker to download data, log keystrokes, take screenshots, and perform other actions. It can also list email messages, attachments, and files on removable storage media (such as pen drives and external drives).

According to cybersecurity company ESET, the spyware has been in use since February 2022 and seems to be targeting a particular group of people.

A previously unknown macOS backdoor has been discovered that is currently being used in the wild to spy on users of compromised Macs.

First discovered by researchers at the cybersecurity firm ESET, the new malware has been dubbed CloudMensis. Its capabilities show that its creators designed it to gather information from victims’ Macs: according to ESET, the malware can exfiltrate documents and keystrokes, list email messages and attachments, list files on removable storage, and capture the screen.

While CloudMensis is certainly a threat to Mac users, its very limited distribution suggests that it is meant to be used as part of a targeted operation. Based on what ESET’s researchers have observed so far, the cybercriminals responsible deploy the malware against specific users who are of interest to them.

“We still do not know how CloudMensis is initially distributed and who the targets are. The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”

Tom’s Guide reports.

Malware frequently “calls home” to receive commands and download more malware onto the Mac, but this typically involves connecting to a private server controlled by the attacker. CloudMensis is unusual in that it uses cloud storage providers for this instead.

After gaining code execution and administrative privileges on a compromised Mac, it runs a first-stage malware that retrieves a second stage with additional features from a cloud storage service, according to ESET.

The second stage is a much larger component packed with features for collecting information from the compromised Mac. There are currently 39 commands available, and CloudMensis’ second stage is intended to exfiltrate documents, screenshots, email attachments and other information from victims.

CloudMensis uses cloud storage to both receive commands from its operators and to exfiltrate files. Currently, it supports three different providers: pCloud, Yandex Disk and Dropbox.
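Because the malware talks to ordinary cloud storage providers rather than a dedicated attacker server, blocking by destination alone does not help; what stands out is which process is doing the talking. The script below is an added illustration written for this post, not code from ESET or from the malware, and it assumes a simple outbound-connection log format and a set of cloud-storage API hostnames (api.pcloud.com, api.dropboxapi.com, cloud-api.yandex.net) that are used here only as examples. It flags any process that contacts one of the three providers named above but is neither that provider’s own sync client nor a web browser. The log lines are constructed for the example.

```python
"""Flag unexpected processes contacting cloud-storage APIs.

Added example for this post; not ESET's tooling. The log format,
the hostname suffixes and the expected-client names are assumptions
chosen for illustration, and the sample log is constructed.
"""
import re
from collections import defaultdict

# Hostname suffix -> (provider name, process names expected to use it).
# Assumed values; adjust to what your own environment actually runs.
PROVIDERS = {
    "pcloud.com": ("pCloud", {"pCloud Drive"}),
    "dropbox.com": ("Dropbox", {"Dropbox"}),
    "dropboxapi.com": ("Dropbox", {"Dropbox"}),
    "yandex.net": ("Yandex Disk", {"Yandex.Disk"}),
}
# Browsers legitimately reach these providers' web front-ends (assumed list).
BROWSERS = {"Safari", "Google Chrome", "firefox"}

# Constructed log, loosely modelled on an outbound-connection monitor:
#   <timestamp> pid=<n> proc="<name>" user=<u> dst=<host>:<port>
SAMPLE_LOG = """\
2022-07-20T09:14:02Z pid=412 proc="Dropbox" user=alice dst=api.dropboxapi.com:443
2022-07-20T09:14:05Z pid=233 proc="Safari" user=alice dst=www.dropbox.com:443
2022-07-20T09:15:31Z pid=7781 proc="updatehelper" user=root dst=api.pcloud.com:443
2022-07-20T09:15:33Z pid=7781 proc="updatehelper" user=root dst=api.pcloud.com:443
2022-07-20T09:16:10Z pid=7781 proc="updatehelper" user=root dst=cloud-api.yandex.net:443
2022-07-20T09:17:00Z pid=900 proc="Mail" user=alice dst=imap.example.com:993
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) proc="(?P<proc>[^"]+)" '
    r'user=(?P<user>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+)$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def provider_for(host):
    """Return (suffix, provider, expected_clients) if host belongs to a
    monitored provider, else None. Matches the suffix itself or any subdomain."""
    host = host.lower()
    for suffix, (name, clients) in PROVIDERS.items():
        if host == suffix or host.endswith("." + suffix):
            return suffix, name, clients
    return None


def find_suspicious(log_text):
    """Return [(pid, proc, user, sorted providers, connection count)] for every
    process that reached a cloud-storage provider without being that provider's
    client or a browser. One entry per pid, ordered by pid."""
    hits = defaultdict(lambda: {"proc": None, "user": None, "providers": set(), "count": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:          # unparseable line: skip rather than crash
            continue
        match = provider_for(rec["host"])
        if match is None:        # not a monitored provider
            continue
        _suffix, name, clients = match
        if rec["proc"] in clients or rec["proc"] in BROWSERS:
            continue             # expected traffic
        entry = hits[int(rec["pid"])]
        entry["proc"] = rec["proc"]
        entry["user"] = rec["user"]
        entry["providers"].add(name)
        entry["count"] += 1
    return [
        (pid, v["proc"], v["user"], sorted(v["providers"]), v["count"])
        for pid, v in sorted(hits.items())
    ]


if __name__ == "__main__":
    for pid, proc, user, providers, count in find_suspicious(SAMPLE_LOG):
        print(f"pid {pid} ({proc}, user {user}) -> {', '.join(providers)}: {count} connection(s)")
```

A real deployment would feed this from whatever records per-process network connections on the Mac and would tune the expected-client list to the software actually installed; the point is that the destination is benign-looking by design, so the process name and user (here a root-owned process nobody installed a sync client for) carry the signal.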

KissMyMac’s Opinion on Mac Malware – CloudMensis

Most Mac users don’t have to worry about becoming a victim of this malware, because it appears to be deployed in a targeted manner. It is concerning, however, that CloudMensis is able to remotely bypass security precautions in macOS without using a zero-day flaw.

It’s always worthwhile to take a few straightforward cybersecurity safeguards. Most importantly, only ever download software from the Mac App Store or the websites of developers you trust. Never open attachments you weren’t expecting, even if they seem to come from a known contact. According to the ESET researchers, keeping your Mac up to date is another effective countermeasure against this threat.

Image Source: Unsplash / Arget