A new macOS backdoor is making the rounds in the wild in targeted attacks aimed at stealing sensitive information.
CloudMensis macOS Backdoor: What’s Known So Far
The backdoor, called CloudMensis, exclusively uses public cloud storage services to communicate with the threat actors. According to ESET researchers, the malware uses pCloud, Yandex Disk and Dropbox to receive commands and exfiltrate information. The methods used to spread the backdoor are still unknown, as are the specific targets.
The malware does not appear to be especially sophisticated and lacks meaningful obfuscation. However, the malware authors were still able to create “a powerful spying tool and a menace to potential targets.”
Once the attackers have gained code execution and administrative rights on an infected system, they deploy the first-stage malware payload. The second payload has more features: it runs from a cloud storage service and can execute 39 commands, such as exfiltrating documents, taking screenshots, and stealing email attachments. According to metadata, CloudMensis was released in the wild on February 4, 2022.
The malware authors exploited some macOS vulnerabilities on targeted systems, but it seems that no zero-days were abused. Corporate Mac machines should be fully patched to avoid compromise.
Another example of a recently disclosed Mac backdoor is SysJoker. When initially discovered, the multi-platform malware (which also targets Linux and Windows systems) was not detected by any of the security engines on VirusTotal, making it extremely dangerous. SysJoker was discovered by Intezer researchers during an active attack on a Linux-based web server belonging to a leading educational institution.