Potent macOS spyware grabs screenshots and logs keys

A newly discovered macOS malware has been spying on users and using public cloud storage as its command-and-control (C2) channel.
Researchers from ESET said that the campaign's objective is to steal as much data as possible from its targets, including documents, emails and their attachments, as well as file listings from removable storage. The spyware can also take screenshots and record keystrokes.
The ESET team named it CloudMensis and said that its relatively small distribution points to a targeted operation rather than a broad, indiscriminate campaign. Because the attackers, whose identities remain unknown, did not use any zero-day vulnerabilities, the researchers concluded that macOS users running up-to-date systems should be protected.
Dozens of commands
“We still don’t know who the targets are or how CloudMensis is initially delivered. The writers may not be extremely experienced in Mac development, as seen by the generally high caliber of the code and lack of obfuscation. Nevertheless, significant effort was made to make CloudMensis an effective surveillance tool and a threat to possible targets,” said Marc-Etienne Léveillé, an ESET researcher.
The researchers also noted that CloudMensis operates in multiple stages. The malware first checks for administrative rights and the ability to run code. It then acts as a dropper, retrieving a more capable second-stage payload from cloud storage.
In total, the second-stage malware supports 39 commands, covering data exfiltration, screenshot capture and similar surveillance tasks.
The attackers use three separate public cloud storage providers, pCloud, Yandex Disk and Dropbox, to communicate with the malware. The campaign began in early February 2022.
ESET says Apple has acknowledged the existence of malware targeting its customers and is introducing Lockdown Mode for iOS, iPadOS and macOS as a mitigation. This mode disables functionality that threat actors commonly abuse to gain code execution on a target endpoint.
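Using ordinary cloud-storage services as a C2 channel means the malicious traffic blends in with legitimate sync clients and browsers. One practical defensive check is to look at which processes on a Mac are talking to those providers' APIs and flag the ones that are not a known client. The following is an added example, written for this article and not code from ESET or from the CloudMensis analysis; the API hostnames, expected client process names and log format are assumptions, and the log lines are constructed for the demo.

```python
"""Flag processes contacting public cloud-storage APIs that are not known clients.

Added example for this article (not ESET code). Hostnames, client process names
and the JSON log layout are assumptions; SAMPLE_LOG is constructed test data.
"""
import json
from collections import defaultdict

# Assumed API hostnames for the three providers named in the article.
CLOUD_STORAGE_HOSTS = {
    "api.pcloud.com": "pCloud",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "Yandex Disk",
}

# Process names we expect to reach each provider (assumed; tune per fleet).
EXPECTED_CLIENTS = {
    "pCloud": {"pCloud Drive"},
    "Dropbox": {"Dropbox"},
    "Yandex Disk": {"Yandex.Disk"},
}
BROWSERS = {"Safari", "Google Chrome", "firefox"}


def parse_event(line):
    """Parse one JSON log line; return None for malformed or incomplete lines."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    required = {"ts", "process", "pid", "path", "dst_host"}
    if not isinstance(event, dict) or not required <= event.keys():
        return None
    return event


def classify(event):
    """Return (provider, reason) if the connection warrants review, else None."""
    provider = CLOUD_STORAGE_HOSTS.get(event["dst_host"].lower())
    if provider is None:
        return None  # not a cloud-storage API we track
    proc = event["process"]
    if proc in EXPECTED_CLIENTS.get(provider, set()) or proc in BROWSERS:
        return None  # legitimate client or browser traffic
    reasons = [f"unexpected process '{proc}' contacting {provider} API"]
    if not event["path"].startswith("/Applications/"):
        reasons.append(f"binary outside /Applications: {event['path']}")
    return provider, "; ".join(reasons)


def find_suspicious(lines):
    """Group flagged connections per binary so one beaconing process is one finding."""
    findings = defaultdict(lambda: {"providers": set(), "hits": 0, "reasons": set()})
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        verdict = classify(event)
        if verdict is None:
            continue
        provider, reason = verdict
        key = (event["process"], event["pid"], event["path"])
        findings[key]["providers"].add(provider)
        findings[key]["hits"] += 1
        findings[key]["reasons"].add(reason)
    return [
        {"process": k[0], "pid": k[1], "path": k[2], **v}
        for k, v in sorted(findings.items())
    ]


# Constructed sample log: two benign connections, two from an unknown binary,
# one unrelated host and one malformed line.
SAMPLE_LOG = [
    '{"ts":"2022-02-10T09:00:01Z","process":"Dropbox","pid":501,'
    '"path":"/Applications/Dropbox.app/Contents/MacOS/Dropbox","dst_host":"api.dropboxapi.com"}',
    '{"ts":"2022-02-10T09:00:05Z","process":"Safari","pid":612,'
    '"path":"/Applications/Safari.app/Contents/MacOS/Safari","dst_host":"content.dropboxapi.com"}',
    '{"ts":"2022-02-10T09:01:00Z","process":"example-agent","pid":4242,'
    '"path":"/Users/alice/Library/Application Support/.example/example-agent","dst_host":"api.pcloud.com"}',
    '{"ts":"2022-02-10T09:06:00Z","process":"example-agent","pid":4242,'
    '"path":"/Users/alice/Library/Application Support/.example/example-agent","dst_host":"cloud-api.yandex.net"}',
    '{"ts":"2022-02-10T09:07:00Z","process":"curl","pid":7001,'
    '"path":"/usr/bin/curl","dst_host":"example.com"}',
    "this line is not json",
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(f"{finding['process']} (pid {finding['pid']}) -> "
              f"{sorted(finding['providers'])}, {finding['hits']} hits")
        for reason in sorted(finding["reasons"]):
            print("  -", reason)
```

The grouping by process, PID and path matters in practice: a surveillance implant polling its cloud drop for new commands produces many small connections, and one finding with a hit count is easier to triage than a flood of identical alerts. The allowlists are deliberately narrow; a real deployment would build them from the fleet's own baseline rather than the assumed names used here.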