April 26, 2024

Security researchers have found a new macOS backdoor dubbed CloudMensis  being used in targeted attacks to steal sensitive information from victims.

The threat exclusively uses public cloud storage services to communicate with its operators. Specifically, it leverages pCloud, Yandex Disk and Dropbox to receive commands and exfiltrate files, according to the security vendor.

Advertisements

Once the backdoor gains code execution and administrative privileges, it runs first-stage malware which in turn retrieves a more feature-rich second stage from a cloud storage service. This larger, second component can issue 39 commands including document exfiltration, taking screenshots, and lifting email attachments and other sensitive data.

CloudMensis’ capabilities include screenshots, exfiltration of documents and keystrokes, as well as listing email messages, attachments, and files stored from removable storage.

The malware comes with support for dozens of commands, allowing its operators to perform a long list of actions on infected Macs.

  • Change values in the CloudMensis configuration: cloud storage providers and authentication tokens, file extensions deemed interesting, polling frequency of cloud storage, etc.
  • List running processes
  • Start a screen capture
  • List email messages and attachments
  • List files from removable storage
  • Run shell commands and upload the output to cloud storage
  • Download and execute arbitrary files

Metadata obtained from the three impacted cloud storage services indicates that commands began to be issued to victim machines on February 4, 2022.

Advertisements

The threat actors behind this campaign are exploiting vulnerabilities to circumvent macOS mitigations. System administrators were therefore urged to ensure any corporate Macs are running an up-to-date OS to help mitigate the threat.

This research was done and documented by researchers from ESET

Indicators Of Compromise

  • D7BF702F56CA53140F4F03B590E9AFCBC83809DB
  • 0AA94D8DF1840D734F25426926E529588502BC08
  • C3E48C2A2D43C752121E55B909FC705FE4FDAEF6

Paths

  • /Library/WebServer/share/httpd/manual/WindowServer
  • /Library/LaunchDaemons/.com.apple.WindowServer.plist
  • ~/Library/Containers/com.apple.FaceTime/Data/Library/windowserver
  • ~/Library/Containers/com.apple.Notes/Data/Library/.CFUserTextDecoding
  • ~/Library/Containers/com.apple.languageassetd/loginwindow
  • ~/Library/Application Support/com.apple.spotlight/Resources_V3/.CrashRep
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

CISA KEV Update April 2024 – Part II

April 25, 2024

ArcaneDoor Exploits Cisco ASA and FTD

April 25, 2024

Google Fixes Critical Vulnerability in Chrome -CVE-2024-4058

April 24, 2024

Red Ransomware Victimized Targus

April 23, 2024

Oracle Virtual Box Vulnerability PoC Released – CVE-2024-21111

April 22, 2024

CrushFTP Zeroday Vulnerability Exploited in Wild attack

April 21, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading