TheCyberThrone

CloudMensis! A New macOS backdoor


Security researchers have found a new macOS backdoor, dubbed CloudMensis, being used in targeted attacks to steal sensitive information from victims.

The threat exclusively uses public cloud storage services to communicate with its operators. Specifically, it leverages pCloud, Yandex Disk and Dropbox to receive commands and exfiltrate files, according to the security vendor.


Once the backdoor gains code execution and administrative privileges, it runs first-stage malware which in turn retrieves a more feature-rich second stage from a cloud storage service. This larger, second component can issue 39 commands including document exfiltration, taking screenshots, and lifting email attachments and other sensitive data.

CloudMensis’ capabilities include taking screenshots, exfiltrating documents and keystrokes, and listing email messages, attachments, and files stored on removable storage.

The malware comes with support for dozens of commands, allowing its operators to perform a long list of actions on infected Macs.

Metadata obtained from the three impacted cloud storage services indicates that commands began to be issued to victim machines on February 4, 2022.


The threat actors behind this campaign are exploiting vulnerabilities to circumvent macOS mitigations. System administrators were therefore urged to ensure any corporate Macs are running an up-to-date OS to help mitigate the threat.

This research was done and documented by researchers from ESET.

Indicators Of Compromise

Paths
