
New malware CloudMensis can compromise Mac devices by accessing macOS via backdoors

Unknown threat actors are using a previously undetected macOS backdoor to gain access to Mac systems while bypassing the operating system's security mechanisms.

According to recent reports from ESET's researchers, the Slovak internet security company headquartered in Bratislava first observed the new malware, named CloudMensis, in April 2022. CloudMensis uses public cloud storage services such as pCloud, Yandex Disk, and Dropbox for command-and-control (C2) communications: it maintains contact with compromised devices through these services and uses them to collect sensitive data from remote locations.
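Because CloudMensis hides its C2 traffic inside ordinary cloud-storage API calls, blocking the providers outright is rarely an option; what a defender can do is ask which processes talk to those APIs and whether they are the vendor's own sync clients. The following Python script is an added example, not code from ESET or from the article: it parses a constructed sample of network-connection log lines and flags any process contacting a cloud-storage API that is not on an allow-list. The log line format, the API hostnames, and the list of expected client processes are assumptions to be adapted to the proxy or DNS logs you actually have.

```python
"""Flag processes that reach public cloud-storage APIs without being the
provider's known client. Added example, not ESET's or the article's code;
log format, hostnames and the allow-list are assumptions."""
import re
from collections import defaultdict

# Constructed sample of connection log lines (assumed format:
# "<timestamp> <process> -> <destination-host>:<port>").
SAMPLE_LOG = """\
2022-04-05T10:01:12Z Dropbox -> api.dropboxapi.com:443
2022-04-05T10:01:30Z Safari -> www.example.com:443
2022-04-05T10:02:05Z WindowServer -> api.pcloud.com:443
2022-04-05T10:02:09Z WindowServer -> api.pcloud.com:443
2022-04-05T10:03:44Z Yandex.Disk -> cloud-api.yandex.net:443
2022-04-05T10:04:01Z mdworker -> cloud-api.yandex.net:443
"""

# Storage providers the report names as CloudMensis C2 channels; the exact
# API hostnames are assumptions, adjust them to what your logs show.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com": "Dropbox",
    "api.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
}

# Processes expected to contact each provider (assumed allow-list).
EXPECTED_CLIENTS = {
    "Dropbox": {"Dropbox"},
    "pCloud": {"pCloud Drive"},
    "Yandex Disk": {"Yandex.Disk"},
}

LINE_RE = re.compile(r"^(\S+)\s+(.+?)\s+->\s+([\w.-]+):(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proc, host, port = m.groups()
    return {"ts": ts, "process": proc, "host": host, "port": int(port)}


def find_unexpected_cloud_clients(log_text):
    """Return {(process, provider): count} for every process that contacts a
    cloud-storage API host without being that provider's known client."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        provider = CLOUD_STORAGE_HOSTS.get(rec["host"])
        if provider is None:
            continue  # not a cloud-storage API host, ignore
        if rec["process"] not in EXPECTED_CLIENTS.get(provider, set()):
            hits[(rec["process"], provider)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (proc, provider), n in sorted(find_unexpected_cloud_clients(SAMPLE_LOG).items()):
        print(f"{proc!r} contacted the {provider} API {n} time(s); review this process")
```

In the constructed sample, the Dropbox and Yandex.Disk clients are expected, so only WindowServer (pCloud) and mdworker (Yandex Disk) are reported. A system process such as WindowServer has no business talking to a cloud-storage API, which is exactly the kind of mismatch that makes this technique useful against malware that borrows a legitimate service for C2.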

Threat actors are able to exfiltrate data such as screenshots, documents, keystrokes, email listings, attachments, messages, stored files, and files from removable storage.

According to the ESET researchers, the attackers first compromised a Mac device on February 4, 2022. They then used the backdoor, which is written in Objective-C, in several further attacks and compromised other Macs.

However, researchers are not yet sure how the malware reaches its victims. ESET researcher Marc-Etienne Léveillé said, “We still do not know how CloudMensis is initially distributed and who the targets are…The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced…Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”

The report claims that the malware can bypass the macOS Transparency, Consent, and Control (TCC) system. TCC normally blocks macOS apps from accessing user data without consent; if it can be bypassed, the threat actor can change the privacy settings of apps installed on the system. The malware can then take screenshots or monitor keyboard activity and deliver the results to a remote location.
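TCC records its consent decisions in SQLite databases (the system-wide one at /Library/Application Support/com.apple.TCC/TCC.db and a per-user one under ~/Library/Application Support/com.apple.TCC/TCC.db), so one practical check after a suspected compromise is to audit those grants for the services a screenshot-and-keylogging agent needs. The following Python script is an added example, not ESET's or the article's code: it builds a throwaway in-memory database with a reduced copy of TCC's access table (reading the live file requires Full Disk Access) and reports sensitive permissions granted to any client not on an allow-list. The column subset, the meaning of auth_value 2 as "allowed", and the allow-list are assumptions; the client bundle IDs in the sample rows are constructed.

```python
"""Audit TCC grants for sensitive services held by unexpected clients.
Added example, not the article's or ESET's code; the reduced 'access' table
schema, the auth_value encoding and the allow-list are assumptions."""
import sqlite3

# TCC service identifiers relevant to a screenshot/keylogging spy agent.
SENSITIVE_SERVICES = {
    "kTCCServiceScreenCapture": "screen recording",
    "kTCCServiceAccessibility": "accessibility (keystroke monitoring)",
    "kTCCServiceSystemPolicyAllFiles": "full disk access",
}
AUTH_ALLOWED = 2  # auth_value meaning 'allowed' on recent macOS (assumed)

# Bundle IDs you have deliberately granted these rights (assumed allow-list).
KNOWN_CLIENTS = {"com.apple.screencaptureui", "us.zoom.xos"}

# Reduced copy of the real table: only the columns this audit needs.
SCHEMA = """
CREATE TABLE access (
    service     TEXT    NOT NULL,
    client      TEXT    NOT NULL,
    client_type INTEGER NOT NULL,
    auth_value  INTEGER NOT NULL
);
"""

# Constructed rows; "com.example.agent" stands in for an unexpected grant.
SAMPLE_ROWS = [
    ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2),
    ("kTCCServiceScreenCapture", "com.example.agent", 0, 2),
    ("kTCCServiceAccessibility", "com.example.agent", 0, 2),
    ("kTCCServiceAccessibility", "com.example.denied", 0, 0),  # denied, ignore
    ("kTCCServiceCamera", "com.example.agent", 0, 2),  # not in the sensitive set
]


def build_sample_db():
    """Create the in-memory sample database used for this demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def audit_tcc(conn, known_clients=KNOWN_CLIENTS):
    """Return sorted [(client, description)] for every allowed grant of a
    sensitive service to a client that is not on the allow-list."""
    cur = conn.execute(
        "SELECT service, client FROM access WHERE auth_value = ?", (AUTH_ALLOWED,)
    )
    findings = []
    for service, client in cur:
        if service in SENSITIVE_SERVICES and client not in known_clients:
            findings.append((client, SENSITIVE_SERVICES[service]))
    return sorted(findings)


if __name__ == "__main__":
    for client, what in audit_tcc(build_sample_db()):
        print(f"{client}: {what} granted; confirm this was intentional")
```

To run this against a real machine, replace build_sample_db() with sqlite3.connect() on a read-only copy of the TCC database and extend KNOWN_CLIENTS with the bundle IDs you expect. A grant that nobody remembers approving is worth investigating, and since the bypass the report describes depends on a vulnerability Apple has already patched, keeping macOS current closes that path regardless of what the audit finds.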

Security researchers said that the malware works around macOS protections using CVE-2020-9934, a vulnerability Apple patched two years ago. ESET further added, “Usage of vulnerabilities to work around macOS mitigations shows that the malware operators are actively trying to maximize the success of their spying operations…At the same time, no undisclosed vulnerabilities (zero-days) were found to be used by this group during our research. Thus, running an up-to-date Mac is recommended to avoid, at least, the mitigation bypasses.”
