The question of whether Macs are less susceptible to viruses has long been discussed.
Now a piece of macOS spyware, named CloudMensis by Eset researchers after detailed analysis, has been discovered: a backdoor that allows attackers to spy on users of compromised Macs.
It exclusively uses public cloud storage services to communicate with its operators, allowing them to collect information from victims’ computers by extracting documents, keystrokes, and screenshots.
Described as a “powerful espionage tool” by the researchers, it is unclear how the malware was initially distributed and who the targets are, although no undisclosed (zero-day) vulnerabilities were found to be used.
It is built to work with the popular Dropbox cloud platform as well as pCloud and Yandex Disk, and Eset’s analysis of the code suggests that CloudMensis may have been around for many years.
The quality of the code and lack of obfuscation suggest the creators are not very advanced or familiar with Mac development, the researchers believe, though it is capable of bypassing Apple’s own security protections.
“The use of vulnerabilities to bypass macOS mitigations shows that malware operators are actively trying to maximize the success of their espionage operations,” the researchers said.
Gaining admin access to do its dirty work
Once CloudMensis spyware is executed and administrative privileges are obtained, it initiates a two-stage process to release and act on its payload.
It embeds authentication tokens for multiple cloud service providers, allowing it to interact with cloud storage to receive commands from its operators and exfiltrate files.
The first-stage malware is configured to download the second-stage malware, the spy agent component, and install it as a system-wide daemon.
It is this second, larger component that contains the instructions to collect information from a compromised Mac.
Since the release of macOS Mojave (10.14) in 2018, Macs have used a Transparency, Consent, and Control (TCC) system to protect access to some sensitive input, such as screenshots, cameras, microphones, and keyboard events.
However, CloudMensis bypasses these built-in protections, avoiding the permission prompt the user would otherwise see, which can leave victims unaware that malware is present on their infected device.
Ultimately, the malware can list processes running on the infected device, take screenshots, list emails and attachments, list files on removable storage, upload password-protected files to cloud storage, and download and execute arbitrary files.
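The detection angle the report suggests is that a system-wide daemon whose only network contacts are consumer cloud-storage APIs is suspicious. The following is an added example, not Eset's code or anything from the report: a defender-side hunt that reads LaunchDaemon plists and lsof-style connection lines and flags root-owned daemons talking to the storage providers' public APIs. The hostnames, plists and connection lines are all constructed assumptions for the demo.

```python
"""Flag launchd daemons that talk to public cloud-storage APIs (added example)."""
import plistlib
import re

# Assumed public API hosts of the providers named in the report;
# swap in your own allow/deny lists for real use.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com": "Dropbox",
    "api.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
}

# Constructed LaunchDaemon plists keyed by their (assumed) on-disk path.
SAMPLE_DAEMONS = {
    "/Library/LaunchDaemons/com.apple.mdmclient.plist": plistlib.dumps(
        {"Label": "com.apple.mdmclient",
         "ProgramArguments": ["/usr/libexec/mdmclient", "daemon"]}),
    "/Library/LaunchDaemons/com.example.update.plist": plistlib.dumps(
        {"Label": "com.example.update", "RunAtLoad": True,
         "ProgramArguments": ["/Library/WebServer/share/updater"]}),
}

# Constructed, simplified `lsof -i -P`-style lines: command, pid, user, name.
SAMPLE_CONNECTIONS = """\
updater    412  root   TCP 10.0.0.5:51234->api.dropboxapi.com:443 (ESTABLISHED)
Dropbox    903  alice  TCP 10.0.0.5:51301->api.dropboxapi.com:443 (ESTABLISHED)
mdmclient  118  root   TCP 10.0.0.5:51377->gdmf.apple.com:443 (ESTABLISHED)
"""

CONN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+TCP\s+\S+->(?P<host>[^:]+):\d+")


def daemon_programs(plists):
    """Map executable basename -> plist path for every LaunchDaemon."""
    progs = {}
    for path, raw in plists.items():
        d = plistlib.loads(raw)
        exe = d.get("Program") or d["ProgramArguments"][0]
        progs[exe.rsplit("/", 1)[-1]] = path
    return progs


def find_cloud_c2_daemons(plists, lsof_text):
    """Return (plist, command, provider) for root daemons using storage APIs."""
    progs, hits = daemon_programs(plists), []
    for line in lsof_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        provider = CLOUD_STORAGE_HOSTS.get(m["host"])
        # A user's Dropbox client is expected; a root launchd daemon is not.
        if provider and m["user"] == "root" and m["cmd"] in progs:
            hits.append((progs[m["cmd"]], m["cmd"], provider))
    return hits
```

On a real host, read the plists from /Library/LaunchDaemons and feed the output of `lsof -i -P` (hostnames resolved) in place of the constructed samples.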
“The attackers’ intent here is clearly to extract documents, screenshots, email attachments and other sensitive data,” the Eset researchers said.
Apple Helps Users Shut Down Malware Risks
Apple is responding to the threat posed by spyware with a new feature called Lockdown Mode.
To be introduced in macOS Ventura, iOS 16 and iPadOS 16, the company describes it as an extreme option for additional protection for users who face serious, targeted threats to their digital security.
Apple says the feature strengthens existing device defenses and strictly limits certain functionality in order to sharply reduce the attack surface available to attackers.
Among the restrictions, most message attachment types other than images are blocked, certain complex web technologies are disabled, incoming invitations and service requests are blocked unless the user has previously initiated a call or request, wired connections are blocked while the device is locked, configuration profiles cannot be installed, and the device cannot enroll in mobile device management (MDM).
The company has also gone the extra mile by offering rewards to researchers who discover bypasses of, or improvements to, Lockdown Mode.
Apple has also pledged $14.5 million ($10 million), plus any damages awarded in its lawsuit against NSO Group over its spyware, to the Dignity and Justice Fund, which works to expose mercenary spyware and protect potential targets.