{"id":7089,"date":"2023-09-20T08:08:20","date_gmt":"2023-09-20T08:08:20","guid":{"rendered":"https:\/\/fortgale.com\/blog\/?p=7089"},"modified":"2023-09-20T08:15:16","modified_gmt":"2023-09-20T08:15:16","slug":"cloudmensis-spyware-hitting-macos","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/cyber-security-news\/cloudmensis-spyware-hitting-macos\/","title":{"rendered":"CloudMensis: Spyware hitting MacOS"},"content":{"rendered":"\n

A new backdoor<\/em> for MacOS systems has been discovered in recent days by ESET researchers<\/a>. The goal of the malware<\/strong> is to exfiltrate information from the victim system by exploiting cloud storage services.
The Backdoor<\/em>, named by CloudMensis<\/strong> researchers, recovers information such as documents, email messages and attachments, files<\/em> on removable devices, screenshots<\/em> and the sequence of keys pressed by the user from the victim system.<\/p>\n\n\n\n

CloudMensis is a serious threat to Mac (Apple) users, but its very limited distribution suggests it is a tool used in targeted offensive operations.<\/p>\n\n\n\n

\u201cWe still don’t know how CloudMensis is initially deployed and who the targets are. The overall code quality and lack of obfuscation shows that the authors may not be very familiar with Mac development and are not that advanced. However, many resources have gone into making CloudMensis a powerful spying tool and threat to potential targets.”<\/em> explains ESET researcher Marc-Etienne L\u00e9veill\u00e9, who analyzed CloudMensis.<\/p>\n\n\n\n

CloudMensis – Steps of the infection<\/h2>\n\n\n\n

After launching into the victim system, CloudMensis<\/strong> performs Privilege Escalation<\/a> tasks to execute code with maximum privileges by exploiting four different vulnerabilities and clearing traces from the Safari sandbox<\/em>.<\/p>\n\n\n\n

The first stage deals with the download from a cloud storage service of a second, more advanced stage necessary for collecting information from the compromised system. In total there are 39 commands for exfiltrating documents, screenshots, email attachments and other sensitive data.<\/p>\n\n\n\n

The second stage exploits a vulnerability (CVE-2020-9934) to bypass the Transparency Consent, and Control (TCC) security framework, a framework that ensures that all apps obtain explicit user consent to access files in Documents, Downloads , Desktop, iCloud Drive, and network volumes.<\/p>\n\n\n\n

What complicates CloudMensis Threat Detection activities through Network Security activities is the use of cloud storage services both for file exfiltration and for the exchange of commands (Command & Control, C2). The malware appears to support three different providers: pCloud, Yandex Disk and Dropbox.<\/p>\n\n\n\n

\"\"
Eset reconstruction – Link<\/a><\/figcaption><\/figure>\n\n\n\n

The Malware began transmitting commands to command and control servers starting February 4, 2022.<\/p>\n\n\n\n

Indicators of Compromise (IOCs)<\/h2>\n\n\n\n
    \n
  • Downloader <\/strong>(first stage)\n
      \n
    • SHA256<\/strong> 273633eee4776aef40904124ed1722a0793e6567f3009cdb037ed0a9d79c1b0b<\/li>\n<\/ul>\n<\/li>\n\n\n\n
    • Client (second stage)\n
        \n
      • SHA256<\/strong> 317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427<\/li>\n<\/ul>\n<\/li>\n\n\n\n
      • Client (second stage)\n
          \n
        • SHA256 <\/strong>b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

          A new backdoor for MacOS systems has been discovered in recent days by ESET researchers. The goal of the malware is to exfiltrate information from the victim system by exploiting cloud storage services.The Backdoor, named by CloudMensis researchers, recovers information such as documents, email messages and attachments, files on removable devices, screenshots and the sequence […]<\/p>\n","protected":false},"author":12,"featured_media":4758,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[212],"class_list":["post-7089","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security-news","tag-malware"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/7089","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=7089"}],"version-history":[{"count":3,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/7089\/revisions"}],"predecessor-version":[{"id":7094,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/7089\/revisions\/7094"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/4758"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=7089"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=7089"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=7089"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}