Despite its limited distribution, the backdoor could be part of larger-scale threat campaigns

Cyber researchers have discovered a previously unknown macOS backdoor that allows attackers to monitor keystrokes, exfiltrate documents, capture screen activity, and spy on emails and attachments on compromised machines.

The backdoor uses public cloud storage services (pCloud, Yandex Disk, and Dropbox) exclusively for communications with its operators, and its “very limited distribution” suggests its role as part of a targeted operation.

Operators of this malware family deploy it against specific targets of interest to them. The use of vulnerabilities to work around macOS mitigations shows that the operators are actively trying to maximize the success of their spying operations. At the same time, no undisclosed zero-day vulnerabilities were found to have been used by this group.

ESET researchers, who disclosed the discovery, still do not know how the backdoor, dubbed CloudMensis, is initially distributed, or who the targets are. One researcher who analyzed the CloudMensis code, Marc-Etienne M. Léveillé, said: “The general quality of the code and lack of obfuscation indicate that the authors may not be very familiar with Mac development and are not so advanced. Nevertheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”

Once the backdoor gains code execution and administrative privileges, it runs a first-stage component that retrieves a more feature-rich second stage from the cloud storage. This second stage is a much larger component, packed with features for collecting information from the compromised machine. Altogether, 39 commands and functions were identified in the code.

Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS, and macOS, which disables features frequently exploited to gain code execution and deploy malware.

Mac users should therefore enable the feature once it is available to them to help avoid a CloudMensis infection.