Researchers from ESET discovered a macOS backdoor called CloudMensis. This backdoor spies on users of compromised Macs and with the use of public cloud storage, communicates to and fro with its operators. The intention of the operators, as derived from the backdoor’s capabilities, seems to gather information from the victims’ Macs b exfiltrating documents and keystrokes, listing email messages and attachments, listing files from removable storage and screen captures.
CloudMensis’ limited distribution suggests that it is a target operation. According to ESET Research, operators of this malware family deploy CloudMensis to specific targets that are of interest to them. The execution also suggests that the operator are trying to maximize the success of their spying operations.
It is still unknown how CloudMensis is distributed and who the targets are. Researchers are also suggesting that the authors might not be very familiar with Mac development and are not so advanced. The general quality of the code and lack of obfuscation suggests this. However, CloudMensis was created with the use of lot of resources to make it a powerful spy tool and a menace to the designated targets.
Apple recently acknowledges the prsenece of spyware targeting users of their products. The company is previewing Lockdown Mode on iOS, iPadOS and macOS. This disables features frequently exploited to gain code execution and deploy malware.
