The question of whether Macs are less susceptible to viruses has long been debated.
Now macOS spyware, named CloudMensis after detailed analysis conducted by Eset researchers, has been discovered as a backdoor that lets hackers spy on users of compromised Macs.
It exclusively uses public cloud storage services to communicate back and forth with its operators, enabling them to gather information from victims’ computers by exfiltrating documents, keystrokes and screen captures.
Described as a “powerful spying tool” by the researchers, it’s not clear how the virus is initially distributed and who the targets are, although it doesn’t have any undisclosed (zero-day) vulnerabilities.
It’s created to work through popular cloud platforms DropBox as well as pCloud, Yandex Disk, and Eset’s analysis of the code suggests CloudMensis may have been around for many years.
The quality of the code and lack of obfuscation suggests the creators are not very advanced or familiar with Mac development, the researchers believe, although it is able to bypass Apple’s own security protections.
“Usage of vulnerabilities to work around macOS mitigations shows that the malware operators are actively trying to maximise the success of their spying operations,” the researchers said.
Gains admin access to do its dirty work
Once the CloudMensis spyware is executed and administrative privileges are gained, it sets off a two-stage process to release and act on its payload.
It includes authentication tokens to multiple cloud service providers enabling it to interact with cloud storage providers for receiving commands from its operators and for exfiltrating files.
The first-stage malware is set to download and then retrieve the second-stage malware, the spyagent client, as a system-wide daemon.
It’s this larger, second component that contains the instructions to collect information from a compromised Mac.
Since the release of macOS Mojave (10.14) in 2018, Macs have used a Transparency, Consent, and Control (TCC) system to protect access to access to some sensitive inputs, such as screen captures, cameras, microphones, and keyboard events.
However, the CloudMensis spyware bypasses these in-built security protocols, which avoids prompting the user to provide permissions, potentially leaving them unaware of the presence of malware on their infected device.
Ultimately the malware can list processes running on the infected devices, start a screen capture, list emails and attachments, list files form removable storage, upload password-protected files to cloud storage, and download and run arbitrary files.
“The intention of the attackers here is clearly to exfiltrate documents, screenshots, email attachments, and other sensitive data,” said the Eset researchers.
Apple helping users shut down malware risks
Apple is responding to the threats posed by spyware with a new feature called Lockdown Mode.
To be rolled out across macOS Ventura, iOS 16 and iPadOS 16, the company described it as an extreme option for additional protection where users face grave, targeted threats to their digital security.
Apple says this feature hardens existing device defences and strictly limits certain functionalities in a bid to severely reduce the attack surface that could potentially be exploited by attackers.
Among the restrictions, most message attachment types other than images are blocked, certain complex web technologies are disabled, incoming invitations and service requests are blocked without a previous call or request, wired connections are blocked while locked and configuration profiles cannot be installed, and the device cannot enrol into mobile device management (MDM).
The company has also taken the extra step of offering rewards to researchers who discover Lockdown Mode bypasses or improvements.
Apple has also pledged to give $14.5 million (US$10 million) and any damages awarded from the lawsuit filed against NSO Group over its spyware to the Dignity and Justice Fund which is working to expose mercenary spyware and protect potential targets.