- Researchers have spotted a never-seen-before macOS spyware in the wild.
- It’s not the most advanced malware and relies on people’s poor security hygiene to achieve its objectives.
- Still, comprehensive security mechanisms, such as Apple’s upcoming Lockdown mode, are the need of the hour, argue security experts.
Security researchers have spotted a new macOS spyware that exploits already patched vulnerabilities to work around protections built into macOS. Its discovery highlights the importance of keeping up with operating system updates.
Dubbed CloudMensis, the previously unknown spyware, spotted by researchers at ESET, exclusively uses public cloud storage services such as pCloud, Dropbox, and others to communicate with the attackers, and for exfiltrating files. Worryingly, it exploits a plethora of vulnerabilities to bypass macOS’ built-in protections to steal your files.
“Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures,” wrote ESET researcher Marc-Etienne M.Léveillé. “Usage of vulnerabilities to work around macOS mitigations shows that the malware operators are actively trying to maximize the success of their spying operations.”
ESET researchers first spotted the new malware in April 2022 and realized it could attack both the older Intel and the newer Apple silicon-based computers.
Perhaps the most striking aspect of the spyware is that after being deployed on a victim’s Mac, CloudMensis doesn’t shy away from exploiting unpatched Apple vulnerabilities with the intention of bypassing the macOS Transparency, Consent, and Control (TCC) system.
TCC is designed to prompt the user to grant apps permission to take screen captures or monitor keyboard events. It blocks apps from accessing sensitive user data by enabling macOS users to configure privacy settings for apps installed on their systems and devices connected to their Macs, including microphones and cameras.
The rules are saved within a database protected by the System Integrity Protection (SIP), which ensures that only the TCC daemon can modify the database.
Based on their analysis, the researchers state that CloudMensis uses a couple of techniques to bypass TCC and avoid any permission prompts, gaining unhindered access to the sensitive areas of the computer, such as the screen, removable storage, and the keyboard.
On computers with SIP disabled, the spyware simply grants itself permission to access the sensitive devices by adding new rules to the TCC database. On computers where SIP is active, however, CloudMensis exploits known vulnerabilities to trick TCC into loading a database the spyware can write to.
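Because both bypasses end with an unexpected "allowed" row in the TCC database, one defensive check is to audit that database for sensitive grants held by clients you do not recognise. The script below is an added example, not code from ESET or the article; it assumes the `access` table layout of macOS 11 and later (`service`, `client`, `client_type`, `auth_value`), uses a hypothetical per-host allowlist, and runs against a constructed sample rather than a real dump.

```python
"""Audit a macOS TCC database for sensitive grants held by unexpected clients."""
import sqlite3

# Real kTCCService names for the capabilities the article says CloudMensis abuses.
SENSITIVE_SERVICES = {
    "kTCCServiceScreenCapture": "screen capture",
    "kTCCServiceListenEvent": "keyboard monitoring",
    "kTCCServiceAccessibility": "input control",
    "kTCCServiceMicrophone": "microphone",
    "kTCCServiceCamera": "camera",
}
AUTH_ALLOWED = 2  # auth_value that macOS 11+ stores for an approved grant

# Hypothetical per-host allowlist: clients that are expected to hold such grants.
EXPECTED_CLIENTS = {"us.zoom.xos", "com.apple.FaceTime"}


def audit_tcc(conn, expected=EXPECTED_CLIENTS):
    """Return [(service, client, capability)] for approved grants not on the allowlist."""
    rows = conn.execute("SELECT service, client, auth_value FROM access").fetchall()
    return sorted(
        (svc, client, SENSITIVE_SERVICES[svc])
        for svc, client, auth in rows
        if svc in SENSITIVE_SERVICES and auth == AUTH_ALLOWED and client not in expected
    )


def open_tcc(path="/Library/Application Support/com.apple.TCC/TCC.db"):
    """Open a real TCC.db read-only (the reading process itself needs Full Disk Access)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """Constructed sample with the 'access' columns this audit reads; not a real dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2),                 # expected bundle ID
        ("kTCCServiceCamera", "com.apple.FaceTime", 0, 2),                 # expected bundle ID
        ("kTCCServiceMicrophone", "com.example.notes", 0, 0),              # denied, ignored
        ("kTCCServiceScreenCapture", "/private/tmp/.update-agent", 1, 2),  # suspicious (constructed path)
        ("kTCCServiceListenEvent", "/private/tmp/.update-agent", 1, 2),    # suspicious (constructed path)
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for svc, client, cap in audit_tcc(build_sample_db()):
        print(f"unexpected {cap} grant ({svc}) for {client}")
```

On a live Mac, pass `open_tcc()` (system database) or the per-user copy under `~/Library/Application Support/com.apple.TCC/` to `audit_tcc`; a `client_type` of 1 means the client is an absolute path rather than a bundle ID, which is itself worth a second look.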
“We typically assume when we purchase a Mac product it is completely safe from malware and cyber threats, but that is not always the case,” George Gerchow, Chief Security Officer, Sumo Logic, told Lifewire in an email exchange.
Gerchow explained the situation is even more worrying these days with many people working from home or in a hybrid environment using personal computers. "This combines personal data with enterprise data, creating a pool of vulnerable and desirable data for hackers," noted Gerchow.
While the researchers suggest running an up-to-date Mac to at least prevent the spyware from bypassing TCC, Gerchow believes the proximity of personal devices and enterprise data calls for the use of comprehensive monitoring and protection software.
"Endpoint protection, frequently used by enterprises, can be installed individually by [people] to monitor and protect entry points on networks, or cloud-based systems, from sophisticated malware and evolving zero-day threats," suggested Gerchow. "By logging data, users can detect new, potentially unknown traffic and executables within their network."
It might sound like overkill, but even the researchers aren’t averse to using comprehensive protections to shield people against spyware, referring to the Lockdown Mode Apple is set to introduce on iOS, iPadOS, and macOS. It’s meant to give people an option to easily disable features that attackers frequently exploit to spy on people.
"Although not the most advanced malware, CloudMensis may be one of the reasons some users would want to enable this additional defense [the new Lockdown mode]," noted the researchers. "Disabling entry points, at the expense of a less fluid user experience, sounds like a reasonable way to reduce the attack surface."