CloudMensis targets macOS users
CloudMensis targets macOS users. ESET cybersecurity experts: The malware, a backdoor, exclusively uses public cloud storage services to communicate back and forth with its operators
CloudMensis is a new malware targeting macOS users. It was detected by ESET cybersecurity experts, who discovered the backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators. Its capabilities clearly show that the intent of its operators is to gather information from the victims’ computers by exfiltrating documents, keystrokes, and screen captures.

Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS and macOS, which disables features frequently exploited to gain code execution and deploy malware.

CloudMensis is developed in Objective-C. Once code execution and administrative privileges have been gained, a two-stage process follows: the first stage downloads and executes the more featureful second stage. Interestingly, this first-stage malware retrieves its next stage from a cloud storage provider. It does not use a publicly accessible link; instead, it includes an access token to download the MyExecute file from the drive.