CloudMensis Detection: New Malware to Steal macOS Users’ Data

CloudMensis macOS Spyware

New CloudMensis malware springs into action with highly targeted attacks. Researchers have yet to establish the techniques attackers used to gain initial access to victims’ devices; however, the small number of documented attacks happened since February indicate that the CloudMensis malware was deployed to exfiltrate information as part of a targeted campaign aimed at a certain and limited number of targets – far from being used in a less effective spray-and-pray approach.

The malware first got on security radars in April 2022. Researchers discovered that its main goal was to collect sensitive data from infected devices, spying on compromised users. CloudMensis uses public cloud storage like Dropbox, pCloud, and Yandex Disk for C2 communication, with its key targets being the machines running on Intel or Apple chips.

Detect CloudMensis

To help individual users and organizations better protect their infrastructure, our keen Threat Bounty developer Onur Atali has recently released a Sigma rule that enables speedy CloudMensis malware detection. Registered users can download these rules from SOC Prime’s Detection as Code platform:

CloudMensis macOS Spyware Detect (via file_event)

The detection can be used across 20+ SIEM, EDR & XDR platforms, aligned with the MITRE ATT&CK® framework v.10, addressing the Execution tactic with User Execution (T1204) technique.

Adepts at cybersecurity are more than welcome to join the Threat Bounty Program to share their Sigma rules with the community of 28,000+ users and 600 Threat Bounty Program researchers and threat hunters, who actively contribute their own detection content to the SOC Prime Platform while receiving recurring rewards for their input.

Explore the Threat Detection Marketplace repository of the SOC Prime Platform by hitting the Detect & Hunt button to swiftly identify sophisticated threats in rapidly expanding environments. SOC Prime’s detection content library is constantly updated with new content, empowered by the collaborative cyber defense approach and enabled by Follow the Sun (FTS) model to ensure timely delivery of detections for critical threats. Striving to keep up with the latest trends shaping the current cyber threat landscape and dive into relevant threat context? Try out SOC Prime’s Search Engine! Press the Explore Threat Context button to instantly navigate the pool of the top threats and newly released Sigma rules, exploring relevant contextual information in a one-stop shop.

Detect & Hunt Explore Threat Context

CloudMensis Analysis

Cybersecurity firm ESET has shone a spotlight on previously undocumented spyware written in the Objective-C language, used to compromise devices running on macOS operating system. The first infection happened in early February 2022, with more attacks following, reads the analysis published by ESET researchers.

When hackers obtain administrative privileges, the CloudMensis payload is deployed in a two-stage process. The first stage is characterized by the download and execution of the main payload as a system-wide daemon. The analyzed malware sample allowed researchers to identify 39 commands implemented, allowing to launch such processes as starting a screen capture, running shell commands, fetching and running arbitrary files, changing values in the CloudMensis configs, listing email messages and files from removable storage, etc.

Cyber actors routinely exploit poor security configurations and other poor cyber hygiene practices to increase their hit list. SOC Prime equips information security professionals with a proper toolset for a high-level visibility into existing and emerging threats.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts