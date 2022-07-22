



Previously unknown macOS spyware has surfaced in a targeted campaign that steals documents, keystrokes, screen captures and more from compromised Apple machines. Notably, both payload hosting and command-and-control (C2) communication rely exclusively on public cloud storage services, a rare design choice that makes tracking and analyzing the threat difficult.

CloudMensis, a backdoor written in Objective-C, was discovered by ESET researchers. According to ESET’s analysis of the malware, published this week, after the initial breach the attackers behind the campaign use known vulnerabilities to gain code execution and escalate privileges, then install a first-stage loader component that retrieves the actual spyware payload from a cloud storage provider. The sample the company analyzed used pCloud to store and deliver the second stage, but the malware also supports Dropbox and Yandex as cloud repositories.

The spy component then sets out to collect large amounts of sensitive data from compromised Macs, including files, email attachments, messages, voice recordings and keystrokes. In total, the researchers said, it supports 39 different commands, including directives to download additional malware.

All exfiltrated data is encrypted with a public key embedded in the spy agent; according to ESET, decrypting it requires the private key held by the CloudMensis operator.

Spyware in the cloud

Beyond the fact that Mac spyware is a rare find, the analysis shows that the most notable aspect of the campaign is its exclusive use of cloud storage.

“CloudMensis operators create accounts with cloud storage providers such as Dropbox and pCloud,” ESET senior malware researcher Marc-Etienne M. Léveillé tells Dark Reading. “The CloudMensis spyware contains authentication tokens that allow it to upload and download files from these accounts. When an operator wants to send a command to one of its bots, they upload a file to the cloud storage. The CloudMensis spy agent fetches the file, decrypts it and executes the command. The result of the command is encrypted and uploaded to the cloud storage for the operator to download and decrypt.”

This technique means that the malware samples contain no domain name or IP address. “Without such indicators, it is difficult to track the infrastructure and block CloudMensis at the network level,” he adds.
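Because a dead-drop C2 of this kind leaves no attacker-owned domain or IP to blocklist, defenders have to key on behaviour instead: which process is talking to a cloud-storage API, from where, and whether it is the provider's own client. The following is an added illustration written for this article, not code from ESET or from the CloudMensis analysis. The API host names, the client bundle paths and the "user-writable location" prefixes are assumptions for illustration; the telemetry rows are constructed, not real data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Cloud-storage API hosts for the three providers named in the article.
# Assumed for illustration only; take the real list from each provider's
# current documentation before relying on it.
CLOUD_API_HOSTS: Dict[str, str] = {
    "api.pcloud.com": "pCloud",
    "eapi.pcloud.com": "pCloud",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "Yandex",
}

# Binaries legitimately expected to talk to those hosts (assumed bundle paths).
EXPECTED_CLIENTS: Dict[str, Set[str]] = {
    "pCloud": {"/Applications/pCloud Drive.app/Contents/MacOS/pCloud Drive"},
    "Dropbox": {"/Applications/Dropbox.app/Contents/MacOS/Dropbox"},
    "Yandex": {"/Applications/Yandex.Disk.app/Contents/MacOS/Yandex.Disk"},
}
BROWSERS: Set[str] = {
    "/Applications/Safari.app/Contents/MacOS/Safari",
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
    "/Applications/Firefox.app/Contents/MacOS/firefox",
}
# Locations a legitimate sync client should never run from (assumed heuristic).
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/private/var/folders/")


@dataclass(frozen=True)
class Connection:
    """One outbound connection as an EDR or host firewall log might record it."""
    process_path: str
    dest_host: str
    code_signed: bool  # True if the binary carries a valid Developer ID signature


def classify(conn: Connection) -> Optional[str]:
    """Return a reason string if the connection matches the dead-drop pattern, else None."""
    provider = CLOUD_API_HOSTS.get(conn.dest_host.lower())
    if provider is None:
        return None  # not a cloud-storage API host: out of scope for this rule
    if conn.process_path in EXPECTED_CLIENTS[provider] or conn.process_path in BROWSERS:
        return None  # the provider's own client or a browser: expected traffic
    reasons = [f"unexpected process reached {provider} API host {conn.dest_host}"]
    if not conn.code_signed:
        reasons.append("binary is not code-signed")
    if conn.process_path.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("binary runs from a user-writable location")
    return f"{conn.process_path}: " + "; ".join(reasons)


def scan(conns: List[Connection]) -> List[str]:
    """Run classify() over a batch of connections and collect the findings."""
    return [r for r in (classify(c) for c in conns) if r is not None]


# Constructed sample telemetry (not real data): two benign rows, two suspicious ones.
SAMPLE_CONNECTIONS: List[Connection] = [
    Connection("/Applications/Dropbox.app/Contents/MacOS/Dropbox", "api.dropboxapi.com", True),
    Connection("/Applications/Safari.app/Contents/MacOS/Safari", "api.pcloud.com", True),
    Connection("/Users/alice/Library/Application Support/.hidden/agent", "api.pcloud.com", False),
    Connection("/Library/Application Support/updater", "cloud-api.yandex.net", True),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CONNECTIONS):
        print("ALERT:", finding)
```

The rule deliberately fires on the pairing of process and destination rather than on the destination alone, since blocking the storage providers outright would break legitimate use; the extra signals (unsigned binary, user-writable path) only raise the confidence of a finding and are not required for it.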

It is a notable approach, though it has been used in the PC world by groups such as Inception (aka Cloud Atlas) and APT37 (aka Reaper or Group 123). However, “I think it’s the first time I’ve seen this with Mac malware,” said M. Léveillé.

Attribution, victimology remain a mystery

So far, things have been cloudy when it comes to the source of the threat. One obvious clue is that espionage is traditionally the domain of advanced persistent threats (APTs), so the perpetrators’ apparent intent, espionage and intellectual property theft, offers a possible hint as to the type of threat actor involved.

However, the artifacts ESET was able to recover from the attack show no link to any known operation.

“We couldn’t attribute this campaign to a known group based on code similarity or infrastructure,” says M. Léveillé.

Another clue: the campaign is tightly targeted, which is usually a hallmark of more sophisticated actors.

“The metadata of the cloud storage accounts used by CloudMensis revealed that the analyzed sample ran on 51 Macs between February 4 and April 22,” says M. Léveillé. Unfortunately, “there is no information about the victims’ geographic location or vertical because the files have been deleted from the cloud storage.”

However, countering the APT-like side of the campaign, ESET says the sophistication of the malware itself is not very impressive.

According to the report, “The general quality of the code and the lack of obfuscation indicate that the authors are not very familiar with Mac development and may not be very advanced.”

M. Léveillé characterized CloudMensis as a moderately advanced threat, pointing out that, unlike NSO Group’s formidable Pegasus spyware, CloudMensis does not incorporate zero-day exploits into its code.

“We haven’t seen CloudMensis use a private vulnerability to circumvent Apple’s security barriers,” says M. Léveillé. “But we found that CloudMensis uses known vulnerabilities (also known as one-days or n-days) on Macs that aren’t running the latest version of macOS [to bypass security mitigations]. Since we don’t know how the CloudMensis spyware is installed on a victim’s Mac, a private vulnerability may be used for that purpose, but we can only guess. This puts CloudMensis somewhere in the middle of the sophistication scale: above average, but not the most sophisticated either.”

How to Protect Your Business from CloudMensis and Spyware

Because CloudMensis relies on vulnerabilities to circumvent macOS mitigations, ESET says the first line of defense against this threat is to keep Macs running the latest version of macOS. The initial breach vector in this case is unknown, but implementing the remaining basics, such as strong passwords and phishing-awareness training, is also a good defense.

The researchers also recommended turning on Apple’s new Lockdown Mode feature.

According to the analysis, “Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS and macOS, which disables features frequently abused to gain code execution and deploy malware. Disabling entry points, at the expense of a less fluid user experience, sounds like a reasonable way to reduce the attack surface.”

In particular, M. Léveillé warns companies not to fall into a false sense of security when it comes to Macs. Mac-targeted malware has traditionally been less prevalent than threats to Windows and Linux, but that is changing.

“Companies using Macs in their fleets need to protect their Macs the same way they protect computers running Windows or other operating systems,” he warns. “Mac sales are increasing year over year, making their users an interesting target for financially motivated criminals. State-sponsored threat groups also have the resources to develop the malware required to adapt to their targets and carry out their missions, whatever the operating system.”

Source: https://www.darkreading.com/threat-intelligence/mysterious-cloud-enabled-macos-spyware
