Security researchers have discovered the existence of a new macOS software that exploits patched vulnerabilities to bypass the security in macOS. This discovery highlights the necessity of staying up to date with OS system upgrades.

It’s been dubbed CloudMensis The previously undiscovered software, spotted by researchers at ESET It exclusively makes use of public cloud storage providers like pCloud, Dropbox, and others to connect with criminals and to steal files. In addition, it utilizes a variety of weaknesses to bypass macOS’ built-in security to steal your data.

“Its capabilities show clearly that the intention of its creators is to collect data from users’ Macs via the exfiltration of files keys, keystrokes, as well as screen recordings,” wrote ESET researcher Marc-Etienne M.Leveille. “Usage of weaknesses to circumvent macOS mitigations reveals that malware operators are actively working to make the most of their spying activities.”

Persistent Spyware

ESET researchers first noticed the threat in early April of 2022. discovered that it could infect both the older Intel as well as the latest Apple silicon-based machines.

One of the most striking aspects of the malware is that, after it’s been installed on the user’s Mac, CloudMensis doesn’t shy in exploiting not-patched Apple weaknesses with the aim of evading TCC. macOS Transparency Consent and Control (TCC) system.

TCC is designed to remind users to give apps permission to take screen shots or to monitor keyboard events. It prevents programs from accessing personal information of users by allowing macOS users to customize privacy settings for applications installed on their computers and other devices that are connected to Macs which includes cameras and microphones.

The rules are kept in the database that is protected by system integrity Protection (SIP), which makes sure it is only the TCC daemon has the ability to alter the database.

Based on their findings they conclude that CloudMensis utilizes a few methods to get around TCC and eliminate any requests for permission, while gaining full access to the most sensitive portions of your computer like screens, the removable memory and even the keyboard.

For computers that have SIP disengaged, the program will grant itself permissions to gain access to the devices by making changes to TCC’s database. TCC database. However, on computers which SIP is in use, CloudMensis will exploit known vulnerabilities to force TCC to open a file that the spyware could write to.

Take Care to Protect Yourself

“We generally assume that when we buy the Mac product that it’s free of malware and cyber dangers, but that’s often not the situation.” George Gerchow Chief Security Officer of Sumo Logik spoke to Lifewire via email.

Gerchow explains that the issue is more alarming in the present, when a large number of people are working from home or within a hybrid setting using personal computers. “This is a way of combining personal information with company data and creates a pool of sensitive and valuable data for cybercriminals,” noted Gerchow.

Also Read: Micropower Labs-A Pakistani startup with customer base in 35 countries

Although the researchers recommend that you use an up-to-date Mac to stop the malware from bypassing TCC Gerchow is of the opinion that the interplay between personal devices as well as enterprise data warrants the use of a comprehensive surveillance and protection software.

“Endpoint protection, commonly used by businesses can be set up individually by individuals to protect the entry points to networks, or cloud-based systems from sophisticated malware and emerging zero-day threats” advised Gerchow. “By recording data, users can identify the emergence of new, unidentified traffic and executables on their networks.”

It could appear like an overkill and unnecessary, but researchers aren’t afraid of having a comprehensive security system to protect individuals from spyware, pointing to Lockdown mode Apple will implement for iOS, iPadOS, and macOS. It’s designed to provide users with the ability to disable the features that hackers often exploit to monitor individuals.

“Although it isn’t the most advanced security software, CloudMensis may be one of the main reasons why some users might want to enable this additional security feature [the new Lockdown mode”” stated the researchers. “Disabling the entry point, but at the cost of a more sluggish user experience seems like a sensible option to decrease the threat surface.


Please enter your comment!
Please enter your name here