
ESET Research discovers new threat to Mac users: CloudMensis spies on them in targeted operation

  • ESET researchers discovered a previously unknown macOS backdoor that spies on users of compromised Macs.
  • ESET has named the malware CloudMensis because it uses cloud storage services to communicate with the operators and uses the names of months as directory names.
  • This macOS malware uses cloud storage as its Command and Control channel, supporting three different providers: pCloud, Yandex Disk, and Dropbox.
  • CloudMensis can issue 39 commands, including exfiltrating documents, keystrokes, and screen captures, from compromised Macs.
  • Metadata from the cloud storage services used reveal that the first Mac compromised by this recent campaign was on February 4, 2022.
  • The very limited distribution of CloudMensis suggests that it is used as part of a targeted operation.

BRATISLAVA, MONTREAL — JULY 19, 2022 — ESET researchers discovered a previously unknown macOS backdoor that spies on users of compromised Macs and exclusively uses public cloud storage services to communicate back and forth with its operators. Named CloudMensis by ESET, its capabilities clearly show that the intent of the operators is to gather information from the victims’ Macs by exfiltrating documents and keystrokes, listing email messages and attachments, listing files from removable storage, and taking screen captures.

CloudMensis is a threat to Mac users, but its very limited distribution suggests that it is used as part of a targeted operation. From what ESET Research has seen, operators of this malware family deploy CloudMensis to specific targets that are of interest to them. The use of vulnerabilities to work around macOS mitigations shows that the malware operators are actively trying to maximize the success of their spying operations. At the same time, no undisclosed vulnerabilities (zero days) were found to be used by this group during our research. Thus, running an up-to-date Mac is recommended to avoid, at least, the mitigation bypasses.

“We still do not know how CloudMensis is initially distributed and who the targets are. The general quality of the code and lack of obfuscation show the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets,” explains ESET researcher Marc-Etienne Léveillé, who analyzed CloudMensis.

Once CloudMensis gains code execution and administrative privileges, it runs a first-stage malware that retrieves a more featureful second stage from a cloud storage service.

This second stage is a much larger component, packed with a number of features to collect information from the compromised Mac. The intention of the attackers here is clearly to exfiltrate documents, screenshots, email attachments, and other sensitive data. Altogether, there are 39 commands currently available.

CloudMensis uses cloud storage both for receiving commands from its operators and for exfiltrating files. It supports three different providers: pCloud, Yandex Disk, and Dropbox. The configuration included in the analyzed sample contains authentication tokens for pCloud and Yandex Disk.

Metadata from the cloud storage services used reveal interesting details about the operation, for example that it started to transmit commands to the bots as of February 4, 2022.
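The press release states that CloudMensis talks to its operators only through pCloud, Yandex Disk, and Dropbox, and that the analyzed sample carried tokens for two of them. A defender can turn that into a simple hunt over endpoint network telemetry: flag any process that reaches a cloud storage API without being the provider's own client or a browser, and flag any single process that talks to more than one provider. The script below is an added example, not code from ESET or from the CloudMensis analysis; the log format, the provider domain suffixes, the allowlisted client paths, and the sample lines are all assumptions constructed for illustration and should be adapted to what your own proxy or EDR logs contain.

```python
# Added example (not ESET's code): hunt for unexpected processes talking to the
# cloud storage providers CloudMensis is reported to use as its C2 channel.
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Domain suffixes assumed for illustration; check them against your own logs.
PROVIDER_DOMAINS = {
    "pcloud": ("pcloud.com",),
    "yandex_disk": ("cloud-api.yandex.net", "disk.yandex.net"),
    "dropbox": ("dropboxapi.com", "dropbox.com"),
}

# Executables expected to reach each provider (assumed allowlist, per organization).
EXPECTED_CLIENTS = {
    "pcloud": ("/Applications/pCloud Drive.app/",),
    "yandex_disk": ("/Applications/Yandex.Disk.app/",),
    "dropbox": ("/Applications/Dropbox.app/",),
}
BROWSERS = (
    "/Applications/Safari.app/",
    "/Applications/Google Chrome.app/",
    "/Applications/Firefox.app/",
)


@dataclass(frozen=True)
class Event:
    ts: str
    process: str  # full path of the connecting executable
    host: str     # destination hostname


def parse_line(line: str) -> Event | None:
    """Parse one tab-separated telemetry line: <timestamp>\\t<process path>\\t<host>."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3 or not all(parts):
        return None  # malformed lines are skipped, not treated as findings
    return Event(parts[0], parts[1], parts[2].lower())


def provider_for(host: str) -> str | None:
    """Map a destination host to a provider name, matching exact or sub-domains."""
    for name, domains in PROVIDER_DOMAINS.items():
        for d in domains:
            if host == d or host.endswith("." + d):
                return name
    return None


def is_expected(process: str, provider: str) -> bool:
    """True when the process is the provider's own client or a web browser."""
    return process.startswith(EXPECTED_CLIENTS[provider] + BROWSERS)


def hunt(lines: list[str]) -> list[dict]:
    """Return findings: per-connection 'unexpected_client' and per-process 'multi_provider'."""
    findings: list[dict] = []
    providers_by_process: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        provider = provider_for(ev.host)
        if provider is None:
            continue  # not a cloud storage provider of interest
        providers_by_process[ev.process].add(provider)
        if not is_expected(ev.process, provider):
            findings.append({"reason": "unexpected_client", "process": ev.process,
                             "provider": provider, "host": ev.host, "ts": ev.ts})
    # A single binary holding credentials for several providers is unusual for
    # legitimate software and matches the configuration described in the report.
    for process, providers in providers_by_process.items():
        if len(providers) >= 2:
            findings.append({"reason": "multi_provider", "process": process,
                             "providers": sorted(providers)})
    return findings


# Constructed sample telemetry (tab-separated); /private/tmp/helper is a made-up path.
SAMPLE_LOG = [
    "2022-07-19T09:00:01Z\t/Applications/Dropbox.app/Contents/MacOS/Dropbox\tapi.dropboxapi.com",
    "2022-07-19T09:02:13Z\t/Applications/Safari.app/Contents/MacOS/Safari\twww.dropbox.com",
    "2022-07-19T09:05:40Z\t/Applications/Yandex.Disk.app/Contents/MacOS/Yandex.Disk\tcloud-api.yandex.net",
    "2022-07-19T09:07:02Z\t/private/tmp/helper\tapi.pcloud.com",
    "2022-07-19T09:07:05Z\t/private/tmp/helper\tcloud-api.yandex.net",
    "2022-07-19T09:09:30Z\t/usr/bin/curl\twww.example.com",
    "malformed line",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this produces three findings: two `unexpected_client` hits for the unknown helper binary (one per provider) and one `multi_provider` hit for the same binary. The allowlist approach deliberately errs toward noise; in practice it is tuned by adding the organization's sanctioned clients rather than by loosening the domain match, since any process outside the allowlist that authenticates to these APIs deserves a look.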

Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS, and macOS, which disables features frequently exploited to gain code execution and deploy malware.

For more technical information about CloudMensis, check out the blogpost “I see what you did there: a look at the CloudMensis macOS spyware” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

[Figure: Outline of how CloudMensis uses cloud storage services]

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Good Finance Chooses CyberLink’s FaceMe® Facial Recognition Technology to Perform Identity Verification for Its Online Banking Services

CyberLink’s FaceMe Fintech solution combines the latest ID authentication, facial recognition and liveness detection technologies, ensuring intuitive, accurate and secure identity validation to Good Finance’s online banking customers.

Taipei, Taiwan – July 19, 2022 – CyberLink Corp., a pioneer of AI and facial recognition technologies, has partnered with Good Finance to integrate its AI facial recognition engine, FaceMe, into Good Finance’s eKYC (Electronic Know Your Customer) account opening process. By using their mobile device camera, customers can validate their identity and remotely sign all necessary documents. The FaceMe solution is convenient for new customers, who don’t need to visit their local branch, and eliminates the potential for human errors inherent in manual identity verification.

A streamlined experience – integrating identity verification into online banking app

Good Finance implemented CyberLink’s FaceMe AI facial recognition engine into its mobile app and portal to eliminate the need for new online banking customers to visit a physical branch when performing certain operations such as opening an account. Customers can complete the verification process remotely by simply uploading a picture of their ID to the Good Finance app and following the live face capture prompts within the app. Identity is instantly verified, accuracy is guaranteed and no time is lost.


Secure multi-factor authentication with FaceMe’s ID verification and liveness detection

Beyond verifying the photo ID’s authenticity, FaceMe’s AI technology validates that the person in front of the camera is the one on the ID. To prevent identity fraud, FaceMe supports liveness detection and anti-spoofing: it can detect whether a real person is in front of the camera (rather than a photo or video) and check that it is not an impostor wearing a prosthetic mask.


“CyberLink provides legally compliant, top-ranked facial recognition to the eKYC process, and meets all needs and requirements of the financial industry in Taiwan,” said Daniel Chen, Product Manager of Good Finance. “After careful consideration, we chose to partner with CyberLink to offer our customers an enhanced online experience while improving internal operating efficiency. Only a few months after debuting the integration of FaceMe in our eKYC service, Good Finance has helped nearly 300 online customers successfully open new accounts. We appreciate the partnership with CyberLink and their support and effort.”


“Accurate and secure identity validation of online customers, also known as eKYC, is a top priority across the banking, insurance and security industries, as well as any organization engaged in fintech. AI facial recognition is the perfect technology to address this important matter,” said Dr. Jau Huang, Chairman and CEO of CyberLink. “We are honored that Good Finance chose FaceMe to perform online identity validation. FaceMe’s industry leading accuracy, anti-spoofing and overall performance uniquely meet eKYC’s demanding requirements and play a key role in taking fintech to a new level of excellence.”


FaceMe is the most versatile facial recognition offering on the market today. With a 99.7% accuracy rate and secure built-in liveness and anti-spoofing capabilities, FaceMe can run on edge devices (mobile phones, tablets) as well as banks’ internal servers. The solution’s availability and optimized performance across platforms and environments help developers create new fintech applications and quickly test and deploy them in the market.


About CyberLink
Founded in 1996, CyberLink Corp. (5203.TW) is the world leader in multimedia software and AI facial recognition technology. CyberLink addresses the demands of consumer, commercial and education markets through a wide range of solutions, covering digital content creation, multimedia playback, video conferencing, live casting, mobile applications and AI facial recognition. CyberLink has shipped several hundred million copies of its multimedia software and apps, including the award-winning PowerDirector, PhotoDirector, and PowerDVD. With years of research in the fields of artificial intelligence and facial recognition, CyberLink has developed the FaceMe® Facial Recognition Engine. Powered by deep learning algorithms, FaceMe® delivers the reliable, high-precision, and real-time facial recognition that is critical to AIoT applications such as smart retail, smart security and surveillance, smart city and smart home. For more information about CyberLink, please visit the official website at www.cyberlink.com.

ICS / OT Security News Update | SCADAfence – July 15

Our research team compiled the latest updates on newly announced CVEs, recent ransomware attacks and IoT security news. They also offer analysis of the potential impacts and their expert recommendations.
