Security firm ESET has uncovered a new Mac-based malware that can secretly spy on a user’s computer by capturing screenshots and keystrokes and stealing files.
ESET discovered the Mac malware in April and concluded that the hackers seem to be distributing the malicious program selectively to perhaps only several victims per week.
The security firm is calling the threat “CloudMensis” because it relies on cloud storage services, including Dropbox, Yandex Disk, and pCloud, to download additional components to power the malware. “It doesn’t use a publicly accessible link; it includes an access token to download the MyExecute file from the (cloud storage) drive,” ESET said.
The cloud storage drives also act as a way for the hacker to send a wide variety of commands to the malware and receive the stolen files. “The intention of the attackers here is clearly to exfiltrate documents, screenshots, email attachments, and other sensitive data,” ESET added.
The big mystery is how CloudMensis infects Macs. ESET still isn’t sure, making it unclear how users can protect themselves from the threat. Somehow, the hackers have also been gaining administrative privileges on targeted Macs to modify the necessary system files.
Still, the company did uncover some interesting computer code in the malware, which shows it was designed to abuse four vulnerabilities in macOS previously patched in 2017. This suggests CloudMensis “may have been around for many years,” ESET said.
Another interesting feature is how CloudMensis has been designed to steal files with the .hwp and .hwpx extensions, which are files for South Korea-based Hancom Office software. The malware’s computing code also shows it’s capable of
Read more on pcmag.com