The cybersecurity company ESET has identified malware capable of stealing data from users of Mac computers. It does this through several techniques, among them a keylogger that lets the attackers capture passwords and anything else a victim types on the keyboard.
What is notable about this attack, which ESET has named CloudMensis, is that it uses publicly available cloud storage platforms to host the malware, which is delivered in two stages.
Infecting a device in two steps is not new; a similar case had already been seen in which the platform used by the criminals was Discord. What is unusual here is how the first file that arrives on the computer is made to connect to a second file kept in the cloud storage service, and it is that second file, once installed, that gives the attackers access to the system and lets them steal data such as account numbers and banking passwords.
Beyond the keylogger, the attackers can also capture screenshots of the victim's desktop.
Attacks on Apple operating systems are not new, and Apple itself recently introduced Lockdown Mode, which disables the functions criminals normally abuse to reach the sensitive information stored on a device.
The head of the ESET Latin America research laboratory explains that this spyware was built for both Intel and Apple silicon Macs. Although it is not known how the initial access to the victims was obtained, it is clear that once the malware takes control of the system, a two-stage process follows. “The first stage downloads and executes the second stage with more features. Interestingly, the first-stage malware retrieves the next-stage malware from a cloud storage provider.” explains the expert.
Furthermore, the malware does not rely on a public share link; it embeds an access token with which it downloads the file named “MyExecute” from the storage account. In the sample ESET analyzed, pCloud was the service used to store and deliver the second stage.
Judging by the files downloaded in the two phases, the creators appear to have named the components Execute and Client. As already mentioned, the first is the downloader, whose only job is to fetch and install the second, which is the spyware proper. It runs on the computer as a background process, which is why it goes unnoticed by users.
ESET also suggests that CloudMensis may have been circulating for several years. The investigation found that the first component, the downloader, contains a module called removeRegistration whose job is to exploit four Safari vulnerabilities that Apple has since patched. Exploits of this kind are used to take control of a system or extract personal information from it, and the presence of code targeting long-fixed bugs points to the downloader having been written some time ago.
The second CloudMensis component is considerably more complex, since it is the one that actually operates on the Mac. It is a much larger program bundling the many functions with which it collects documents, screenshots, email attachments and other personal data.
Finally, the criminals also use cloud storage to hold the stolen information; the platforms they use are pCloud, Yandex Disk and Dropbox.
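Because both the second-stage download and the exfiltration described above go through ordinary cloud storage services, one practical way to hunt for this kind of activity is to look for processes other than the official sync clients talking to those services' API endpoints. The script below is an added example written for this article and is not ESET's code or anything recovered from CloudMensis. The log format, the API hostnames and the paths of the legitimate clients are assumptions chosen for illustration, and the log lines it runs over are constructed, not real captures.

```python
import re
from dataclasses import dataclass

# Assumed API hostnames for the three providers the article names.
# These are assumptions for the example, not endpoints taken from the report.
CLOUD_STORAGE_HOSTS = {
    "api.pcloud.com": "pCloud",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "Yandex Disk",
}

# Hypothetical allowlist of binaries that are expected to talk to each
# provider. Tune this to whatever is actually installed in your fleet.
EXPECTED_CLIENTS = {
    "pCloud": {"/Applications/pCloud Drive.app/Contents/MacOS/pCloud Drive"},
    "Dropbox": {"/Applications/Dropbox.app/Contents/MacOS/Dropbox"},
    "Yandex Disk": {"/Applications/Yandex.Disk.app/Contents/MacOS/Yandex.Disk"},
}

# Assumed log format: one outbound connection per line, as a host-based
# network sensor might record it:
#   <timestamp> pid=<pid> exe="<path>" dst=<host>:<port>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) exe="(?P<exe>[^"]+)" dst=(?P<dst>[^:\s]+):(?P<port>\d+)$'
)

# Constructed sample log: one legitimate Dropbox client, one unknown
# binary reaching two storage providers, one unrelated connection, and
# one malformed line the parser must skip.
SAMPLE_LOG = [
    '2022-07-19T10:01:02Z pid=412 exe="/Applications/Dropbox.app/Contents/MacOS/Dropbox" dst=api.dropboxapi.com:443',
    '2022-07-19T10:01:05Z pid=913 exe="/Users/alice/Library/Caches/.sync/Client" dst=api.pcloud.com:443',
    '2022-07-19T10:01:07Z pid=913 exe="/Users/alice/Library/Caches/.sync/Client" dst=cloud-api.yandex.net:443',
    '2022-07-19T10:01:09Z pid=520 exe="/Applications/Safari.app/Contents/MacOS/Safari" dst=www.example.com:443',
    'garbage line that does not match the expected format',
]


@dataclass(frozen=True)
class Alert:
    ts: str
    pid: int
    exe: str
    provider: str
    host: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(lines):
    """Flag connections to cloud-storage APIs from non-allowlisted binaries."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        provider = CLOUD_STORAGE_HOSTS.get(rec["dst"].lower())
        if provider is None:
            continue  # not a storage provider we care about
        if rec["exe"] in EXPECTED_CLIENTS.get(provider, set()):
            continue  # the official client; expected traffic
        alerts.append(Alert(rec["ts"], int(rec["pid"]), rec["exe"], provider, rec["dst"]))
    return alerts


def suspicious_pids(alerts):
    """Group alerts by process: one unknown binary reaching several providers
    is a stronger signal than a single stray connection."""
    by_pid = {}
    for a in alerts:
        by_pid.setdefault(a.pid, set()).add(a.provider)
    return by_pid


def run_sample():
    return hunt(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} pid={a.pid} {a.exe} -> {a.host} ({a.provider})")
    print(suspicious_pids(run_sample()))
```

On the sample log the script ignores the official Dropbox client and the Safari connection, skips the malformed line, and raises two alerts for pid 913, which reached both pCloud and Yandex Disk from a path under the user's cache directory. In a real deployment the allowlist would be keyed on code-signing identity rather than on path alone, since a path is trivial for malware to imitate.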