Cloudmensis

Malware Profile Updated 3 months ago
CloudMensis is malware written specifically for macOS; it was first documented by ESET in July 2022. It infiltrates devices primarily through email attachments and causes significant security breaches once inside. Once installed, CloudMensis works to identify whether System Integrity Protection (SIP) is disabled, which lets it load its own malicious database onto the compromised system. The malware is also known by several other names, including InkSquid, RedEyes, BadRAT, Reaper, and ScarCruft.

In a targeted campaign last year, a previously unknown macOS spyware named "CloudMensis" surfaced, exfiltrating large amounts of data from Apple machines. The extracted information included documents, keystrokes, screen captures, and more, demonstrating the breadth of the threat this malware poses. CloudMensis was identified by APT37, a group notorious for its persistent cyber threats. The malware attempts to dump the access table from the TCC database, further compromising the security of infected systems.

The primary malware used by APT37 is RokRAT, also known as DOGCALL. This backdoor has been adapted to several platforms, including macOS (under the name CloudMensis) and Android (as RambleOn), indicating that it is actively developed and maintained. The presence of CloudMensis on multiple platforms underscores the pervasive threat posed by this malware and the group behind it.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
DOGCALL | 1 | Dogcall, also known as ROKRAT, is a remote access Trojan (RAT) malware first reported by Talos in April 2017. It has consistently been attributed to the Advanced Persistent Threat (APT37) group, also known as Reaper. The malware uses third-party hosting services for data upload and command acceptanc
ROKRAT | 1 | RokRAT is a sophisticated malware that has been used by the cyber-espionage group ScarCruft, primarily to target South Korean media and research organizations. The malware is typically delivered via phishing emails with ZIP file attachments containing LNK files disguised as Word documents. However,
Rambleon | 1 | RambleOn is a newer version of the ROKRAT malware, specifically designed for Android devices. ROKRAT, also known as DOGCALL, has been a favored tool of cyber attackers and has evolved over time to be compatible with various platforms including macOS (CloudMensis) and Android (RambleOn). This demonst
Inksquid | 1 | None
Badrat | 1 | None
Redeyes | 1 | RedEyes, also known as APT37, StarCruft, Reaper, or BadRAT, is a threat actor group known for its malicious cyber activities. This group recently deployed a new malware named FadeStealer to extract information from targeted systems. They have also been observed using CloudMensis, a malware that seek
Reaper | 1 | Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious tool that has been used in cyber exploitation since the 1970s. This group is also tied to the NOKKI malware family, which originated from research surroun
ScarCruft | 1 | ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int
Miscellaneous Associations
Other elements of context that could aid in identifying relevance.
Tags: macOS, Malware, Backdoor, Android, Spyware
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Lazarus Group | Unspecified | 1 | The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
APT37 | Unspecified | 1 | APT37, also known as ScarCruft, Reaper, or Group123, is a threat actor suspected to be linked to North Korea. It primarily targets South Korea but has also extended its activities to Japan, Vietnam, and the Middle East, focusing on various industry verticals such as chemicals, electronics, manufactu
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Cloudmensis malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | 3 months ago | DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
Checkpoint | a year ago | Chain Reaction: ROKRAT’s Missing Link - Check Point Research
DARKReading | a year ago | MacStealer Malware Plucks Bushels of Data From Apple Users
CERT-EU | a year ago | macOS Under Attack: Examining the Growing Threat and User Perspectives
CERT-EU | a year ago | North Korea's ScarCruft Deploys RokRAT Malware via LNK File Infection Chains