CloudMensis, a form of malware specifically designed to exploit macOS systems, was first brought to light by ESET in July 2022. The software infiltrates devices primarily through email attachments and causes significant security breaches once inside. Once installed, CloudMensis checks whether System Integrity Protection (SIP) is disabled, which allows it to load its own malicious database onto the compromised system. This malware is also known by several other names, including InkSquid, RedEyes, BadRAT, Reaper, and ScarCruft.
In a targeted campaign last year, a previously unknown macOS spyware named "CloudMensis" surfaced, exfiltrating vast amounts of data from Apple machines. The extracted information included documents, keystrokes, screen captures, and more, demonstrating the comprehensive threat this malware poses. CloudMensis was identified by APT37, a group notorious for its persistent cyber threats. The malware attempts to dump the access table from the TCC database, further compromising the security of infected systems.
The primary malware used by APT37 is RokRAT, also known as DOGCALL. This backdoor has been adapted to various platforms, including macOS (under the name CloudMensis) and Android (as RambleOn), indicating that it is being actively developed and maintained. The presence of this backdoor on multiple platforms underscores the pervasive threat posed by the malware and the group behind it.
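Both behaviours described above, checking whether SIP is disabled and reading the access table of the TCC database, are things a defender can audit for. The following is an added example, not code from the page or from ESET: it parses constructed `csrutil status` output and runs a grant audit over a constructed in-memory stand-in for TCC.db. The reduced `access` schema, the "allowed" value of 2 and the set of sensitive services are assumptions based on macOS 11+ TCC databases, not taken from the page.

```python
import re
import sqlite3

# TCC services that map to the data the spyware collects (screen captures,
# keystrokes, documents). Real service identifiers; the selection is assumed.
SENSITIVE_SERVICES = {
    "kTCCServiceScreenCapture",
    "kTCCServiceAccessibility",
    "kTCCServiceListenEvent",
    "kTCCServiceSystemPolicyAllFiles",
}
ALLOWED = 2  # auth_value meaning "allowed" in macOS 11+ TCC.db (assumed)


def parse_sip_status(csrutil_output: str) -> bool:
    """Return True if `csrutil status` text reports SIP enabled."""
    m = re.search(r"System Integrity Protection status:\s*(enabled|disabled)",
                  csrutil_output, re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised csrutil output")
    return m.group(1).lower() == "enabled"


def audit_tcc_access(conn, allowlist):
    """Return sorted (service, client) pairs where a sensitive permission is
    granted to a client that is not on the expected allowlist."""
    rows = conn.execute(
        "SELECT service, client FROM access WHERE auth_value = ?", (ALLOWED,))
    return sorted((svc, cli) for svc, cli in rows
                  if svc in SENSITIVE_SERVICES and cli not in allowlist)


def build_sample_db():
    """Constructed in-memory TCC.db stand-in with a reduced access schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "client_type INTEGER, auth_value INTEGER, "
                 "auth_reason INTEGER, last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", [
        ("kTCCServiceScreenCapture", "com.apple.Terminal", 0, 2, 2, 1700000000),
        ("kTCCServiceScreenCapture", "com.example.unknownagent", 0, 2, 2, 1700000001),
        ("kTCCServiceAccessibility", "com.example.unknownagent", 0, 2, 2, 1700000002),
        ("kTCCServiceCamera", "com.example.unknownagent", 0, 0, 2, 1700000003),  # denied
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/helper", 1, 2, 2, 1700000004),
    ])
    return conn


if __name__ == "__main__":
    print("SIP enabled:", parse_sip_status("System Integrity Protection status: enabled."))
    for svc, cli in audit_tcc_access(build_sample_db(), {"com.apple.Terminal"}):
        print("unexpected grant:", svc, cli)
```

On a real host the same audit would read `/Library/Application Support/com.apple.TCC/TCC.db` (which itself requires Full Disk Access) and feed the output of `csrutil status` into the parser.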
Description last updated: 2024-05-04T21:51:01.902Z