Mail server

Mysterious MacOS spyware found using public cloud storage as control server

MacOS users have been warned that new spyware has been discovered using a previously undocumented backdoor to steal sensitive data from compromised Macs.

Collecting sensitive data such as keystrokes, screenshots and email attachments, the spyware uses public cloud storage such as Yandex Disk, pCloud and Dropbox as a command and control channel (C2). Although such use of cloud storage has been observed in Windows malware, researchers noted that this is an unusual tactic in the Mac ecosystem.

The malware, coded in Objective-C, was discovered by ESET researchers who named it “CloudMensis” in a blog post. The method by which the malware first compromises its victims’ Macs is still unknown.

The lack of clarity around this delivery mechanism, as well as the identity and goals of the threat actors, has prompted researchers to warn all macOS users to be cautious and keep systems up to date. However, as it has been found to only affect a limited number of systems, CloudMensis has not currently been labeled as high risk.

Once present on the victim’s Mac, the first stage of CloudMensis downloads a second stage from public cloud storage, and both are written to disk. Once installed, CloudMensis receives commands from its operators through this cloud storage and sends encrypted copies of files through it.

A total of 39 commands can be activated allowing the malware to, among other things, change its configuration values, execute shell commands and list files from removable storage.

To bypass the macOS Transparency, Consent and Control (TCC) privacy protection system, CloudMensis adds entries to grant itself permissions. If the victim is running a version of macOS earlier than Catalina 10.15.6, CloudMensis will exploit a known vulnerability (CVE-2020-9943) to load a TCC database it can write to.

Metadata discovered by ESET indicated that the threat actors behind the spyware are individually deploying CloudMensis to targets of interest, rather than spreading it as far as they can.

No clues to intended targets were found in the metadata, and the use of cloud storage as its C2 makes threat actors difficult to identify. ESET has accessed metadata from the cloud storage services used which indicates that the unknown threat actors started sending commands on February 4, 2022.

“We still don’t know how CloudMensis is initially distributed and who the targets are,” said ESET researcher Marc-Etienne Léveillé, a member of the team studying CloudMensis.

“The general quality of the code and the lack of obfuscation shows that the authors may not be very familiar with Mac development and are not that advanced. Nevertheless, a lot of resources have been invested in making CloudMensis a powerful tool espionage and a threat to potential targets.

No zero-day vulnerabilities have been identified as being used by the group, so regularly updated Macs potentially pose less risk.

MacOS malware is generally rarer than Windows malware, for a multitude of reasons, including the fact that the larger market share of Windows PCs gives cybercriminals a better target.

Apple has recognized the threat of spyware such as Pegasus and is set to introduce a new “lockdown mode” on iOS, iPad OS and macOS in the fall.

Featured Resources

Your key to digital differentiation and competence

DBaaS transformation: database services suitable for application modernization, cloud-native innovation and data-driven strategies

Free download

An analysis of the European cyber threat landscape

2022 human risk assessment

Free download

CIAM Buyer’s Guide

Finding the right CIAM solution to capture and retain customers, fuel business growth, and keep customers safe

Free download

The CIO Imperative: Leading the Digital Future

Reinvent how you differentiate yourself through technology

Free download