
Mysterious macOS spyware discovered using public cloud storage as its control server

Researchers have warned that little is known about the 'CloudMensis' malware, including how it is distributed and who is behind it

macOS users have been warned that new spyware has been discovered using a previously undocumented backdoor to steal sensitive data from compromised Macs.

Lifting sensitive data such as keystrokes, screen captures, and email attachments, the spyware uses public cloud storage such as Yandex Disk, pCloud, and Dropbox as its command and control (C2) channel. Although such use of cloud storage has been observed in Windows malware, researchers noted that this is an unusual tactic in the Mac ecosystem.


The malware, coded in Objective-C, was discovered by ESET researchers who named it 'CloudMensis' in a blog post. The method by which the malware first compromises the Macs of its victims is still unknown.

Lack of clarity around this delivery mechanism, as well as the identity and goals of the threat actors, has prompted researchers to warn all macOS users to be cautious and keep their systems up to date. However, because it has so far been seen on only a limited number of systems, CloudMensis has not been labelled high risk.

Once present on a victim’s Mac, the first stage of CloudMensis downloads a second stage from public cloud storage, and both are written to disk. Once installed, CloudMensis receives commands from its operators through this cloud storage, and sends encrypted copies of files through it.

A total of 39 commands can be activated, allowing the malware to, among other things, change its configuration values, run shell commands, and list files on removable storage.

To bypass macOS’ privacy protection system Transparency, Consent and Control (TCC), CloudMensis adds entries to grant itself permissions. If the victim is running a version of macOS predating Catalina 10.15.6, CloudMensis will exploit a known vulnerability (CVE-2020-9943) to load a TCC database that it can write to.
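The two facts in the paragraph above give a defender two concrete things to check on a fleet: whether a Mac still runs a release older than Catalina 10.15.6, and whether the TCC database holds active grants for sensitive services that nobody approved. The following script is an added example written for this article, not code from ESET or from the CloudMensis report. It assumes the TCC service names `kTCCServiceScreenCapture`, `kTCCServiceListenEvent` (Input Monitoring), `kTCCServiceAccessibility` and `kTCCServiceSystemPolicyAllFiles`, and the TCC convention that `client_type` 0 is a bundle identifier and 1 an absolute path; the grant rows and the approved-client list are constructed for illustration. On a real Mac the rows would be exported from the user and system `TCC.db` files, which requires Full Disk Access to read.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# The article states the TCC bug (CVE-2020-9943) is usable on macOS versions
# predating Catalina 10.15.6, so that release is the threshold for this check.
CVE_2020_9943_FIXED_IN = (10, 15, 6)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a macOS version string such as '10.15.5' or '12.4' into a
    comparable tuple, padding missing components with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected macOS version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def predates_tcc_fix(version: str) -> bool:
    """True when the host runs a release older than Catalina 10.15.6."""
    return parse_version(version) < CVE_2020_9943_FIXED_IN


@dataclass(frozen=True)
class TccGrant:
    """One row of interest from the TCC 'access' table.

    service: TCC service name, e.g. kTCCServiceScreenCapture
    client: bundle identifier or absolute path of the requesting program
    client_type: 0 for a bundle identifier, 1 for an absolute path (TCC convention)
    allowed: whether the row currently permits access
    """
    service: str
    client: str
    client_type: int
    allowed: bool


def unexpected_grants(grants: Iterable[TccGrant],
                      approved: dict[str, set[str]]) -> list[TccGrant]:
    """Return the active grants whose client is not on the approved list for
    that service. Denied rows are ignored; a service with no approved clients
    flags every active grant it carries."""
    return [g for g in grants
            if g.allowed and g.client not in approved.get(g.service, set())]


# Constructed sample rows (not taken from any real system). The Input
# Monitoring grant to an unknown path is the kind of entry a keystroke-logging
# implant would need and an administrator would not expect to see.
SAMPLE_GRANTS = [
    TccGrant("kTCCServiceScreenCapture", "com.example.screenshare", 0, True),
    TccGrant("kTCCServiceAccessibility", "com.example.automation", 0, False),
    TccGrant("kTCCServiceListenEvent",
             "/Library/Application Support/Example/windowserver", 1, True),
    TccGrant("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 0, True),
]

# Hypothetical organisational allow-list: which clients are expected to hold
# which sensitive TCC permissions.
APPROVED = {
    "kTCCServiceScreenCapture": {"com.example.screenshare"},
    "kTCCServiceAccessibility": {"com.example.automation"},
    "kTCCServiceSystemPolicyAllFiles": {"com.example.backup"},
}


def audit(version: str, grants: Iterable[TccGrant],
          approved: dict[str, set[str]]) -> dict[str, object]:
    """Combine the version check and the grant review into one report."""
    return {
        "predates_tcc_fix": predates_tcc_fix(version),
        "unexpected_grants": unexpected_grants(grants, approved),
    }


if __name__ == "__main__":
    report = audit("10.15.5", SAMPLE_GRANTS, APPROVED)
    print("Host predates the 10.15.6 TCC fix:", report["predates_tcc_fix"])
    for g in report["unexpected_grants"]:
        print(f"unexpected grant: {g.service} -> {g.client}")
```

Run against the constructed data, the script reports that a 10.15.5 host is still exposed to the database-loading bug and flags the single Input Monitoring grant to a path nobody approved, while leaving the approved screen-capture and backup grants and the denied accessibility row alone. The allow-list is deliberately per service: the same bundle identifier can legitimately hold one permission and be suspicious when it holds another.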

Metadata uncovered by ESET indicated that the threat actors behind the spyware are individually deploying CloudMensis to targets of interest, rather than spreading it as far as they can.

No clues to the intended targets have been found in the metadata, and the use of cloud storage as its C2 makes the threat actors behind it difficult to identify. ESET accessed metadata from the cloud storage services in use that indicates that the unknown threat actors began to send commands on February 4, 2022.

“We still do not know how CloudMensis is initially distributed and who the targets are,” said ESET researcher Marc-Etienne Léveillé, a member of the team that is looking into CloudMensis.

“The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”

No zero-day vulnerabilities have been identified in use by the group, so Macs that are regularly updated are likely at lower risk.

macOS malware is typically rarer than Windows malware, for a multitude of reasons, including the fact that the larger market share of Windows PCs gives cybercriminals a better target.

Apple has acknowledged the threat of spyware such as Pegasus, and is set to introduce a new ‘Lockdown Mode’ on iOS, iPad OS and macOS in the autumn.
