Researchers Uncover Unusual MacOS Spyware Leveraging Public Cloud Storage for Command and Control Functions
Security experts have issued a warning regarding a newly discovered MacOS spyware that exploits an undisclosed backdoor to steal confidential information from compromised Macs. Termed ‘CloudMensis’ by ESET researchers, this malicious software silently records keystrokes, captures screenshots, and exfiltrates email attachments. Surprisingly, the spyware uses popular public cloud storage platforms such as Yandex Disk, pCloud, and Dropbox as its communication channel, a tactic rarely observed within the Mac ecosystem.
While the infiltration method employed by CloudMensis remains a mystery, researchers advise all MacOS users to exercise caution and regularly update their systems due to the lack of clarity surrounding the malware’s delivery mechanism and the intentions of the threat actors. Nevertheless, as the spyware appears to have affected only a limited number of systems thus far, it has not been classified as a high-risk threat.
Once present on a victim’s Mac, CloudMensis employs a two-stage process, leveraging public cloud storage to download and install additional malicious components. The compromised device then receives commands from the operators through the cloud storage platform and transmits encrypted copies of files. Remarkably, CloudMensis supports 39 different commands, enabling the malware to modify its configuration settings, execute shell commands, and retrieve files from removable storage, among other functions.
To circumvent macOS’ privacy protection system Transparency, Consent, and Control (TCC), CloudMensis adds entries that grant itself permissions. If the victim’s Mac runs an older macOS version prior to Catalina 10.15.6, the spyware exploits a known vulnerability (CVE-2020-9943) to load a TCC database that it can manipulate.
The metadata acquired by ESET reveals that the threat actors behind CloudMensis have selectively targeted specific individuals with the spyware, rather than seeking widespread distribution. Unfortunately, these metadata do not provide any indication of the intended targets, making the identification of the perpetrators challenging. ESET discovered that the unknown threat actors initiated command transmissions on February 4, 2022, using the cloud storage services.
Marc-Etienne Léveillé, a member of the ESET research team investigating CloudMensis, expressed, “We still do not know how CloudMensis is initially distributed and who the targets are. The general quality of the code and lack of obfuscation suggests that the authors may not be well-versed in Mac development and are not particularly advanced. Nevertheless, CloudMensis exhibits extensive capabilities as a powerful espionage tool, posing a threat to potential targets.”
For users who regularly update their Macs, the risk of encountering this malware is potentially lower, as no zero-day vulnerabilities have been identified in the group’s arsenal.
Compared to Windows, MacOS malware is relatively uncommon, primarily due to the smaller market share of Macs, which offers cybercriminals a less lucrative target. However, Apple recognizes the presence of spyware threats like Pegasus and plans to introduce a new security feature called ‘Lockdown Mode’ in the upcoming versions of iOS, iPad OS, and macOS.