Security researchers have found new malware, dubbed CloudMensis, that targets macOS to steal sensitive information from victims.
Threat actors use previously undetected malware to backdoor macOS devices and exfiltrate information in a highly targeted series of attacks.
ESET security researchers named the malware “CloudMensis” because it exclusively uses public cloud storage services to communicate with its operators. Specifically, it leverages pCloud, Yandex Disk, and Dropbox to receive commands and exfiltrate files.
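Because the backdoor's command channel is ordinary HTTPS to legitimate storage providers, the defender's signal is not the destination itself but which process is talking to it. The following added example (my code, not ESET's or anything from the CloudMensis report) runs that check over a constructed set of per-process network log lines: it flags any process outside an allowlist that contacts the API hosts of the three providers named above, then groups the hits so a single unknown binary reaching several providers stands out. The log format, the allowlisted client paths, and the suspicious process path are all constructed for illustration; the provider API hostnames are the public ones as I know them and should be adjusted to what your environment actually observes.

```python
import re

# Public API hosts of the three storage providers named in the article.
# Assumption: these are the hostnames a client library would contact; verify against your own traffic.
CLOUD_STORAGE_HOSTS = {
    "pcloud": ("api.pcloud.com", "eapi.pcloud.com"),
    "yandex_disk": ("cloud-api.yandex.net",),
    "dropbox": ("api.dropboxapi.com", "content.dropboxapi.com"),
}

# Hypothetical allowlist: processes legitimately expected to reach those providers on managed Macs.
EXPECTED_CLIENTS = {
    "/Applications/Dropbox.app/Contents/MacOS/Dropbox",
    "/Applications/Safari.app/Contents/MacOS/Safari",
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
}

# Constructed log format (not any vendor's real schema):
#   <iso timestamp> pid=<n> proc="<executable path>" dst=<host>:<port>
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) proc="(?P<proc>[^"]+)" dst=(?P<host>[^:\s]+):(?P<port>\d+)$'
)

# Constructed sample: two expected clients, one unknown hidden binary, one unrelated Apple daemon.
SAMPLE_LOG = """\
2022-02-04T09:12:01Z pid=412 proc="/Applications/Dropbox.app/Contents/MacOS/Dropbox" dst=api.dropboxapi.com:443
2022-02-04T09:12:07Z pid=733 proc="/Applications/Safari.app/Contents/MacOS/Safari" dst=cloud-api.yandex.net:443
2022-02-04T09:13:40Z pid=981 proc="/Users/Shared/.cache/helper" dst=api.pcloud.com:443
2022-02-04T09:13:41Z pid=981 proc="/Users/Shared/.cache/helper" dst=content.dropboxapi.com:443
2022-02-04T09:14:02Z pid=120 proc="/usr/libexec/trustd" dst=ocsp.apple.com:443
"""


def provider_for(host):
    """Return the provider name for a known storage API host, or None."""
    for provider, hosts in CLOUD_STORAGE_HOSTS.items():
        if host in hosts:
            return provider
    return None


def detect_unexpected_cloud_clients(log_text):
    """Return one alert dict per log line where a non-allowlisted process contacts a storage provider."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        provider = provider_for(m["host"])
        if provider is None or m["proc"] in EXPECTED_CLIENTS:
            continue
        alerts.append({
            "ts": m["ts"],
            "pid": int(m["pid"]),
            "proc": m["proc"],
            "provider": provider,
            "host": m["host"],
        })
    return alerts


def summarize_by_process(alerts):
    """Group alerts by executable path -> sorted list of providers contacted.

    One unknown binary reaching several storage providers is a stronger signal
    than any single connection, since that is exactly the behaviour described
    for CloudMensis."""
    by_proc = {}
    for a in alerts:
        by_proc.setdefault(a["proc"], set()).add(a["provider"])
    return {proc: sorted(providers) for proc, providers in by_proc.items()}


if __name__ == "__main__":
    found = detect_unexpected_cloud_clients(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} pid={a["pid"]} {a["proc"]} -> {a["provider"]} ({a["host"]})')
    for proc, providers in summarize_by_process(found).items():
        print(f"{proc}: contacts {', '.join(providers)}")
```

The allowlist is the part that needs local tuning: on a fleet where nobody uses pCloud or Yandex Disk, any connection to those hosts is worth a look, whereas Dropbox traffic usually has to be judged by process identity and code-signing status rather than by destination alone.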
Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS, and macOS, which disables features frequently exploited to gain code execution and deploy malware.
CloudMensis's capabilities clearly show that its main objective is to collect sensitive information from victim Macs through various means.
“We still do not know how CloudMensis is initially distributed and who the targets are,” explained ESET researcher Marc-Etienne Léveillé.
The malware comes with support for dozens of commands, allowing its operators to perform a long list of actions on infected Macs, including:
- Change values in the CloudMensis configuration: cloud storage providers and authentication tokens, file extensions deemed interesting, polling frequency of cloud storage, etc.
- List running processes
- Start a screen capture
- List email messages and attachments
- List files from removable storage
- Run shell commands and upload the output to cloud storage
- Download and execute arbitrary files
Analysis of the CloudMensis code, and its lack of obfuscation, suggests that the threat actors may not be very familiar with Mac development and are not especially advanced.
Threat actors infected the first Mac with CloudMensis on February 4, 2022. Since then, they’ve only sporadically used the backdoor to target and compromise other Macs, hinting at the campaign’s highly targeted nature.
Although the threat actors behind this campaign are exploiting vulnerabilities to circumvent macOS mitigations, ESET didn’t find any zero-days during its research. System administrators were therefore urged to ensure any corporate Macs are running an up-to-date OS to help mitigate the threat.
CloudMensis is a threat to Mac users, but its very limited distribution suggests that it is used as part of a targeted operation. From what we have seen, operators of this malware family deploy CloudMensis to specific targets that are of interest to them. But the malware operators are actively trying to maximize the success of their spying operations.