Newly Discovered CloudMensis Malware Attacking Compromised Macs


A newly discovered Malware for Macs, known as CloudMensis, is unfortunately making the rounds. Reports today indicate that cybersecurity researchers have discovered a previously unknown macOS backdoor that is capable of spying on users with compromised Macs.

Discovered by the cybersecurity firm ESET, the malware has been named CloudMensis due to the way it utilizes cloud storage services. The company discovered the first Mac was compromised Feb. 4, 2022.

CloudMensis Malware Attacks Macs Through Cloud Storage

CloudMensis uses public cloud storage services to communicate with its operators. Reports from ESET show that the intent of the operators is to gather information from Mac victims via exfiltrating documents and keystrokes, listing email messages and attachments and listing files from removable storage and screen captures.

Marc-Etienne Léveillé, an ESET researcher, believes the operators may not have a firm understanding of Mac development.

In a statement, Léveillé said,

We still do not know how CloudMensis is initially distributed and who the targets are. The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets,

Reports also suggest that this malware is a targeted operation, as CloudMensis seems to have limited distribution so far. According to ESET, operators of this malware family utilize CloudMensis against specific targets that may be of interest to them.

Operators are able to use vulnerabilities within macOS to work around mitigations. However, research also suggests that no zero day vulnerabilities are currently being used by the group. This means that keeping your Mac up-to-date can, at the very least, avoid the mitigation bypass.

How CloudMensis Works

CloudMensis aims to gain control of code execution and administrative privileges. To accomplish this, it runs a first-stage malware that retrieves more features from a second stage in thanks to a cloud storage service.

A diagram outlining how CloudMensis utilizes cloud storage services to execute attacks. (Photo Credit: ESET Research.)

Cloud storage services include pCloud, Yandex Disk and Dropbox. CloudMensis utilizes cloud storage for receiving commands from operators and exfiltrating files.

If the malware is able to reach the second stage, there is much more it is capable of doing. In total, 39 commands await this stage, all with the intent of harvesting as much information as possible from compromised Macs. Research stated that here the attackers are attempting to exfiltrate documents, screenshots, email attachments and other sensitive data.

Apple Enters a Lockdown

This comes at a time when Apple recently introduced Lockdown Mode for iOS 16, iPadOS 16 and macOS Ventura. Lockdown Mode is extreme and optional protection for those that face targeted digital security threats.

Once Lockdown Mode is active, Apple blocks message attachments in Messaging, turns off several features while browsing the web and blocks incoming invitations and service requests. For example, it will block FaceTime calls if the user has not previously sent a call or request to the other user.

Additionally, locking the phone will block wired connections and configuration profiles cannot be installed. The phone is also incapable of enrolling in mobile device management.

Apple stated they will add more features later on. Cupertino is also starting an Apple Security Bounty program to help strengthen security features.

With the recent news of Pegasus attacking several protestors in Thailand, it’s good to see Apple is taking some rather extreme measure to protect users. Concerning CloudMensis, whether or not these are random attacks or specific targets remains to be seen.

As always, make sure that your devices are running the most up-to-date software to best protect your device.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.