- CloudMensis spies on users of the compromised Mac.
- It uses cloud storage as its C&C channel and to exfiltrate documents, keystrokes, and screen captures.
- It is developed in Objective-C and compiled for both Intel and Apple silicon architectures.
ESET has identified a new macOS spyware, CloudMensis. Apple has also recently acknowledged that spyware is targeting its products and has previewed Lockdown Mode on iOS, iPadOS, and macOS, which disables features frequently exploited to gain code execution and deploy malware. ESET states that the backdoor spies on the compromised Mac and communicates with its operators through public cloud storage services.
Uses cloud storage to communicate
CloudMensis is written in Objective-C and compiled for both Intel and Apple silicon. In its blog post on the malware, ESET states that it is still unclear how victims are initially compromised, but that once the attackers have gained code execution and administrative privileges, infection proceeds in two stages: the first stage downloads and executes a more fully featured second stage, which it retrieves from a cloud storage provider.
The download link is not publicly accessible; it embeds an access token used to fetch a file named MyExecute from the drive. The first stage then installs the second-stage malware as a system-wide daemon, writing two files to disk:
- /Library/WebServer/share/httpd/manual/WindowServer: the second-stage Mach-O executable, obtained from the pCloud drive
- /Library/LaunchDaemons/.com.apple.WindowServer.plist: a property list file to make the malware persist as a system-wide daemon
Modifying either directory requires root privileges, so by this point the attackers already hold administrative access. ESET's researchers said,
« CloudMensis is a threat to Mac users, but its very limited distribution suggests that it is used as part of a targeted operation. From what we have seen, operators of this malware family deploy CloudMensis to specific targets that are of interest to them. Usage of vulnerabilities to work around macOS mitigations shows that the malware operators are actively trying to maximize the success of their spying operations. At the same time, no undisclosed vulnerabilities (zero-days) were found to be used by this group during our research. Thus, running an up-to-date Mac is recommended to avoid, at least, the mitigation bypasses.
We still do not know how CloudMensis is initially distributed and who the targets are. The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets. »
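The two persistence artifacts listed above (a dot-prefixed plist in /Library/LaunchDaemons whose label mimics an Apple component, and a binary parked under /Library/WebServer) translate directly into a hunting check. The following Python script is an added example, not code from ESET or from the article: it parses every plist in a LaunchDaemons directory with the standard-library plistlib module and flags those traits. The sample plists it writes are constructed for the demo (the actual contents of the CloudMensis plist are not given on this page, only its path), and the list of directories treated as legitimate homes for com.apple.* daemons is a heuristic assumption rather than an Apple-published list.

```python
"""Hunt for LaunchDaemon persistence matching the CloudMensis pattern.

Added example, not ESET's code: it parses every plist in a LaunchDaemons
directory and flags the traits the two indicators above exhibit: a
dot-prefixed (hidden) plist name, a com.apple.* label whose binary does not
live where Apple's own daemons do, and a binary parked under /Library/WebServer.
"""
import os
import plistlib
import tempfile

# Heuristic (assumption, not an Apple-published list): directories from which
# genuine com.apple.* daemons are executed.
APPLE_BINARY_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def program_path(plist):
    """Return the executable a launchd job runs, or None if it declares none."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def audit_plist(filename, plist):
    """Return a list of findings for one parsed LaunchDaemon plist."""
    findings = []
    if filename.startswith("."):
        findings.append("hidden plist filename")
    prog = program_path(plist)
    if prog is None:
        findings.append("no Program/ProgramArguments")
        return findings
    label = plist.get("Label", "")
    if label.startswith("com.apple.") and not prog.startswith(APPLE_BINARY_PREFIXES):
        findings.append("com.apple label but binary outside Apple paths: " + prog)
    if prog.startswith("/Library/WebServer/"):
        findings.append("binary under /Library/WebServer")
    return findings


def scan_launchdaemons(directory):
    """Map plist filename -> findings for every suspicious plist in directory."""
    results = {}
    for name in sorted(os.listdir(directory)):  # listdir includes dotfiles
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)  # handles both XML and binary plists
        except Exception as exc:
            results[name] = ["unparseable plist: %s" % exc]
            continue
        findings = audit_plist(name, plist)
        if findings:
            results[name] = findings
    return results


def build_sample_launchdaemons(directory):
    """Write constructed sample plists (not captured CloudMensis artifacts)."""
    samples = {
        # Modelled on the two CloudMensis paths above; keys and values are assumed.
        ".com.apple.WindowServer.plist": {
            "Label": "com.apple.WindowServer",
            "ProgramArguments": ["/Library/WebServer/share/httpd/manual/WindowServer"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
        # Benign third-party daemon: non-Apple label, conventional location.
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "Program": "/usr/local/bin/backup-agent",
            "RunAtLoad": True,
        },
        # Benign Apple-style daemon executing from a system path.
        "com.apple.sample.plist": {
            "Label": "com.apple.sample",
            "ProgramArguments": ["/usr/libexec/sample-daemon", "--daemon"],
        },
    }
    for name, content in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(content, fh)


def run_demo():
    """Scan a temp directory of constructed samples. On a real Mac, point
    scan_launchdaemons() at /Library/LaunchDaemons (readable without root)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_launchdaemons(tmp)
        return scan_launchdaemons(tmp)


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Only the constructed CloudMensis-style plist is reported, with all three findings; the two benign samples pass. Because an attacker who can write to /Library/LaunchDaemons already has root, a check like this is a detection aid for responders, not a preventive control, and it should be paired with the up-to-date-macOS advice ESET gives above.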