Mysterious MacOS spyware discovered using public cloud storage as its control server

MacOS users have been warned that a new spyware has been discovered using a previously undocumented backdoor to steal sensitive data from compromised Macs.

Lifting sensitive data such as keystrokes, screen captures, and email attachments, the spyware uses public cloud storage such as Yandex Disk, pCloud, and Dropbox as its command and control (C2) channel. Although such use of cloud storage has been observed in Windows malware, researchers noted that this is an unusual tactic in the Mac ecosystem.

The malware, coded in Objective-C, was discovered by ESET researchers who named it 'CloudMensis' in a blog post. The method by which the malware first compromises the Macs of its victims is still unknown.

Lack of clarity around this delivery mechanism, as well as the identity and goals of the threat actors, has prompted researchers to warn all MacOS users to be cautious and keep systems up-to-date. However, as it has currently been seen to affect only a limited number of systems, CloudMensis has not currently been labelled high risk.

Once present on a victim’s Mac, the first stage of CloudMensis downloads a second stage from public cloud storage, and both are written to disk. Once installed, CloudMensis receives commands from its operators through this cloud storage, and sends encrypted copies of files through it.

A total of 39 commands can be activated allowing the malware to, among other things, change its configuration values, run shell commands, and list files from removable storage.

To bypass macOS’ privacy protection system Transparency, Consent and Control (TCC), CloudMensis adds entries to grant itself permissions. If the victim is running a version of macOS predating Catalina 10.15.6, CloudMensis will exploit a known vulnerability (CVE-2020-9943) to load a TCC database that it can write to.

Metadata uncovered by ESET indicated that the threat actors behind the spyware are individually deploying CloudMensis to targets of interest, rather than spreading it as far as they can.

No clues to the intended targets have been found in the metadata, and the use of cloud storage as its C2 makes the threat actors behind it difficult to identify. ESET accessed metadata from the cloud storage services in use that indicates that the unknown threat actors began to send commands on February 4, 2022.

“We still do not know how CloudMensis is initially distributed and who the targets are,” said ESET researcher Marc-Etienne Léveillé, a member of the team that is looking into CloudMensis.

“The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”

No zero-day vulnerabilities have been identified as in use by the group, so Macs that are regularly updated are potentially at lower risk.

MacOS malware is typically rarer than Windows malware, for a multitude of reasons including the fact that the larger market share of Windows PCs gives cybercriminals a better target.

Apple has acknowledged the threat of spyware such as Pegasus, and is set to introduce a new ‘Lockdown Mode’ on iOS, iPad OS and macOS in the autumn.