Novel CloudMensis spyware targets Apple macOS users


Malware that researchers have dubbed CloudMensis uses public cloud storage to exfiltrate documents, keystrokes, and screen captures from compromised Macs.

The previously unknown strain of malware backdoors Mac devices and relies exclusively on public cloud storage services to communicate with its operators, according to researchers at cybersecurity firm ESET.

“Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures,” reads the recently published report.


Researchers suggest that malware strains like CloudMensis are one reason Apple users who may be targeted would want to enable the recently introduced ‘Lockdown Mode’, which is meant to help high-value targets protect themselves from this kind of unwanted attention.

ESET first discovered the malware in April 2022. Dubbed CloudMensis, the spyware uses the pCloud, Yandex Disk, and Dropbox services for command-and-control (C2) communication.

As of now, the researchers have not determined how the infected computers were initially compromised. However, the team at ESET did establish that the attack is carried out in two stages: once the first-stage malware is deployed and executed, it retrieves the second stage from a cloud storage provider.

“The second stage of CloudMensis is a much larger component, packed with a number of features to collect information from the compromised Mac. The intention of the attackers here is clearly to exfiltrate documents, screenshots, email attachments, and other sensitive data,” researchers claim.

The commands the malware makes available to its operators point to a data-gathering operation. Threat actors can make infected devices list running processes, start a screen capture, list email messages and attachments, list files from removable storage, run shell commands and upload the output to cloud storage, as well as download and execute arbitrary files.
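Because every stage of CloudMensis described above (fetching the second stage, receiving commands, uploading command output and captured data) goes through pCloud, Yandex Disk, or Dropbox rather than attacker-owned infrastructure, the practical hunting signal is a process that has no business talking to those providers doing so. The script below is an added example written for this article, not ESET's tooling or anything recovered from the malware. It assumes a JSON-lines process/network telemetry feed with hypothetical fields (`process`, `signer`, `dst_host`), an assumed allowlist of legitimate client and browser process names, and the providers' ordinary API hostnames, which are stated here as assumptions for the illustration rather than indicators taken from the report. The log lines are constructed.

```python
"""Hunt for cloud-storage-as-C2 behaviour in macOS process/network telemetry.

Added example (not from the ESET report or the malware). Assumptions:
- telemetry is JSON lines with 'process', 'signer' (None for unsigned) and
  'dst_host' fields (hypothetical schema);
- the provider hostnames and the allowlisted client/browser names below are
  assumptions for this illustration, not indicators from the report.
"""
import json

# Assumed API hostnames of the three providers named in the article.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "api.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
}

# Processes expected to contact each provider (assumed allowlist).
EXPECTED_CLIENTS = {
    "Dropbox": {"Dropbox"},
    "pCloud": {"pCloud Drive"},
    "Yandex Disk": {"Yandex.Disk"},
}
BROWSERS = {"Safari", "Google Chrome", "firefox"}

# Constructed sample telemetry: one unsigned process ("updatehelper", a
# made-up name) beacons to two providers, curl touches Dropbox once, and the
# rest is benign traffic from legitimate clients.
SAMPLE_LOG = """
{"ts": "2022-04-05T10:00:01Z", "process": "Dropbox", "signer": "Dropbox, Inc.", "dst_host": "api.dropboxapi.com"}
{"ts": "2022-04-05T10:00:07Z", "process": "Safari", "signer": "Apple", "dst_host": "content.dropboxapi.com"}
{"ts": "2022-04-05T10:01:00Z", "process": "updatehelper", "signer": null, "dst_host": "api.pcloud.com"}
{"ts": "2022-04-05T10:02:00Z", "process": "updatehelper", "signer": null, "dst_host": "api.pcloud.com"}
{"ts": "2022-04-05T10:03:00Z", "process": "updatehelper", "signer": null, "dst_host": "cloud-api.yandex.net"}
{"ts": "2022-04-05T10:04:00Z", "process": "updatehelper", "signer": null, "dst_host": "api.pcloud.com"}
{"ts": "2022-04-05T10:05:00Z", "process": "curl", "signer": "Apple", "dst_host": "api.dropboxapi.com"}
{"ts": "2022-04-05T10:06:00Z", "process": "Mail", "signer": "Apple", "dst_host": "imap.example.com"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return the provider name if this connection is unexpected, else None."""
    provider = CLOUD_STORAGE_HOSTS.get(event["dst_host"].lower())
    if provider is None:
        return None  # not a cloud storage API host
    proc = event["process"]
    if proc in EXPECTED_CLIENTS[provider] or proc in BROWSERS:
        return None  # legitimate client or browser traffic
    return provider


def find_c2_candidates(log_text):
    """Aggregate unexpected cloud-storage connections per process.

    Severity is 'high' when the process is unsigned or uses more than one
    provider (both unusual for legitimate software), otherwise 'medium'.
    Results are sorted high-severity first, then by connection count.
    """
    per_proc = {}
    for ev in parse_events(log_text):
        provider = classify(ev)
        if provider is None:
            continue
        entry = per_proc.setdefault(
            ev["process"],
            {"providers": set(), "connections": 0, "signer": ev.get("signer")},
        )
        entry["providers"].add(provider)
        entry["connections"] += 1

    findings = []
    for proc, e in per_proc.items():
        reasons = ["non-allowlisted process contacting cloud storage API"]
        if not e["signer"]:
            reasons.append("binary is unsigned")
        if len(e["providers"]) > 1:
            reasons.append("uses %d providers" % len(e["providers"]))
        findings.append({
            "process": proc,
            "providers": sorted(e["providers"]),
            "connections": e["connections"],
            "signer": e["signer"],
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    findings.sort(key=lambda f: (f["severity"] != "high", -f["connections"], f["process"]))
    return findings


if __name__ == "__main__":
    for f in find_c2_candidates(SAMPLE_LOG):
        print("[%s] %s -> %s (%d connections): %s"
              % (f["severity"], f["process"], ", ".join(f["providers"]),
                 f["connections"], "; ".join(f["reasons"])))
```

The allowlist is the weak point of this heuristic: an attacker who names a binary after a legitimate client, or injects into one, slips past it, so in practice the signer check should compare the code-signing identity rather than the process name, and the provider hostnames should be maintained from the providers' published endpoints rather than hard-coded.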

Researchers say their investigation points to the first use of CloudMensis on 4 February. The malware was used relatively sparingly, hinting at narrowly targeted attacks by its operators.

Known macOS vulnerabilities were exploited to bypass macOS mitigations, but no zero-day vulnerabilities were used to run the malware. Users are therefore advised to run the latest macOS version, in which those known flaws are already patched.
