New ‘CloudMensis’ malware uses cloud storage to spy on Mac users



Researchers from cybersecurity firm ESET have discovered previously unknown macOS malware that leverages cloud storage to spy on compromised devices.

The malware, which the team has nicknamed CloudMensis, is a macOS backdoor that can exfiltrate keystrokes, documents, screenshots, and other data from an affected Mac. It can also list emails, attachments, and files from removable storage.

CloudMensis uses publicly available cloud storage systems, such as pCloud, Yandex Disk, and Dropbox, to communicate with its operators. It uses month names as directory names.

According to security researchers, the very first Mac compromised by CloudMensis was attacked on February 4, 2022. This suggests that the malware is a recent entry into the broader Mac ecosystem.

The malware, however, has very limited distribution. This hints at a much more targeted operation, with researchers claiming that the malware operators choose specific targets that interest them.

At this point, it does not appear that the malware uses any zero-day vulnerabilities. Instead, it uses previously known flaws to circumvent macOS mitigations. For this reason, a properly updated Mac should be relatively safe from the malware.

Once CloudMensis obtains code execution and administrative privileges, it executes another malware that fetches a feature-rich second stage. This second step has around 39 monitoring commands designed to collect information from compromised Macs.

“We still don’t know how CloudMensis is initially distributed and who the targets are,” said researcher Marc-Etienne Leveille. “The general quality of the code and the lack of obfuscation shows that the authors may not be very familiar with Mac development and are not that advanced. Nevertheless, a lot of resources have been invested in making CloudMensis a useful development tool. ‘powerful espionage and a threat to potential targets.’”

Who is at risk and how to protect yourself

Since the malware appears to be a targeted campaign, most Mac users are safe from CloudMensis. As noted by ESET security researchers, keeping a Mac up to date is also an effective mitigation against the attack.

It’s also a good idea to only download apps from sources you explicitly trust, such as the Mac App Store.

