In April 2022, ESET researchers spotted new malware that can backdoor macOS and exfiltrate information. The malware was named CloudMensis because it uses the pCloud, Yandex Disk, and Dropbox public cloud storage services for command-and-control (C2) communication. Based on how the malware operates, it is clear that the unknown threat actor's main objective is to collect sensitive information from infected victims. The malware supports dozens of commands, allowing its operators to perform a long list of actions on infected Macs, including:
- Change values in the CloudMensis configuration: cloud storage providers and authentication tokens, file extensions deemed interesting, polling frequency of cloud storage, etc.
- List running processes
- Start a screen capture
- List email messages and attachments
- List files from removable storage
- Run shell commands and upload the output to cloud storage
- Download and execute arbitrary files
The initial distribution method of CloudMensis is unknown, but based on the general quality of the code and the use of C programming, it is likely that the threat actor is not familiar with the macOS platform.
CloudMensis can also bypass macOS security features such as Transparency, Consent, and Control (TCC), which lets macOS users grant permissions to apps downloaded on a Mac. The TCC rules created by users are saved in a database protected by System Integrity Protection (SIP). If SIP is disabled, CloudMensis will grant itself permissions. If SIP is enabled, but users are running a macOS version before Catalina 10.15.6, CloudMensis exploits CVE-2020-9943, which was patched by Apple two years ago.
The malware is distributed sporadically, and the infection vector is unknown. No undisclosed vulnerabilities were found to be used by the malware, so anyone using an up-to-date version of macOS should be protected. macOS users should also ensure they do not have SIP disabled, as SIP ensures that any TCC rules that are used to grant permissions to any downloaded app are followed – this helps to ensure that no app can be downloaded and run without the consent of the macOS user.
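The two conditions described above (SIP disabled, or SIP enabled on a macOS version before 10.15.6) can be checked from a terminal. The script below is an added example, not taken from ESET's report; the function names and result labels are hypothetical, and it relies on the standard `csrutil status` and `sw_vers -productVersion` commands.

```shell
#!/bin/sh
# Added example (not from ESET's report). Function names and result labels are
# hypothetical; the 10.15.6 threshold is the one stated in the article.

# version_lt A B: succeed if dotted numeric version A is lower than B.
version_lt() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*}; fb=${vb%%.*}              # leading field of each side
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        fa=${fa:-0}; fb=${fb:-0}                # missing field counts as 0
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
    done
    return 1                                    # versions are equal
}

# tcc_exposure "<csrutil status output>" "<macOS version>"
# Prints: sip-disabled | cve-2020-9943 | not-exposed | unknown
tcc_exposure() {
    sip_out=$1; os_ver=$2
    case $os_ver in
        ''|*[!0-9.]*) echo unknown; return 0 ;; # refuse unparsable versions
    esac
    case $sip_out in
        *"Custom Configuration"*) echo unknown ;;   # partial SIP: review by hand
        *"status: disabled"*)     echo sip-disabled ;;
        *"status: enabled"*)
            if version_lt "$os_ver" 10.15.6; then
                echo cve-2020-9943              # SIP on, but OS predates the fix
            else
                echo not-exposed
            fi ;;
        *) echo unknown ;;
    esac
}

# On a Mac, classify the local machine; elsewhere this block is skipped.
if command -v csrutil >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    tcc_exposure "$(csrutil status 2>/dev/null)" "$(sw_vers -productVersion)"
fi
```

A result of `not-exposed` covers only the two TCC bypass paths the article describes; it says nothing about whether the machine is already infected.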