In April 2022, ESET researchers spotted a previously unknown macOS backdoor that spies on users of compromised Macs and exfiltrates their data. The malware was named CloudMensis because it uses the pCloud, Yandex Disk, and Dropbox public cloud storage services for command-and-control (C2) communication: commands are fetched from, and results uploaded to, ordinary cloud storage accounts rather than a dedicated C2 server. Based on how the malware operates, the unknown threat actor's main objective is clearly to collect sensitive information from infected victims. The malware supports dozens of commands, allowing its operators to perform a long list of actions on infected Macs, including:
- Change values in the CloudMensis configuration: cloud storage providers and authentication tokens, file extensions deemed interesting, polling frequency of cloud storage, etc.
- List running processes
- Start a screen capture
- List email messages and attachments
- List files from removable storage
- Run shell commands and upload the output to cloud storage
- Download and execute arbitrary files
The initial distribution method of CloudMensis is unknown. Based on the general quality of its Objective-C code, ESET assesses that the threat actor is probably not very familiar with macOS development.
CloudMensis can also work around Transparency, Consent, and Control (TCC), the macOS mechanism that asks the user before an app is allowed to access sensitive resources such as the screen, the microphone, Documents, or removable volumes, which is exactly what the screen-capture and removable-storage commands above need. The grants users make are saved in a TCC database that System Integrity Protection (SIP) protects from modification. If SIP is disabled, CloudMensis simply writes entries for itself into that database, granting itself the permissions it needs. If SIP is enabled but the Mac is running a macOS version older than Catalina 10.15.6, CloudMensis exploits CVE-2020-9934, a flaw that let a process point the TCC daemon at an attacker-controlled copy of the database; Apple patched it in 10.15.6 in July 2020, about two years before this malware was found. Neither trick works on an up-to-date Mac with SIP enabled, so keeping both in place remains the practical defence.
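The following audit script is an added example for this article, not ESET's code and not code from CloudMensis. It checks the two conditions the report names (SIP disabled; macOS older than Catalina 10.15.6, i.e. CVE-2020-9934 unpatched) and lists which clients currently hold TCC grants for the resources the malware's screen-capture and removable-storage commands depend on. The function names, the `WATCHED_SERVICES` selection and the expected-client baseline are the example's own choices; the in-memory database is a constructed stand-in for `/Library/Application Support/com.apple.TCC/TCC.db` that uses only a subset of the real `access` table columns, and its rows are constructed as well.

```python
"""Audit the TCC weaknesses CloudMensis relies on (added example, not ESET's code)."""
import platform
import sqlite3
import subprocess
from typing import Optional

TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
CVE_2020_9934_FIXED = (10, 15, 6)   # Catalina 10.15.6, July 2020

# TCC service names gating the capabilities listed in the report (example's own selection).
WATCHED_SERVICES = {
    "kTCCServiceScreenCapture": "screen capture",
    "kTCCServiceSystemPolicyRemovableVolumes": "list files on removable storage",
    "kTCCServiceSystemPolicyAllFiles": "full disk access (mail data, documents)",
}


def parse_version(version: str) -> tuple:
    """'10.15.5' -> (10, 15, 5); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in version.split("."))


def vulnerable_to_cve_2020_9934(version: str) -> bool:
    """True when the macOS version predates the 10.15.6 fix."""
    return parse_version(version) < CVE_2020_9934_FIXED


def sip_enabled() -> Optional[bool]:
    """Ask csrutil whether SIP is on; None when not running on macOS."""
    if platform.system() != "Darwin":
        return None
    out = subprocess.run(["csrutil", "status"], capture_output=True, text=True).stdout
    # csrutil prints "System Integrity Protection status: enabled." or "... disabled."
    return "status: enabled" in out.lower()


def tcc_exposure(sip_on: bool, version: str) -> str:
    """Which of the two CloudMensis TCC tricks would work on this Mac."""
    if not sip_on:
        return "direct-edit"          # malware writes its own rows into TCC.db
    if vulnerable_to_cve_2020_9934(version):
        return "cve-2020-9934"        # tccd can be pointed at a writable TCC.db
    return "protected"


def audit_tcc_grants(conn: sqlite3.Connection, baseline: set) -> list:
    """Grants to watched services held by clients outside the expected baseline."""
    # auth_value 2 = allowed, 3 = limited (Big Sur and later). Catalina's older
    # schema uses an 'allowed' column instead, so adapt the query there.
    rows = conn.execute(
        "SELECT service, client, auth_value FROM access WHERE auth_value >= 2"
    )
    return [
        {"service": service, "client": client, "capability": WATCHED_SERVICES[service]}
        for service, client, _ in rows
        if service in WATCHED_SERVICES and client not in baseline
    ]


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for TCC.db: a subset of the real 'access' columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,"
        " auth_value INTEGER, auth_reason INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        ("kTCCServiceScreenCapture", "com.example.meetings", 0, 2, 2),       # expected client
        ("kTCCServiceScreenCapture", "com.example.unknownagent", 0, 2, 2),   # suspicious
        ("kTCCServiceSystemPolicyRemovableVolumes", "com.example.unknownagent", 0, 2, 2),
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 0, 0, 2),  # denied, ignored
        ("kTCCServiceMicrophone", "com.example.unknownagent", 0, 2, 2),      # not watched
    ])
    conn.commit()
    return conn


def open_tcc_db(path: str = TCC_DB) -> sqlite3.Connection:
    """Open the live database read-only (the terminal itself needs Full Disk Access)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    sip = sip_enabled()
    version = platform.mac_ver()[0] or "10.15.5"   # constructed fallback when not on macOS
    print("exposure:", tcc_exposure(sip if sip is not None else True, version))
    conn = build_sample_db() if sip is None else open_tcc_db()
    for finding in audit_tcc_grants(conn, baseline={"com.example.meetings"}):
        print(f"unexpected grant: {finding['client']} -> {finding['capability']}")
```

On a real Mac, run it from a terminal that has been granted Full Disk Access, because SIP and TCC together block reading `TCC.db` otherwise, even as root; anything in the findings list that you did not knowingly approve deserves a look, since a grant to a client you do not recognise is the end state both CloudMensis tricks aim for.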