Mysterious MacOS Spyware Discovered Using Public Cloud Storage as Control Server

Researchers have warned that little is known about the ‘CloudMensis’ malware, including how it is distributed and who is behind it


Image: Apple

MacOS users have been warned that new spyware has been discovered using a previously undocumented backdoor to steal sensitive data from compromised Macs.

By overriding sensitive data such as keystrokes, screenshots, and email attachments, the spyware uses public cloud storage such as Yandex Disk, pCloud, and Dropbox as its command and control channel (C2). While such use of cloud storage has been observed in Windows malware, researchers noted that this is an unusual tactic in the Mac ecosystem.

The malware, encoded in Objective-C, was discovered by ESET researchers who named it “CloudMensis” in a blog post. The method by which the malware first compromises its victims’ Macs is still unknown.


Lack of clarity about this delivery mechanism, as well as the threat actors’ identities and goals, has prompted researchers to warn all macOS users to exercise caution and keep systems up to date. However, as only a limited number of systems are affected at this time, CloudMensis is not currently classified as high risk.

Once present on a victim’s Mac, the first stage of CloudMensis downloads a second stage of public cloud storage, and both are written to disk. Once installed, CloudMensis receives commands from its operators through this cloud storage and sends encrypted copies of files through it.

A total of 39 commands can be activated, allowing the malware to change configuration values, execute shell commands, and display files from removable storage, among other things.

To bypass macOS’ privacy protection system Transparency, Consent and Control (TCC), CloudMensis adds items to grant itself permissions. If the victim is using a version of macOS older than Catalina 10.15.6, CloudMensis will exploit a known vulnerability (CVE-2020-9943) to load a TCC database that can be written to.

Metadata discovered by ESET indicated that the threat actors behind the spyware are separately deploying CloudMensis for interesting targets, rather than spreading it as widely as possible.

No clues to the intended targets have been found in the metadata, and using cloud storage as its C2 makes the threat actors behind it difficult to identify. ESET has been given access to metadata of the cloud storage services in use, indicating that the unknown threat actors started sending commands on February 4, 2022.

“We still don’t know how CloudMensis is initially distributed and who its targets are,” said ESET researcher Marc-Etienne Léveillé, a member of the CloudMensis team.

“The overall quality of the code and lack of obfuscation show that the authors may not be very familiar with Mac development and not that advanced. Nevertheless, a lot of resources have gone into making CloudMensis a powerful spy tool and a threat to potential targets.” to make.”

Zero-day vulnerabilities used by the group have not been identified, so Macs that are regularly updated may be at lower risk.

MacOS malware tends to be rarer than Windows malware for several reasons, including the fact that Windows PC’s increased market share provides a better target for cybercriminals.

Apple has recognized the threat of spyware like Pegasus and will introduce a new ‘Lockdown Mode’ on iOS, iPad OS and macOS in the fall.

© Dennis Publishing

Read more: macOS malware public cloud security spyware

Get in Touch

Related Articles

Get in Touch


Latest Posts