The first-stage component includes an interesting method called removeRegistration that seems to be present to clean up after a successful Safari sandbox escape exploit. CloudMensis downloader installing the second stage Cleaning up after usage of a Safari exploit In the sample we analyzed, pCloud was used to store and deliver the second stage.įigure 4.
It doesn’t use a publicly accessible link it includes an access token to download the MyExecute file from the drive. Interestingly, this first-stage malware retrieves its next stage from a cloud storage provider.
However, we understand that when code execution and administrative privileges are gained, what follows is a two-stage process (see Figure 1), where the first stage downloads and executes the more featureful second stage. We still do not know how victims are initially compromised by this threat. Samples we analyzed are compiled for both Intel and Apple silicon architectures. CloudMensis overviewĬloudMensis is malware for macOS developed in Objective-C. This blogpost describes the different components of CloudMensis and their inner workings. Disabling entry points, at the expense of a less fluid user experience, sounds like a reasonable way to reduce the attack surface. Although not the most advanced malware, CloudMensis may be one of the reasons some users would want to enable this additional defense. Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures.Īpple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS and macOS, which disables features frequently exploited to gain code execution and deploy malware.
Following analysis, we named it CloudMensis. In April 2022, ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators. Previously unknown macOS malware uses cloud storage as its C&C channel and to exfiltrate documents, keystrokes, and screen captures from compromised Macs