A previously unknown piece of macOS spyware has surfaced in a highly targeted campaign. It exfiltrates documents, keystrokes, screen captures, and more from Apple machines and, interestingly, relies exclusively on public cloud-storage services, both to house its payloads and for command-and-control (C2) communications, an unusual design choice that makes the threat difficult to trace and analyze.
Dubbed CloudMensis by the researchers at ESET who discovered it, the backdoor was developed in Objective-C. ESET's analysis, released this week, shows that after initial compromise, the cyberattackers behind the campaign gain code execution and escalate privileges using known vulnerabilities. They then install a first-stage loader component that retrieves the actual spyware payload from a cloud storage provider. In the sample the firm analyzed, pCloud was used to store and deliver the second stage, but the malware also supports Dropbox and Yandex as cloud repositories.
The spy component then sets about harvesting a bevy of sensitive data from the compromised Mac, including files, email attachments, messages, audio recordings, and keystrokes. In all, researchers said it supports 39 different commands, including a directive to download additional malware.
All of the ill-gotten data is encrypted using a public key embedded in the spy agent; decrypting it requires the matching private key, which only the CloudMensis operators hold, according to ESET.
Spyware in the Cloud
The most notable aspect of the campaign, other than the fact that Mac spyware is a rare find, is its exclusive use of cloud storage, according to the analysis.
"CloudMensis perpetrators create accounts on cloud-storage providers such as Dropbox or pCloud," Marc-Etienne M.Léveillé, senior malware researcher at ESET, explains to Dark Reading. "The CloudMensis spyware contains authentication tokens that allow them to upload and download files from these accounts. When the operators want to send a command to one of their bots, they upload a file to the cloud storage. The CloudMensis spy agent will fetch that file, decrypt it, and run the command. The result of the command is encrypted and uploaded to the cloud storage for the operators to download and decrypt."
This technique means that there are no attacker-controlled domain names or IP addresses in the malware samples, he adds: "The absence of such indicators makes it difficult to track infrastructure and block CloudMensis at the network level."
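The dead-drop loop described above, as an added example that is not code from the original article, from ESET, or from the malware itself: a Go simulation of the cloud-storage C2 exchange with both sides' messages. The cloud account is modeled as an in-memory path-to-blob map (the real agent would call the provider's HTTP API with its embedded token); the symmetric command-file key, the result envelope format (an RSA-OAEP-wrapped session key followed by an AES-GCM body), the `cmd/` and `result/` path convention, the function names and the bot identifier `bot01` are all assumptions made here, since the article says only that the agent decrypts command files and that results are encrypted under a public key carried in the agent. The operator uploads a command file; the agent fetches, decrypts and "runs" it (a stand-in string here), then encrypts the result so that only the private-key holder can read it; the operator downloads and decrypts it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeadDrop stands in for the operators' cloud-storage account as a path->blob map.
// Assumption for this example; the real agent calls the provider's HTTP API with an embedded token.
type DeadDrop map[string][]byte

// cmdKey is assumed: a symmetric key embedded in the agent for decrypting command files.
var cmdKey = sha256.Sum256([]byte("constructed-example-command-key"))

// mustGCM builds an AES-256-GCM AEAD. Every key in this example is 32 bytes, so it cannot fail.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// gcmSeal returns nonce||ciphertext under a fresh random nonce; gcmOpen reverses it and
// rejects anything tampered with or sealed under a different key.
func gcmSeal(key, pt []byte) []byte {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error on Go 1.24+; check it on older toolchains
	return gcm.Seal(nonce, nonce, pt, nil)
}

func gcmOpen(key, blob []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("no file or blob too short")
}

// SendCommand is the operator side: encrypt a command and drop it at the bot's path.
func SendCommand(store DeadDrop, botID, cmd string) {
	store["cmd/"+botID] = gcmSeal(cmdKey[:], []byte(cmd))
}

// AgentPoll is the implant side: fetch and decrypt the command file, "run" it, and upload the
// result as a hybrid envelope (RSA-OAEP-wrapped session key || AES-GCM body). The agent holds
// only the operators' public key, so it cannot read back what it uploads.
func AgentPoll(store DeadDrop, opPub *rsa.PublicKey, botID string) error {
	cmd, err := gcmOpen(cmdKey[:], store["cmd/"+botID])
	if err != nil {
		return err
	}
	delete(store, "cmd/"+botID) // consumed; the command file does not linger in the account
	out := fmt.Sprintf("%s ran %q", botID, cmd) // stand-in for real command execution
	session := make([]byte, 32)
	rand.Read(session)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, opPub, session, nil)
	if err != nil {
		return err
	}
	store["result/"+botID] = append(wrapped, gcmSeal(session, []byte(out))...)
	return nil
}

// ReadResult is the operator side again: unwrap the session key with the private key that
// never leaves the operators, then open the body.
func ReadResult(store DeadDrop, priv *rsa.PrivateKey, botID string) (string, error) {
	blob, n := store["result/"+botID], priv.Size() // OAEP output is exactly the modulus size
	if len(blob) < n {
		return "", errors.New("no result waiting")
	}
	session, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:n], nil)
	if err != nil {
		return "", err
	}
	out, err := gcmOpen(session, blob[n:])
	return string(out), err
}

// RoundTrip runs one full exchange through a shared drop box and returns what the operators recover.
func RoundTrip(cmd string) (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	store := DeadDrop{}
	SendCommand(store, "bot01", cmd)
	if err := AgentPoll(store, &priv.PublicKey, "bot01"); err != nil {
		return "", err
	}
	return ReadResult(store, priv, "bot01")
}

func main() { fmt.Println(RoundTrip("list-home-directory")) }
```

Two things the simulation makes concrete. Neither side ever contacts anything but the storage provider, so a network defender sees only traffic to a legitimate cloud service and has no attacker domain or IP to block, which is the point M.Léveillé makes. And the agent carries only the public half of the operators' key pair, so even a captured sample plus a captured result file gives an analyst nothing to decrypt; the private key stays with the operators.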
The approach, while notable, has been used before in the PC world by groups like Inception (aka Cloud Atlas) and APT37 (aka Reaper or Group 123). However, "I think it is the first time we've seen it in Mac malware," M.Léveillé notes.
Attribution, Victimology Remain a Mystery
So far, things are, well, cloudy when it comes to the provenance of the threat. One thing that's clear is that the intention of the perpetrators is espionage and intellectual property theft — potentially a clue as to the type of threat, since spying is traditionally the domain of advanced persistent threats (APTs).
However, the artifacts ESET was able to uncover from the attacks showed no ties to known operations.
"We could not attribute this campaign to a known group, neither from code similarity nor infrastructure," M.Léveillé says.
Another clue: The campaign is also tightly targeted — usually the hallmark of more sophisticated actors.
"Metadata from cloud storage accounts used by CloudMensis revealed the samples we analyzed have run on 51 Macs between Feb. 4 and Apr. 22," M.Léveillé says. Unfortunately, "we have no information about the geolocation or vertical of the victims because files are deleted from the cloud storage."
However, countering the APT-ish aspects of the campaign, the sophistication level of the malware itself is not that impressive, ESET noted.
"The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced," according to the report.
M.Léveillé characterizes CloudMensis as a medium-advanced threat, and notes that unlike NSO Group's formidable Pegasus spyware, CloudMensis builds no zero-day exploits into its code.
"We did not see CloudMensis use undisclosed vulnerabilities to bypass Apple's security barriers," says M.Léveillé. "However, we did find that CloudMensis used known vulnerabilities (also known as one-day or n-day) on Macs that do not run the latest version of macOS [to bypass security mitigations]. We do not know how the CloudMensis spyware is installed on victims' Macs so perhaps they do use undisclosed vulnerabilities for that purpose, but we can only speculate. This places CloudMensis somewhere in the middle in the scale of sophistication, more than average, but not the most sophisticated either."
How to Protect Your Business from CloudMensis & Spyware
Because CloudMensis relies on known vulnerabilities to work around macOS mitigations, running up-to-date Macs is the first line of defense for businesses, according to ESET. Though the initial-compromise vector isn't known in this case, implementing the rest of the basics, such as strong passwords and phishing-awareness training, is also a good defense.
Researchers also recommended turning on Apple's new Lockdown Mode feature.
"Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS, and macOS, which disables features frequently exploited to gain code execution and deploy malware," according to the analysis. "Disabling entry points, at the expense of a less fluid user experience, sounds like a reasonable way to reduce the attack surface."
Above all, M.Léveillé cautions businesses against being lulled into a false sense of security when it comes to Macs. While malware targeting Macs has traditionally been less prevalent than Windows or Linux threats, that is now changing.
"Businesses using Macs in their fleet should protect them the same way they would protect computers running Windows or any other operating systems," he warns. "With the Mac sales increasing year after year, their users have become an interesting target for financially motivated criminals. State-sponsored threat groups also have the resources to adapt to their targets and develop the malware they need to fulfill their missions, regardless of the operating system."