ESET discovers CloudMensis malware that spies on Mac users

Deepak Gupta July 26, 2022
Updated 2022/07/26 at 4:21 PM

Researchers at ESET, a leading European cybersecurity solutions company, have discovered a previously unknown macOS malware that spies on Mac users.

According to ESET, the CloudMensis malware uses public cloud storage services exclusively to communicate with its operators.

CloudMensis can steal documents and emails, take screenshots, and more.

Dubbed CloudMensis by ESET, its capabilities clearly show that the operators' intention is to gather information from victims' Macs by stealing documents, keystrokes, emails, attachments, files on external storage and screenshots.

According to ESET's investigation, the operators of this malware deploy it on specific targets they are interested in. Exploitation of vulnerabilities to circumvent macOS security mitigations shows that CloudMensis operators are actively trying to maximize the success of their spy campaign.

However, ESET did not detect any zero-day vulnerabilities being used by the group, so it recommends that Mac users keep their systems up to date, which at least blocks the known bypasses of macOS security mitigations.


CloudMensis uses cloud storage both to receive commands from its operators and to steal files. It supports three different providers: pCloud, Yandex Disk and Dropbox.

The configuration included in the analyzed sample contains authentication codes for pCloud and Yandex Disk. The metadata from these services revealed interesting details about the operation, including that commands started being passed to bots on February 4, 2022.


Once CloudMensis obtains code execution and administrative privileges, it runs a first-stage component that fetches the second stage from a cloud storage service. This second stage is a much larger component, packed with features to collect information from the compromised Mac. The attackers' intention here is clearly to steal documents, email attachments, screenshots and other sensitive data. In total, the second stage supports 39 commands.

Apple recently acknowledged the presence of spyware targeting users of its products, announcing Lockdown Mode for iOS, iPadOS and macOS, which disables features often exploited to gain code execution and install malware.

