Security researchers warn macOS users of a newly discovered malware variant that steals sensitive data from vulnerable Macs via an undocumented backdoor.

The malware uses public cloud storage like Yandex Disk and Dropbox as its command and control (C2) channel to steal data such as keystrokes and email attachments.

Although Windows malware used similar cloud storage exploits in the past, experts emphasize that the strategy is new to the Mac ecosystem.

ESET researchers were the first to identify the virus, written in Objective-C and dubbed ‘CloudMensis’ in a blog post. The malware’s earliest stages and initial access method are currently unknown.

Stay safe, stay updated

Due to the lack of information about the delivery technique and the incentives of threat actors, ESET researchers advise all macOS users to be careful and keep their devices up-to-date. Because it has only been shown to harm a small number of systems, CloudMensis has not been classified as a critical risk.

When CloudMensis is installed on a victim’s Mac, the first phase retrieves a second stage from public cloud storage services. Both are saved to disk. Once implemented, CloudMensis uses cloud storage to accept orders from its operators and provide encrypted data copies.

It started in February

CloudMensis changes settings to authorize itself and circumvent macOS’ integrated security system. If the victim uses an earlier version of macOS than Catalina 10.15.6, CloudMensis will use a known vulnerability (CVE-2020-9943) to load a writeable TCC database on a victim’s device.

ESET discovered metadata indicating that the malware’s distributors are deploying CloudMensis to specific targets rather than distributing it as widely as possible. This suggests that CloudMensis is spyware.

The information contains no hints about the intended targets. CloudMensis’ use of C2 makes it extremely difficult to identify the threat actors behind it. According to metadata from cloud storage providers obtained by ESET, the threat actors began to operate sometime around February 4th.

Tip: Apple launches extreme security feature to guard against spyware