A previously unknown macOS backdoor, called CloudMensis, gathers information from victims by exfiltrating documents, keystrokes and screen captures from compromised Macs.
The backdoor was discovered by ESET researchers in April and disclosed on Tuesday. Researchers don’t know how the malware is initially distributed or who the targets are, but its “limited distribution” - with 51 victims observed between February and April - suggests it may be used as part of a very targeted operation. The malware does not appear to be advanced, they said, but its powerful spying capabilities and ability to leverage various Apple vulnerabilities to work around macOS mitigations are concerning.
“The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced,” said Marc-Etienne M.Léveillé with ESET in a Tuesday analysis. “Nonetheless a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets.”
While researchers couldn’t pinpoint the distribution method for CloudMensis, once attackers have gained code execution and administrative privileges on a Mac the malware runs in two stages. The first stage is a downloader that retrieves the second-stage spying component from a cloud storage provider. The first stage also contains a component called removeRegistration that launches sandbox-escape and privilege-escalation exploits from Safari, abusing four previously disclosed vulnerabilities that Apple fixed in 2017.
“We initially thought the purpose of removeRegistration was to uninstall previous versions of CloudMensis, but further research showed that these files are used to launch sandbox and privilege escalation exploits from Safari while abusing four vulnerabilities,” said researchers.
Once downloaded, the second stage of the malware collects and exfiltrates documents, screenshots, email attachments and other data. It communicates with its operators exclusively through public cloud storage services, researchers said.
“CloudMensis uses cloud storage both for receiving commands from its operators and for exfiltrating files,” they said. “It supports three different providers: pCloud, Yandex Disk, and Dropbox. The configuration included in the analyzed sample contains authentication tokens for pCloud and Yandex Disk.”
CloudMensis uses two techniques to try to bypass Apple’s Transparency, Consent and Control (TCC) system, which since macOS Mojave (10.14) in 2018 has gated access to sensitive inputs such as screen captures, the camera and the microphone by prompting the user when an application first asks for them. TCC decisions are stored in a database on the Mac that is protected by System Integrity Protection (SIP), so that only the TCC daemon (tccd) can modify it. If SIP is disabled, CloudMensis simply inserts entries into that database to grant itself the permissions it needs before touching those inputs. If SIP is enabled, the malware instead exploits a previously fixed vulnerability, CVE-2020-9934, which stems from tccd’s handling of environment variables and can be used to make the daemon load a database that CloudMensis controls. This second technique only works on unpatched systems: Apple fixed the bug in macOS Catalina 10.15.6, so fully updated Macs are not affected by it.
“Usage of vulnerabilities to work around macOS mitigations shows that the malware operators are actively trying to maximize the success of their spying operations,” said researchers.
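To illustrate the first of the two techniques from a defender’s side, here is an added example (not ESET’s, Apple’s or CloudMensis’ own code) that audits a TCC database for grants an attacker with SIP disabled could have written by hand. It assumes the `access` table layout used by tccd, in both the Catalina form (`allowed`) and the Big Sur-and-later form (`auth_value`); the sample database it builds is constructed for the demonstration, and the client path `/Users/Shared/.cache/agent` is hypothetical. The heuristics it applies (a grant with no recorded code-signing requirement, a path-based client outside /Applications or /System) are for triage, not proof.

```python
"""Audit a TCC database for grants that look hand-written rather than
user-approved. Added example for this article; not ESET's, Apple's or
CloudMensis' code. The sample database is constructed."""
import os
import sqlite3
import subprocess
import tempfile
import time

# TCC service names a spyware like CloudMensis needs (screen, mic, camera,
# keyboard events, Full Disk Access).
SENSITIVE_SERVICES = {
    "kTCCServiceScreenCapture",
    "kTCCServiceMicrophone",
    "kTCCServiceCamera",
    "kTCCServiceListenEvent",           # Input Monitoring (keystrokes)
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
}


def sip_status():
    """True/False from `csrutil status`, None when not on macOS.
    Writing TCC.db directly only works when SIP is disabled."""
    try:
        out = subprocess.run(["csrutil", "status"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return "status: enabled" in out.lower()


def _allow_column(conn):
    """TCC's schema changed in Big Sur: 'allowed'=1 became 'auth_value'=2."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    if "auth_value" in cols:
        return "auth_value", 2
    if "allowed" in cols:
        return "allowed", 1
    raise ValueError("no TCC 'access' table in this database")


def audit_tcc_db(path):
    """Return grants for sensitive services that merit a closer look.
    Heuristics (triage, not proof): tccd records a code-signing requirement
    (csreq) when it writes an entry after a user prompt, so a grant with a
    NULL csreq, or a path-based client outside the usual locations, is what
    a row inserted by hand with sqlite3 tends to look like."""
    findings = []
    conn = sqlite3.connect(path)   # audit a copy of TCC.db, never the live file
    try:
        col, allowed = _allow_column(conn)
        query = (f"SELECT service, client, client_type, csreq, last_modified "
                 f"FROM access WHERE {col} = ?")
        for service, client, client_type, csreq, last_mod in conn.execute(query, (allowed,)):
            if service not in SENSITIVE_SERVICES:
                continue
            reasons = []
            if csreq is None:
                reasons.append("no code-signing requirement recorded")
            # client_type 1 = absolute path, 0 = bundle identifier
            if client_type == 1 and not client.startswith(("/Applications/", "/System/")):
                reasons.append("path-based client outside /Applications or /System")
            if reasons:
                findings.append({"service": service, "client": client,
                                 "last_modified": last_mod, "reasons": reasons})
    finally:
        conn.close()
    return findings


def build_sample_db(path):
    """Constructed stand-in for TCC.db (Big Sur-style columns), demo only."""
    now = int(time.time())
    csreq = b"\xfa\xde\x0c\x00" + b"\x00" * 12   # placeholder requirement blob
    rows = [
        # user-approved grant as tccd writes it: bundle id, csreq present
        ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2, 2, csreq, now - 86400),
        # a denial is not a grant and is never flagged
        ("kTCCServiceMicrophone", "com.example.notes", 0, 0, 2, csreq, now - 3600),
        # hand-inserted grants (hypothetical path): no csreq, odd location
        ("kTCCServiceScreenCapture", "/Users/Shared/.cache/agent", 1, 2, 3, None, now),
        ("kTCCServiceListenEvent", "/Users/Shared/.cache/agent", 1, 2, 3, None, now),
        # non-sensitive service: out of scope even though it looks odd
        ("kTCCServiceCalendar", "/usr/local/bin/tool", 1, 2, 2, None, now),
    ]
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                 "auth_value INTEGER, auth_reason INTEGER, csreq BLOB, last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    conn.close()


def demo():
    """Build the constructed database in a temp file, audit it, clean up."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_db(path)
        return audit_tcc_db(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("SIP:", sip_status())
    for f in demo():
        print(f["service"], f["client"], "; ".join(f["reasons"]))
```

On a real Mac, copy the system database (`/Library/Application Support/com.apple.TCC/TCC.db`, which holds the Screen Recording and Input Monitoring grants and needs Full Disk Access or root to read) and the per-user one under `~/Library/Application Support/com.apple.TCC/`, then run `audit_tcc_db` on the copies and read the result together with `sip_status()`: a suspicious grant on a machine where SIP is off is exactly the condition the first CloudMensis technique relies on, while the CVE-2020-9934 route leaves the real database untouched and has to be checked by confirming the patch level instead.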
While novel macOS malware families have kept surfacing over the past few years - including one used in a watering-hole attack on Hong Kong websites to steal data, record audio and more - Apple has also continued to add security safeguards to its devices. One recently announced protection, Lockdown Mode, is designed to give users at serious risk of highly targeted attacks an additional level of security, for instance.