I see what you did there: A look at the CloudMensis macOS spyware

CloudMensis is a macOS backdoor that spies on victims by exfiltrating documents, keystrokes, and screen captures, and communicates with its operators exclusively through public cloud storage services. It uses a two-stage architecture: a first-stage downloader fetches the second-stage spy agent from cloud storage (pCloud in the sample analyzed) and installs it on the system.

Keypoints

  • CloudMensis is a macOS backdoor that communicates with operators via public cloud storage services (pCloud, Yandex Disk, Dropbox) to exfiltrate data.
  • It operates in a two-stage sequence: a downloader fetches and installs a second-stage spy agent from the cloud storage provider.
  • The downloader writes the second stage as a system-wide daemon, requiring root privileges to persist.
  • CloudMensis attempts to bypass macOS privacy controls (TCC), which gate screen capture, keyboard-event monitoring, and access to removable media; one technique it uses is the CVE-2020-9934 TCC bypass, which only succeeds on macOS versions where that bug is unpatched.
  • Its configuration is stored in an encrypted plist using a custom encryption scheme named FlowEncrypt; when loading, it can merge values from an older configuration file left by a previous version.
  • The spy agent supports 39 commands (e.g., screen capture, file listing, shell command execution) and uses three cloud storage handles, CloudCmd, CloudData and CloudShell, for C2 and data exfiltration.

MITRE Techniques

  • [T1543.004] Create or Modify System Process: Launch Daemon – The CloudMensis downloader installs the second stage as a system-wide launch daemon.
  • [T1553] Subvert Trust Controls – CloudMensis tries to bypass TCC if the system allows it.
  • [T1560.002] Archive Collected Data: Archive via Library – CloudMensis uses SSZipArchive to create a password-protected ZIP archive of the data to exfiltrate.
  • [T1056.001] Input Capture: Keylogging – CloudMensis can capture and exfiltrate keystrokes.
  • [T1113] Screen Capture – CloudMensis can take screen captures and exfiltrate them.
  • [T1005] Data from Local System – CloudMensis looks for files with specific extensions.
  • [T1025] Data from Removable Media – CloudMensis can search removable media for interesting files when they are connected.
  • [T1114.001] Email Collection: Local Email Collection – CloudMensis searches for interesting email messages and attachments from Mail.
  • [T1573.002] Encrypted Channel: Asymmetric Cryptography – The CloudMensis initial report is encrypted with a public RSA-2048 key.
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – CloudMensis encrypts exfiltrated files using password-protected ZIP archives.
  • [T1102.002] Web Service: Bidirectional Communication – CloudMensis uses Dropbox, pCloud, or Yandex Disk for C&C communication.
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – CloudMensis exfiltrates files to Dropbox, pCloud, or Yandex Disk.

Indicators of Compromise

  • [SHA-1] D7BF702F56CA53140F4F03B590E9AFCBC83809DB – mdworker3 (first-stage downloader)
  • [SHA-1] 0AA94D8DF1840D734F25426926E529588502BC08 – WindowServer, myexe (second-stage spy agent)
  • [Public key] RSA-2048 public key used to encrypt the initial report –
    -----BEGIN PUBLIC KEY----- MIIBIjANB… (truncated in summary) …-----END PUBLIC KEY-----
  • [Path] /Library/WebServer/share/httpd/manual/WindowServer
  • [Path] /Library/LaunchDaemons/.com.apple.WindowServer.plist
  • [Path] ~/Library/Containers/com.apple.FaceTime/Data/Library/windowserver
  • [Path] ~/Library/Containers/com.apple.Notes/Data/Library/.CFUserTextDecoding
  • [Path] ~/Library/Application Support/com.apple.spotlight/Resources_V3/.CrashRep
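
The following hunting script is an added example, not code from the ESET report or its authors. It takes the file paths and SHA-1 hashes from the IOC list above, checks whether any of the paths exist (expanding "~" for the user being examined), hashes what it finds against the two known samples, and adds one check the persistence path suggests but the report does not spell out as a rule: any dot-prefixed plist in /Library/LaunchDaemons is hidden from ls and Finder and deserves a look, whatever its name. The function names and the TARGET_ROOT and HOME_DIR variables (for pointing the script at a mounted disk image and a specific user's home) are this script's own assumptions; the hashes and paths are the report's.

```shell
#!/bin/sh
# CloudMensis IOC hunt. Added example, not code from the ESET report.
# Hashes and paths come from the IOC list above; everything else
# (function names, TARGET_ROOT, HOME_DIR) is this script's own assumption.
#
# Usage:  sudo sh cloudmensis_hunt.sh scan
#         TARGET_ROOT=/Volumes/image HOME_DIR=/Users/alice sh cloudmensis_hunt.sh scan
TARGET_ROOT="${TARGET_ROOT:-}"          # prefix for a mounted image; empty = live system
HOME_DIR="${HOME_DIR:-${HOME:-}}"       # home directory used to expand "~" IOC paths

# SHA-1 of the downloader (mdworker3) and the spy agent (WindowServer, myexe).
CLOUDMENSIS_SHA1="d7bf702f56ca53140f4f03b590e9afcbc83809db
0aa94d8df1840d734f25426926e529588502bc08"

# File paths from the report; "~" is expanded per user.
IOC_PATHS="/Library/WebServer/share/httpd/manual/WindowServer
/Library/LaunchDaemons/.com.apple.WindowServer.plist
~/Library/Containers/com.apple.FaceTime/Data/Library/windowserver
~/Library/Containers/com.apple.Notes/Data/Library/.CFUserTextDecoding
~/Library/Application Support/com.apple.spotlight/Resources_V3/.CrashRep"

# Lowercase SHA-1 of a file; sha1sum on Linux, shasum on macOS.
file_sha1() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1"
  else
    shasum -a 1 "$1"
  fi | cut -d' ' -f1 | tr 'A-F' 'a-f'
}

# Exit 0 if the SHA-1 of file $1 appears in the newline-separated list $2.
hash_in_list() {
  h=$(file_sha1 "$1") || return 1
  printf '%s\n' "$2" | grep -qxF "$h"
}

# Expand a leading "~" to home $2 and prefix root $3 (the mounted image, if any).
expand_ioc_path() {
  case "$1" in
    "~"/*) printf '%s%s%s\n' "$3" "$2" "${1#"~"}" ;;
    *)     printf '%s%s\n' "$3" "$1" ;;
  esac
}

# Print every IOC path that exists for home $1 under root $2.
find_ioc_paths() {
  printf '%s\n' "$IOC_PATHS" | while IFS= read -r p; do
    full=$(expand_ioc_path "$p" "$1" "$2")
    if [ -e "$full" ]; then printf '%s\n' "$full"; fi
  done
}

# A dot-prefixed plist in LaunchDaemons is suspicious on its own: ls and Finder
# hide it, which is what the report's persistence path relies on. This check is
# broader than the single IOC path and will surface other hidden daemons too.
find_hidden_launch_daemons() {
  [ -d "$1" ] || return 0
  find "$1" -maxdepth 1 -type f -name '.*.plist' 2>/dev/null
}

# Report each present IOC path, flagging files whose SHA-1 matches the report.
scan() {
  find_ioc_paths "$1" "$2" | while IFS= read -r f; do
    if [ -f "$f" ] && hash_in_list "$f" "$CLOUDMENSIS_SHA1"; then
      printf 'HASH MATCH %s %s\n' "$(file_sha1 "$f")" "$f"
    else
      printf 'path present (hash not in list): %s\n' "$f"
    fi
  done
}

main() {
  scan "$HOME_DIR" "$TARGET_ROOT"
  find_hidden_launch_daemons "${TARGET_ROOT}/Library/LaunchDaemons" |
    sed 's/^/hidden LaunchDaemon plist: /'
}

# Only run the sweep when invoked with "scan", so the functions can be sourced.
case "${1:-}" in scan) main ;; esac
```

Run it as root on a live system (the /Library paths and other users' homes are not readable otherwise), or point TARGET_ROOT at a mounted image and HOME_DIR at each user directory in turn. A path that exists but whose hash is not in the list still matters: a recompiled or updated sample would have a new hash while keeping the same drop locations, which is why the script reports presence and hash match separately.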

Read more: https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/