Previously unknown macOS malware uses cloud storage as its C&C channel and to exfiltrate documents, keystrokes, and screen captures from compromised Macs

In April 2022, ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators. Following analysis, we named it CloudMensis. Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures.

Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS and macOS, which disables features frequently exploited to gain code execution and deploy malware. Although not the most advanced malware, CloudMensis may be one of the reasons some users would want to enable this additional defense. Disabling entry points, at the expense of a less fluid user experience, sounds like a reasonable way to reduce the attack surface.

This blogpost describes the different components of CloudMensis and their inner workings.

CloudMensis overview

CloudMensis is malware for macOS developed in Objective-C. Samples we analyzed are compiled for both Intel and Apple silicon architectures. We still do not know how victims are initially compromised by this threat. However, we understand that when code execution and administrative privileges are gained, what follows is a two-stage process (see Figure 1), where the first stage downloads and executes the more featureful second stage.

Interestingly, this first-stage malware retrieves its next stage from a cloud storage provider. It doesn't use a publicly accessible link; it includes an access token to download the MyExecute file from the drive. In the sample we analyzed, pCloud was used to store and deliver the second stage.

Figure 4. CloudMensis downloader installing the second stage

Cleaning up after usage of a Safari exploit

The first-stage component includes an interesting method called removeRegistration that seems to be present to clean up after a successful Safari sandbox escape exploit. A first glance at this method is a bit puzzling, considering that the things it does seem unrelated: it deletes a file called root from the EFI system partition (Figure 5), sends an XPC message to speechsynthesisd (Figure 6), and deletes files from the Safari cache directory. We initially thought the purpose of removeRegistration was to uninstall previous versions of CloudMensis, but further research showed that these files are used to launch sandbox and privilege escalation exploits from Safari while abusing four vulnerabilities. These vulnerabilities were discovered and well documented by Niklas Baumstark and Samuel Groß in 2017. All four were patched by Apple the same year, so this distribution technique is probably not used to install CloudMensis anymore.
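The removeRegistration routine the post describes erases traces rather than creating them, which is what makes it useful to a responder: the file called root on the EFI system partition and the emptied Safari cache are the things to go looking for on a suspect Mac. The triage helper below is an added example (not ESET's analysis code and not the malware's); it finds the EFI system partition by parsing `diskutil list`, mounts it read-only, checks for a top-level file named root, and summarizes the Safari cache directory. The mount point, the cache path, the sample `diskutil` output and the fake ESP used off macOS are all assumptions constructed for illustration; the post does not say what the root file contains, so the helper reports only its size and whether it carries a Mach-O magic.

```python
"""Triage helper for the traces CloudMensis' removeRegistration erases.

Added example; not ESET's code and not the malware's. Mount point, cache
path and the sample diskutil output are assumptions for illustration.
"""
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed `diskutil list` output so the parser can be exercised offline.
# Column order matches what diskutil prints: #, TYPE, NAME, SIZE, IDENTIFIER.
SAMPLE_DISKUTIL = """\
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     314.6 MB   disk0s1
   2:                 Apple_APFS Container disk1         500.0 GB   disk0s2

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +500.0 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            15.2 GB    disk1s1
"""

MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, both byte orders
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe",                        # fat/universal binary
}


def efi_partitions(diskutil_output):
    """Return the device identifiers (e.g. 'disk0s1') of every EFI partition."""
    ids = []
    for line in diskutil_output.splitlines():
        fields = line.split()
        # Partition rows look like: "1:   EFI EFI   314.6 MB   disk0s1"
        if len(fields) >= 3 and fields[0].endswith(":") and fields[1] == "EFI":
            ids.append(fields[-1])
    return ids


def mount_efi(identifier, mount_point):
    """Mount the ESP read-only (needs root). Returns True on success."""
    mount_point.mkdir(parents=True, exist_ok=True)
    result = subprocess.run(
        ["mount", "-t", "msdos", "-o", "rdonly", f"/dev/{identifier}", str(mount_point)],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def efi_root_artifact(mount_point):
    """Describe a top-level file named 'root' on the mounted ESP, or None."""
    candidate = Path(mount_point) / "root"
    if not candidate.is_file():
        return None
    with candidate.open("rb") as f:
        magic = f.read(4)
    return {"path": str(candidate), "size": candidate.stat().st_size,
            "macho": magic in MACHO_MAGICS}


def safari_cache_summary(cache_dir):
    """Count files under the Safari cache; the cleanup routine empties it."""
    cache_dir = Path(cache_dir)
    if not cache_dir.is_dir():
        return {"present": False, "files": 0}
    files = [p for p in cache_dir.rglob("*") if p.is_file()]
    return {"present": True, "files": len(files)}


def main():
    if sys.platform != "darwin":
        # Off macOS: exercise the checks against a constructed ESP layout.
        fake = Path(tempfile.mkdtemp())
        (fake / "root").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
        print("EFI partitions in sample:", efi_partitions(SAMPLE_DISKUTIL))
        print("fake ESP:", efi_root_artifact(fake))
        return
    out = subprocess.run(["diskutil", "list"], capture_output=True, text=True, check=True).stdout
    mount_point = Path("/Volumes/EFI-triage")  # assumption: any unused mount point works
    for ident in efi_partitions(out):
        if os.geteuid() != 0:
            print(f"{ident}: re-run as root to mount and inspect")
            continue
        if not mount_efi(ident, mount_point):
            print(f"{ident}: mount failed")
            continue
        print(f"{ident}:", efi_root_artifact(mount_point) or "no 'root' file")
        subprocess.run(["umount", str(mount_point)], check=False)
    # Assumption: default per-user Safari cache location.
    print("Safari cache:", safari_cache_summary(Path.home() / "Library/Caches/com.apple.Safari"))


if __name__ == "__main__":
    main()
```

The XPC message to speechsynthesisd leaves no file behind; if anything survives it is in the unified log (`log show --predicate 'process == "speechsynthesisd"'`), whose retention is short, so collect it early. An empty Safari cache on its own proves nothing, since users clear it too; treat it as corroboration for a root file on the ESP, not as a finding by itself.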
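Because the post's first stage fetches MyExecute from pCloud with an access token, and the backdoor as a whole talks to its operators only through public cloud storage, blocking or alerting on the destination is pointless: the host is legitimate and probably already in use by a sync client on the same Mac. What separates the backdoor from the sync client is which process opens the connection. The script below is an added example of that hunt, not ESET's detection logic and not anything from CloudMensis: it runs over a constructed, tab-separated per-connection export (a hypothetical EDR format) and flags any process reaching a cloud-storage API that is neither the provider's own client nor a browser. The hostnames, the allowlisted client paths, the Dropbox entries and the MyExecute path in the sample are assumptions; the post only names pCloud.

```python
"""Flag processes that reach cloud-storage APIs but are neither the
provider's own sync client nor a browser.

Added example, not ESET's detection logic. Log format, hostnames and the
allowlists are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample of a per-connection export (hypothetical EDR format,
# tab separated): timestamp, pid, process path, destination host:port.
SAMPLE_LOG = (
    "2022-04-12T09:14:03Z\t512\t/Applications/Safari.app/Contents/MacOS/Safari\twww.apple.com:443\n"
    "2022-04-12T09:14:05Z\t640\t/Applications/pCloud Drive.app/Contents/MacOS/pCloud Drive\tapi.pcloud.com:443\n"
    "2022-04-12T09:15:11Z\t771\t/Users/alice/Library/Caches/.x/MyExecute\tapi.pcloud.com:443\n"
    "2022-04-12T09:15:12Z\t771\t/Users/alice/Library/Caches/.x/MyExecute\teapi.pcloud.com:443\n"
    "2022-04-12T09:16:40Z\t802\t/Applications/Dropbox.app/Contents/MacOS/Dropbox\tapi.dropboxapi.com:443\n"
    "2022-04-12T09:17:02Z\t771\t/Users/alice/Library/Caches/.x/MyExecute\tapi.dropboxapi.com:443\n"
    "2022-04-12T09:18:30Z\t512\t/Applications/Safari.app/Contents/MacOS/Safari\twww.dropbox.com:443\n"
)

# Domain suffix -> provider. Assumed hostnames; extend from your own DNS data.
CLOUD_STORAGE_DOMAINS = {
    "pcloud.com": "pCloud",
    "dropboxapi.com": "Dropbox",
    "dropbox.com": "Dropbox",
}

# Processes expected to talk to each provider: its own client, by path prefix.
EXPECTED_CLIENTS = {
    "pCloud": ("/Applications/pCloud Drive.app/",),
    "Dropbox": ("/Applications/Dropbox.app/",),
}
# Browsers legitimately reach any provider's web front end.
BROWSERS = (
    "/Applications/Safari.app/",
    "/Applications/Google Chrome.app/",
    "/Applications/Firefox.app/",
)


def provider_for(host):
    """Map a destination host to a cloud-storage provider, or None."""
    host = host.lower().rstrip(".")
    for suffix, name in CLOUD_STORAGE_DOMAINS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse_line(line):
    """Split one tab-separated record; the process path may contain spaces."""
    ts, pid, proc, dest = line.rstrip("\n").split("\t")
    host, _, port = dest.rpartition(":")
    return {"ts": ts, "pid": int(pid), "proc": proc, "host": host, "port": int(port)}


def unexpected_cloud_clients(log_text):
    """Return {(pid, process): [(ts, provider, host), ...]} for every
    connection to a cloud-storage provider from a non-allowlisted process."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        provider = provider_for(rec["host"])
        if provider is None:
            continue
        allowed = EXPECTED_CLIENTS.get(provider, ()) + BROWSERS
        if rec["proc"].startswith(allowed):
            continue
        findings[(rec["pid"], rec["proc"])].append((rec["ts"], provider, rec["host"]))
    return dict(findings)


def providers_per_process(findings):
    """One process reaching several storage providers is a stronger signal
    than a single hit: a real sync client is bound to one provider."""
    return {key: sorted({p for _, p, _ in hits}) for key, hits in findings.items()}


if __name__ == "__main__":
    found = unexpected_cloud_clients(SAMPLE_LOG)
    for (pid, proc), providers in providers_per_process(found).items():
        print(f"pid {pid} {proc}: {', '.join(providers)} ({len(found[(pid, proc)])} connections)")
```

The allowlist is deliberately keyed on the provider, not on a global list of trusted binaries: the pCloud client is expected to talk to pCloud, not to every storage API. Any process outside `/Applications` that reaches these hosts deserves a look, and a process that reaches more than one provider deserves it first.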