How does it accomplish this?
In an attempt to bypass the various security features built into macOS, such as escaping the Safari sandbox and bypassing specific Transparency, Consent and Control (TCC) protections, CloudMensis uses multiple n-day exploits. It also leverages cloud storage services as its means of sending commands to victim computers. The cloud storage providers used by this malware are pCloud, Yandex Disk and Dropbox.
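Using a cloud storage provider as the C2 channel blends in with legitimate traffic, so the useful signal for defenders is not the destination alone but which process is talking to it. The following is an added example, not code from the Jamf post or from Jamf Protect: it walks constructed network events and flags connections to the three providers' APIs from any binary other than the vendor's own desktop client. The API hostnames, the client application paths and the log format are assumptions for illustration; adapt them to your own telemetry and allowlist.

```python
"""Triage network events for cloud-storage API traffic from unexpected processes.

Added example, not code from the Jamf post. The API hostnames, client
application paths and the log format are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed API hostnames of the three providers named in the post.
CLOUD_STORAGE_DOMAINS = {
    "api.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}

# Assumed install paths of the vendors' own desktop clients. Traffic to the
# APIs from any other binary is the signal worth reviewing.
KNOWN_CLIENT_PREFIXES = (
    "/Applications/Dropbox.app/",
    "/Applications/pCloud Drive.app/",
    "/Applications/Yandex.Disk.app/",
)

# Constructed log format: pid=<n> proc="<path>" dst=<host>:<port>
LOG_RE = re.compile(
    r'pid=(?P<pid>\d+)\s+proc="(?P<proc>[^"]+)"\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)'
)


@dataclass(frozen=True)
class Finding:
    pid: int
    process: str
    host: str
    provider: str


def parse_event(line: str) -> dict | None:
    """Return the fields of one event, or None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "pid": int(m["pid"]),
        "proc": m["proc"],
        "host": m["host"].lower(),
        "port": int(m["port"]),
    }


def find_cloud_c2_candidates(lines) -> list[Finding]:
    """Flag connections to cloud-storage APIs from processes that are not the official client."""
    findings: list[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable telemetry; skip rather than guess
        provider = CLOUD_STORAGE_DOMAINS.get(ev["host"])
        if provider is None:
            continue  # not a cloud-storage API we care about
        if ev["proc"].startswith(KNOWN_CLIENT_PREFIXES):
            continue  # the vendor's own client; expected behaviour
        findings.append(Finding(ev["pid"], ev["proc"], ev["host"], provider))
    return findings


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    'pid=410 proc="/Applications/Dropbox.app/Contents/MacOS/Dropbox" dst=api.dropboxapi.com:443',
    'pid=522 proc="/usr/bin/curl" dst=cloud-api.yandex.net:443',
    'pid=773 proc="/Users/alice/Library/Caches/.hidden/helper" dst=api.pcloud.com:443',
    'pid=604 proc="/Applications/Safari.app/Contents/MacOS/Safari" dst=www.apple.com:443',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in find_cloud_c2_candidates(SAMPLE_EVENTS):
        print(f"[{f.provider}] pid {f.pid} {f.process} -> {f.host}")
```

Run as-is it reports the curl and hidden-directory processes and stays silent on the Dropbox client and on Safari. A production version would key the allowlist on code-signing identity rather than file path, since a path is trivial to spoof.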
Not the first but not the last either
While this is not the first malware on macOS utilizing cloud storage for command and control (C2), it is among the most recent making its rounds in the wild. For example, earlier this year the Gimmick malware used Google Drive as its means of C2 as well.
Jamf’s got your six
Jamf Protect has been updated to protect against all known samples of CloudMensis as of July 19, 2022. In the event that your endpoints have yet to be updated, rest assured that Jamf Protect’s behavioral detections will trigger alerts upon detecting various stages of this malware. This includes attempts to bypass or exploit TCC, alongside the creation of specific launch daemons.
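The launch daemon angle is worth a concrete check of your own. The following is an added example, not Jamf Protect's detection logic and not code from the post: it loads launchd property lists and returns the reasons each one deserves review, such as an executable outside the usual install locations, a hidden directory in the path, an Apple-style label pointing at a non-Apple binary, and RunAtLoad on top of any of those. The trusted-path prefixes and both sample plists are assumptions constructed for illustration.

```python
"""Heuristic triage of launchd property lists for persistence red flags.

Added example, not code from the Jamf post or Jamf Protect's own logic. The
trusted-path prefixes and the sample plists are assumptions for illustration.
"""
from __future__ import annotations

import plistlib

# Assumed: locations from which a legitimately installed daemon's binary usually runs.
TRUSTED_PROGRAM_PREFIXES = (
    "/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/",
)
# Assumed: an Apple-owned label should point at an Apple-owned path.
APPLE_PATH_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def program_path(plist: dict) -> str | None:
    """launchd takes the executable from Program or, failing that, ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def triage_launchd_plist(data: bytes) -> list[str]:
    """Return the reasons a plist deserves review; an empty list means nothing stood out."""
    plist = plistlib.loads(data)
    reasons: list[str] = []
    label = plist.get("Label", "")
    prog = program_path(plist)
    if prog is None:
        reasons.append("no executable specified")
        return reasons
    if not prog.startswith(TRUSTED_PROGRAM_PREFIXES):
        reasons.append(f"executable outside trusted locations: {prog}")
    if "/." in prog:
        reasons.append(f"executable lives in a hidden directory: {prog}")
    if label.startswith("com.apple.") and not prog.startswith(APPLE_PATH_PREFIXES):
        reasons.append(f"Apple-style label {label!r} runs a non-Apple path")
    # Persistence at boot only matters once something else looked off.
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad set: starts automatically at boot")
    return reasons


def _sample_plist(label: str, args: list[str], run_at_load: bool) -> bytes:
    """Build a constructed plist as the XML bytes launchd would read from disk."""
    return plistlib.dumps(
        {"Label": label, "ProgramArguments": args, "RunAtLoad": run_at_load}
    )


# Constructed samples (not real CloudMensis artefacts).
BENIGN = _sample_plist(
    "com.example.backupagent",
    ["/Applications/Example Backup.app/Contents/MacOS/agent"],
    True,
)
SUSPICIOUS = _sample_plist(
    "com.apple.sync.helper",
    ["/Users/Shared/.cache/syncd", "-d"],
    True,
)
NO_PROGRAM = plistlib.dumps({"Label": "com.example.empty"})

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("no program", NO_PROGRAM)):
        print(name, "->", triage_launchd_plist(blob) or "clean")
```

To run it against a real host, feed `triage_launchd_plist` the bytes of each file under /Library/LaunchDaemons and /Library/LaunchAgents; the heuristics are deliberately coarse, so treat a non-empty result as a prompt to look, not as a verdict.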
IoCs as published by ESET