CloudMensis malware stealing your joy? Jamf’s got you covered!

CloudMensis is a new macOS spyware discovered by ESET. Researchers noted that this malware’s primary goal is to exfiltrate data, such as documents, keystrokes, screen captures, emails and other potentially sensitive data.

July 19, 2022 by Jamf Threat Labs


How does it accomplish this?

To get around several of the security features built into macOS, such as the Safari sandbox and specific Transparency, Consent and Control (TCC) protections, CloudMensis uses multiple n-day exploits. It also uses cloud storage services as the channel for sending commands to victim computers. The cloud storage providers used by this malware are pCloud, Yandex Disk and Dropbox.

Not the first but not the last either

While this is not the first macOS malware to use cloud storage for command and control (C2), it is among the most recent to circulate in the wild. For example, earlier this year the Gimmick malware also used Google Drive for C2.

Jamf’s got your six

Jamf Protect has been updated to protect against all known samples of CloudMensis as of July 19, 2022. If your endpoints have yet to be updated, Jamf Protect's behavioral detections will still raise alerts on several stages of this malware, including attempts to bypass or exploit TCC and the creation of specific launch daemons.
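The two behaviors called out above, TCC tampering and launch daemon creation, plus the cloud-storage C2 channel described earlier, can be expressed as simple endpoint heuristics. The script below is an added example and is not Jamf Protect's detection logic or anything from ESET's report: the event format, the API hostnames for the three providers, the process allowlists and every sample event are assumptions constructed for illustration.

```python
"""Heuristic checks for three behaviors associated with CloudMensis-style spyware:
writes to the TCC database by anything other than tccd, LaunchDaemon/LaunchAgent
plist creation by unexpected processes, and connections to consumer cloud-storage
APIs from processes that are not browsers or the providers' own clients.
Everything here (event format, hostnames, allowlists, sample events) is constructed."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed API hostnames for the providers the post names (not taken from the page).
CLOUD_STORAGE_HOSTS = {
    "api.pcloud.com", "eapi.pcloud.com",
    "cloud-api.yandex.net",
    "api.dropboxapi.com", "content.dropboxapi.com",
}
# Assumed allowlists: processes for which the behavior is expected in a normal fleet.
EXPECTED_CLOUD_CLIENTS = {"Safari", "Google Chrome", "firefox", "Dropbox", "pCloud Drive", "Yandex.Disk"}
EXPECTED_PLIST_WRITERS = {"installer", "softwareupdated", "launchctl"}
LAUNCH_DIRS = ("/Library/LaunchDaemons/", "/Library/LaunchAgents/", "/Users/*/Library/LaunchAgents/")
TCC_DB_SUFFIX = "Library/Application Support/com.apple.TCC/TCC.db"


@dataclass
class Event:
    ts: str
    kind: str      # "file_write" or "net_connect" (constructed event kinds)
    process: str   # basename of the executable that caused the event
    target: str    # file path written, or "host:port" connected to


def parse_line(line: str) -> Event:
    """Parse one tab-separated constructed log line: ts, kind, process, target."""
    ts, kind, process, target = line.rstrip("\n").split("\t", 3)
    return Event(ts, kind, process, target)


def classify(ev: Event) -> Optional[str]:
    """Return the rule name an event trips, or None if it looks benign."""
    if ev.kind == "file_write":
        # Only tccd should ever write the TCC database; anything else is tampering.
        if ev.target.endswith(TCC_DB_SUFFIX) and ev.process != "tccd":
            return "tcc_tamper"
        # New launchd plists from outside the installer/update path are persistence.
        if (any(fnmatch.fnmatch(ev.target, d + "*.plist") for d in LAUNCH_DIRS)
                and ev.process not in EXPECTED_PLIST_WRITERS):
            return "launchd_persistence"
    elif ev.kind == "net_connect":
        host = ev.target.split(":", 1)[0]
        # Cloud-storage API traffic from a non-browser, non-client process is the C2 pattern.
        if host in CLOUD_STORAGE_HOSTS and ev.process not in EXPECTED_CLOUD_CLIENTS:
            return "cloud_storage_c2"
    return None


def detect(lines) -> List[Tuple[str, str, str]]:
    """Run every rule over the log lines; return (rule, process, target) per alert."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_line(line)
        rule = classify(ev)
        if rule:
            alerts.append((rule, ev.process, ev.target))
    return alerts


# Constructed sample events; process and plist names are placeholders, not real IoCs.
SAMPLE_LOG = [
    "# ts\tkind\tprocess\ttarget",
    "2022-07-19T10:00:01Z\tfile_write\tinstaller\t/Library/LaunchDaemons/com.example.vendor.plist",
    "2022-07-19T10:00:02Z\tnet_connect\tSafari\tapi.dropboxapi.com:443",
    "2022-07-19T10:00:03Z\tfile_write\texample_dropper\t/Library/LaunchDaemons/com.example.persist.plist",
    "2022-07-19T10:00:04Z\tfile_write\texample_dropper\t/Users/alice/Library/Application Support/com.apple.TCC/TCC.db",
    "2022-07-19T10:00:05Z\tnet_connect\texample_agent\tapi.pcloud.com:443",
    "2022-07-19T10:00:06Z\tfile_write\ttccd\t/Library/Application Support/com.apple.TCC/TCC.db",
]

if __name__ == "__main__":
    for rule, process, target in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: {process} -> {target}")
```

On a system with SIP enabled the system-wide TCC.db is not writable by ordinary processes and the per-user copy requires Full Disk Access, so a write to either path by something other than `tccd` is anomalous on its own and is worth alerting on regardless of which process did it. The cloud-storage rule is the noisiest of the three in practice, so tune `EXPECTED_CLOUD_CLIENTS` to whatever sync clients your fleet actually runs before acting on it.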

IoCs as published by ESET
