Person using an iPhone to capture sensitive data using the camera.

July 19, 2022 by Jamf Threat Labs

CloudMensis malware stealing your joy? Jamf’s got you covered!

Jamf Protect, Security, Jamf Threat Labs

CloudMensis is a new macOS spyware discovered by ESET. Researchers noted that this malware’s primary goal is to exfiltrate data, such as documents, keystrokes, screen captures, emails and other potentially sensitive data.

How does it accomplish this?

In an attempt to bypass the various security features built-in to macOS, such as escaping the Safari sandbox and bypassing specific Transparency, Consent and Controls (TCC), CloudMensis uses multiple n-day exploits. It also leverages cloud storage services as its means of sending commands to victim computers. The cloud storage providers used by this malware are pCloud, Yandex Disk and Dropbox.

Not the first but not the last either

While this is not the first malware on macOS utilizing cloud storage for command and control (C2), it is among the most recent making its rounds in the wild. For example, earlier this year the Gimmick malware used Google Drive as its means of C2 as well.

Jamf’s got your six

Jamf Protect has been updated to protect against all known samples of CloudMensis as of July 19, 2022. In the event that your endpoints have yet to be updated, rest assured that Jamf Protect’s behavioral detections will trigger alerts upon detecting various stages of this malware. This includes attempts to bypass or exploit TCC, alongside the creation of specific launch daemons.

IoCs as published by ESET

File Paths /Library/WebServer/share/httpd/manual/WindowServer /Library/LaunchDaemons/.com.apple.WindowServer.plist ~/Library/Containers/com.apple.FaceTime/Data/Library/windowserver ~/Library/Containers/com.apple.Notes/Data/Library/.CFUserTextDecoding ~/Library/Containers/com.apple.languageassetd/loginwindow ~/Library/Application Support/com.apple.spotlight/Resources_V3/.CrashRep Mach-O Hashes D7BF702F56CA53140F4F03B590E9AFCBC83809DB 0AA94D8DF1840D734F25426926E529588502BC08 C3E48C2A2D43C752121E55B909FC705FE4FDAEF6

Interested in getting to know the Jamf Threat Labs team?

Learn more about what they do and how their work contributes to keeping Jamf customers safe.

Meet the JTL

Jamf Threat Labs

Jamf

Jamf Threat Labs is comprised of experienced threat researchers, cybersecurity experts and data scientists, with skills that span penetration testing, network monitoring, malware research and app risk assessment primarily focused on Apple and mobile ecosystems.

Previous Blog Post:
Prev
Jamf After Dark: Everything You Need to Know about JNUC 2022 Blog Homepage
Next Blog Post:
Next
Jamf and PKI: A strong foundation for Zero Trust security

Related Resources

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

Email Address (Work)

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.

CloudMensis malware stealing your joy? Jamf’s got you covered!

How does it accomplish this?

Not the first but not the last either

Jamf’s got your six

IoCs as published by ESET

Interested in getting to know the Jamf Threat Labs team?

What is Jamf Threat Labs?

How Apple keeps Mac safe from malware and what admins should know about it

Jamf Threat Labs identifies Safari vulnerability allowing for Gatekeeper bypass