Researchers from ESET have shed light on a new macOS backdoor, discovered in April 2022, dubbed CloudMensis. At first glance this is just the latest example of spyware targeting the Apple operating system with the intent of exfiltrating documents, keystrokes, and screen captures. However, as the name suggests, one of the interesting features of this malware is a sophisticated two-stage kill chain that exploits legitimate cloud services in different phases of the attack.
Specifically, a cloud storage service, pCloud, is used to store and deliver the second stage payload, and once the second stage payload is installed, CloudMensis leverages more cloud storage services for both receiving commands from its operators and for exfiltrating files, using three different providers: pCloud, Yandex Disk, and Dropbox.
This is further confirmation that, as organizations give their digital trust to reliable online storage services for their daily business, threat actors are constantly looking for new ways to exploit this trust, to launch evasive campaigns that are difficult to detect. Threat actors are drawn to the very same reliability and simplicity to set up their malicious infrastructure that appeals to the organizations they target and so we all find ourselves using the same cloud applications on both sides of the battlefield.
This campaign proves that new cloud storage services are constantly added to the long list of those exploited for malicious purposes, while apps such as Dropbox are a well established weapon in the hands of threat actors. Dropbox is considered by the attackers to be a reliable and flexible service (for both delivering the payload and hosting the command and control infrastructure), and for this reason it has been successfully deployed for campaigns driven by cyber crime and cyber espionage, also in a recent campaign carried out by the infamous Russian-speaking threat actor APT29.
How Netskope mitigates the risk of legitimate cloud services exploited for malicious purposes
Dropbox is one of thousands of services where the Netskope Next Gen SWG can provide granular access control and one of dozens for which instance detection is also available. In similar cases where Dropbox is exploited to host the command and control, it is possible to configure a policy that prevents potentially dangerous activities (such as upload and download) from non-corporate instances. It is also possible to make the scope of the policy broader, blocking these activities for any unneeded cloud storage service on a category basis (including pCloud and Yandex Cloud) that can potentially be exploited for command and control or malware delivery.
Malware delivery from a cloud storage service can also be prevented through Netskope Threat Protection, part of the NG-SWG, which provides an effective defense against modern evasive threats regardless of the nature of the traffic (web or cloud) with a layered approach that offers multiple engines, ranging from antivirus to cloud sandboxing, plus additional detectors based on machine learning to detect Office documents containing malicious macros and portable executables.