Researchers from ESET have shed light on a new macOS backdoor, discovered in April 2022, dubbed CloudMensis. At first glance this is just the latest example of spyware targeting the Apple operating system with the intent of exfiltrating documents, keystrokes, and screen captures. However, as the name suggests, one of the interesting features of this malware is a sophisticated two-stage kill chain that exploits legitimate cloud services in different phases of the attack.
Specifically, a cloud storage service, pCloud, is used to store and deliver the second stage payload, and once the second stage payload is installed, CloudMensis leverages more cloud storage services for both receiving commands from its operators and for exfiltrating files, using three different providers: pCloud, Yandex Disk, and Dropbox.
This is further confirmation that, as organizations give their digital trust to reliable online storage services for their daily business, threat actors are constantly looking for new ways to exploit this trust, to launch evasive campaigns that are difficult to detect. Threat actors are drawn to the very same reliability and simplicity to set up their malicious infrastructure that appeals to the organizations they target and so we all find ourselves using the same cloud applications on both sides of the battlefield.
This campaign proves that new cloud storage services are constantly added to the long list of those exploited