

While this is not the first malware on macOS utilizing cloud storage for command and control (C2), it is among the most recent making its rounds in the wild. For example, earlier this year the Gimmick malware used Google Drive as its means of C2 as well.

The cloud storage providers used by this malware are pCloud, Yandex Disk and Dropbox. It also leverages these cloud storage services as its means of sending commands to victim computers. In an attempt to bypass the various security features built into macOS, such as escaping the Safari sandbox and bypassing specific Transparency, Consent, and Control (TCC) protections, CloudMensis uses multiple n-day exploits.

Jamf Protect has been updated to protect against all known samples of CloudMensis as of July 19, 2022. In the event that your endpoints have yet to be updated, rest assured that Jamf Protect's behavioral detections will trigger alerts upon detecting various stages of this malware. This includes attempts to bypass or exploit TCC, alongside the creation of specific launch daemons.

Associated file paths:

~/Library/Containers//Data/Library/.CFUserTextDecoding
~/Library/Containers//Data/Library/windowserver
Library/WebServer/share/httpd/manual/WindowServer
