Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks
A previously undocumented cyber-espionage malware aimed at Apple’s macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong.
Slovak cybersecurity firm ESET attributed the intrusion to an actor with “strong technical capabilities,” calling out the campaign’s overlaps with a similar digital offensive disclosed by Google Threat Analysis Group (TAG) in November 2021.
The attack chain involved compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, to inject malicious inline frames (aka iframes) between September 30 and November 4, 2021.
In the next phase, the tampered code acted as a conduit to load a Mach-O file by leveraging a remote code execution bug in WebKit that was fixed by Apple in February 2021 (CVE-2021-1789). “The exploit used to achieve code execution in the browser is kind of complicated and had more than 1,000 lines of code once formatted properly,” ESET researchers said.
The success of the WebKit remote code execution subsequently triggers the execution of the intermediate Mach-O binary that, in turn, exploits a now-patched local privilege escalation vulnerability in the kernel component (CVE-2021-30869) to run the next-stage malware as the root user.
While the infection sequence detailed by Google TAG culminated in the installation of an implant called MACMA, the malware delivered to visitors of the D100 Radio site was a new macOS backdoor that ESET has codenamed DazzleSpy.
The malware provides attackers “a big set of functionalities to manage, and exfiltrate files from, a compromised computer,” the researchers explained, in addition to incorporating a number of other features, including:
- Harvesting system information
- Executing arbitrary shell commands
- Dumping iCloud Keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4
- Starting or terminating a remote screen session, and
- Deleting itself from the machine
“This campaign is similar to one from 2020 where LightSpy iOS malware (described by Trend Micro and Kaspersky) was distributed the same way, using iframe injection on websites for Hong Kong residents leading to a WebKit exploit,” the researchers said. That said, it isn’t immediately clear if both campaigns were orchestrated by the same group.