
Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks


A previously undocumented cyber-espionage malware aimed at
Apple’s macOS operating system leveraged a Safari web browser
exploit as part of a watering hole attack targeting politically
active, pro-democracy individuals in Hong Kong.

Slovak cybersecurity firm ESET attributed[1]
the intrusion to an actor with “strong technical capabilities,”
noting the campaign’s overlaps with a similar digital
offensive disclosed[2]
by Google Threat Analysis Group (TAG) in November 2021.

The attack chain involved compromising a legitimate website
belonging to D100 Radio, a pro-democracy internet radio station in
Hong Kong, to inject malicious inline frames (aka iframes[3]) between September 30
and November 4, 2021.

In the next phase, the tampered code acted as a conduit to load
a Mach-O[4]
file by leveraging a remote code execution bug in WebKit that was
fixed by Apple in February 2021 (CVE-2021-1789[5]). “The exploit used to
gain code execution in the browser is quite complex and had more
than 1,000 lines of code once formatted nicely,” ESET researchers
said.

A successful WebKit remote code execution in turn
triggers the execution of the intermediate Mach-O binary, which
exploits a now-patched local privilege escalation
vulnerability in the kernel component (CVE-2021-30869[6]) to run the next-stage
malware as root.

While the infection sequence detailed by Google TAG culminated
in the installation of an implant called MACMA, the malware
delivered to visitors of the D100 Radio site was a new macOS
backdoor that ESET has codenamed DazzleSpy.

The malware provides attackers “a large set of functionalities
to control, and exfiltrate files from, a compromised computer,” the
researchers explained, in addition to incorporating a number of
other features, including —

  • Harvesting system information
  • Executing arbitrary shell commands
  • Dumping iCloud Keychain using a CVE-2019-8526[7]
    exploit if the macOS version is lower than 10.14.4
  • Starting or terminating a remote screen session, and
  • Deleting itself from the machine

“This campaign has similarities with one from 2020 where
LightSpy[8]
iOS malware (described by Trend Micro[9]
and Kaspersky[10]) was distributed the
same way, using iframe injection on websites for Hong Kong citizens
leading to a WebKit exploit,” the researchers said. That said, it’s
not immediately clear whether both campaigns were orchestrated by
the same group.
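Both the D100 Radio compromise and the earlier LightSpy campaign hinged on iframes injected into a legitimate site to pull in a WebKit exploit. The following is an added example, not code from the article or from ESET, of a site-integrity check a defender could run over a page's served HTML: it flags iframes that point off-origin (and are not on an allow-list) or that are hidden. The HTML, the site origin and the `attacker-placeholder.invalid` host are constructed placeholders.

```python
# Added example: detect injected-looking iframes in a site's served HTML.
# Sample input is constructed; it is not the D100 Radio page or any real IoC.
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """Heuristic: zero/one-pixel frames or CSS that hides the element."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def suspicious_iframes(html, site_origin, allowed_origins=()):
    """Return iframes whose src is off-origin and not allow-listed, or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        origin = urlparse(src).netloc.lower()  # empty for relative src values
        off_origin = bool(origin) and origin != site_origin and origin not in allowed_origins
        hidden = _is_hidden(attrs)
        if off_origin or hidden:
            hits.append({"src": src, "hidden": hidden, "off_origin": off_origin})
    return hits


# Constructed sample: one legitimate same-origin player embed, one injected
# zero-size, display:none iframe pointing at a placeholder exploit host.
SAMPLE_HTML = """
<html><body>
<iframe src="https://radio.example.org/player" width="640" height="360"></iframe>
<iframe src="https://attacker-placeholder.invalid/landing" width="0" height="0"
        style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML, "radio.example.org"):
        print("ALERT injected-looking iframe:", hit)
```

Running this against a known-good copy of each page and diffing the results catches an injected frame even when the attacker's host changes.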

References

  1. attributed (www.welivesecurity.com)
  2. disclosed (thehackernews.com)
  3. iframes (developer.mozilla.org)
  4. Mach-O (en.wikipedia.org)
  5. CVE-2021-1789 (support.apple.com)
  6. CVE-2021-30869 (thehackernews.com)
  7. CVE-2019-8526 (nvd.nist.gov)
  8. LightSpy (thehackernews.com)
  9. Trend Micro (www.trendmicro.com)
  10. Kaspersky (securelist.com)