Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks

The Hacker News (thehackernews.com), Jan 25, 2022, 12:32 p.m.

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

A previously undocumented cyber-espionage malware aimed at Apple’s macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong.

Slovak cybersecurity firm ESET attributed the intrusion to an actor with “strong technical capabilities,” pointing out the campaign’s overlaps with a similar digital offensive disclosed by Google Threat Analysis Group (TAG) in November 2021.

The attack chain involved compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, to inject malicious inline frames (aka iframes) between September 30 and November 4, 2021. Separately, a fraudulent website called “fightforhk[.]com” was also registered for the purpose of luring liberation activists.
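As an added example (not code from the article or from ESET), the following Python scanner is what a site operator could run over their own served pages to flag iframes of the kind this campaign injected: frames that are hidden or that point to a different origin than the page itself. The host names in the sample HTML are constructed placeholders.

```python
"""Flag hidden or cross-origin <iframe> elements in a served HTML page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """True if the frame is invisible via CSS or zero width/height."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim)
        if value is not None and re.fullmatch(r"0+(px)?", value.strip().lower()):
            return True
        if re.search(r"(?:^|;)" + dim + r":0+(?:px)?;", style + ";"):
            return True
    return False


def find_suspicious_iframes(html, page_url):
    """Return [(src, [reasons])] for frames that are cross-origin or hidden."""
    site_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname  # None for relative URLs
        reasons = []
        if host and host != site_host:
            reasons.append("cross-origin src " + host)
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate player, one injected hidden frame
# pointing at an external host, one hidden same-origin frame.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.example-radio.test/player" width="300" height="80"></iframe>
<iframe src="https://cdn.example-attacker.test/landing.html" width="0" height="0"
        style="display:none"></iframe>
<iframe src="/schedule" style="width:0px;height:0px;"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML, "https://www.example-radio.test/index.html"):
        print(src, "->", ", ".join(why))
```

Run it against a snapshot of each page on a schedule and diff the findings against a known-good baseline; a newly appearing hidden or cross-origin frame is the signal worth alerting on.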

In the next phase, the tampered code acted as a conduit to load a Mach-O file by leveraging a remote code execution bug in WebKit that was fixed by Apple in February 2021 (CVE-2021-1789). “The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely,” ESET researchers said.

The success of the WebKit remote code execution subsequently triggers the execution of the intermediate Mach-O binary that, in turn, exploits a now-patched local privilege escalation vulnerability in the kernel component (CVE-2021-30869) to run the next stage malware as a root user.

While the infection sequence detailed by Google TAG culminated in the installation of an implant called MACMA, the malware delivered to visitors of the D100 Radio site was a new macOS backdoor that ESET has codenamed DazzleSpy.

The malware provides attackers “a large set of functionalities to control, and exfiltrate files from, a compromised computer,” the researchers explained, in addition to incorporating a number of other features, including:

  • Harvesting system information
  • Executing arbitrary shell commands
  • Dumping iCloud Keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4
  • Starting or terminating a remote screen session, and
  • Deleting itself from the machine

Among other interesting findings about the attacks is that once the malware obtains the current date and time on a compromised computer, it converts the obtained date to the Asia/Shanghai time zone (aka China Standard Time), before sending it to the command-and-control server.

“This campaign has similarities with one from 2020 where LightSpy iOS malware (described by Trend Micro and Kaspersky) was distributed the same way, using iframe injection on websites for Hong Kong citizens leading to a WebKit exploit,” the researchers said. That said, it’s not immediately clear if both the campaigns were orchestrated by the same group.
