A previously undocumented cyber-espionage malware targeting Apple's macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack aimed at politically active, pro-democracy individuals in Hong Kong.
Slovak cybersecurity firm ESET attributed the intrusion to an actor with "strong technical capabilities," calling out the campaign's overlaps with a similar digital offensive disclosed by Google Threat Analysis Group (TAG) in November 2021.
The attack chain involved compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, to inject malicious inline frames (aka iframes) between September 30 and November 4, 2021.
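Injected iframes of this kind are usually either hidden (zero-sized or styled invisible) or point off the site's own origin, or both. The following is an added example, not ESET's tooling or code from the article: a small stdlib-only Python check that parses fetched HTML and flags iframes that are off-origin or hidden. The HTML snippet and the hostnames in it are constructed placeholders, not indicators from the campaign.

```python
"""Flag off-origin or hidden <iframe> tags in a fetched page.

Added example (not from the article or from ESET). The sample HTML and the
hostnames it contains are constructed for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True for frames styled invisible or declared with a zero dimension."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "1"))
        height = int(attrs.get("height", "1"))
    except ValueError:
        return False  # percentages, etc.: not decidable here
    return width == 0 or height == 0


def suspicious_iframes(html, page_origin):
    """Return a list of (src, reasons) for iframes that are off-origin or hidden.

    page_origin is the URL the HTML was fetched from; a relative src has no
    hostname and is treated as same-origin.
    """
    parser = IframeCollector()
    parser.feed(html)
    origin_host = urlparse(page_origin).hostname
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host != origin_host:
            reasons.append("off-origin")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a legitimate same-origin player, a hidden off-origin
# frame of the kind a watering hole injects, and a visible off-origin embed.
SAMPLE_HTML = """
<html><body>
<iframe src="/player" width="400" height="80"></iframe>
<iframe src="https://cdn.placeholder.invalid/x.html" width="0" height="0"
        style="display: none"></iframe>
<iframe src="https://embed.placeholder.invalid/widget"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "https://radio.placeholder.invalid/"):
        print(f"{src}: {', '.join(reasons)}")
```

The visible off-origin embed is reported too; that is deliberate, since a reviewer comparing a page against a known-good copy wants every third-party frame listed, and the hidden zero-size one stands out by its reasons.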
In the next stage, the tampered code acted as a conduit to load a Mach-O file by exploiting a remote code execution bug in WebKit that was fixed by Apple in February 2021 (CVE-2021-1789). "The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely," ESET researchers said.
Successful WebKit remote code execution then triggers the execution of the intermediate Mach-O binary, which in turn exploits a now-patched local privilege escalation vulnerability in the kernel component (CVE-2021-30869) to run the next-stage malware as root.
While the infection sequence detailed by Google TAG culminated in the installation of an implant called MACMA, the malware delivered to visitors of the D100 Radio website was a new macOS backdoor that ESET has codenamed DazzleSpy.
The malware gives attackers "a large set of functionalities to control, and exfiltrate files from, a compromised computer," the researchers said, in addition to a number of other features, including:
- Harvesting system information
- Executing arbitrary shell commands
- Dumping the iCloud Keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4
- Starting or terminating a remote screen session, and
- Deleting itself from the machine
"This campaign has similarities with one from 2020 where LightSpy iOS malware (described by Trend Micro and Kaspersky) was distributed the same way, using iframe injection on websites for Hong Kong citizens leading to a WebKit exploit," the researchers said. That said, it is not immediately clear whether both campaigns were orchestrated by the same group.