Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks

January 25, 2022

A previously undocumented cyber-espionage malware aimed at Apple's macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong.

Slovak cybersecurity firm ESET attributed the intrusion to an actor with "strong technical capabilities," calling out the campaign's overlaps with a similar digital offensive disclosed by Google Threat Analysis Group (TAG) in November 2021.

The attack chain involved compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, to inject malicious inline frames (aka iframes) between September 30 and November 4, 2021.

Subsequently, the tampered code acted as a conduit to load a Mach-O file by leveraging a remote code execution bug in WebKit that was fixed by Apple in February 2021 (CVE-2021-1789). "The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely," ESET researchers said.

The successful WebKit remote code execution subsequently triggers the execution of the intermediate Mach-O binary which, in turn, exploits a now-patched local privilege escalation vulnerability in the kernel component (CVE-2021-30869) to run the next-stage malware as the root user.
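A defender-side integrity check for the iframe injection described above, as an added example that is not code from the article or from ESET: it compares the iframes found in a fetched page against a known-good snapshot and the site's own domain, and flags anything else for review. The hostnames and HTML used here are constructed placeholders.

```python
"""Added example (not from the article or ESET): flag iframes in a page that a
watering-hole injection may have added.  Hostnames and HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag ('' if absent)."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")


def iframe_sources(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.srcs


def suspicious_iframes(html, site_host, baseline_srcs=()):
    """Return iframe srcs not in the known-good baseline that are off-domain,
    use a non-http(s) scheme, or have no src at all (srcdoc/scripted frames)."""
    flagged = []
    for src in iframe_sources(html):
        if src in baseline_srcs:
            continue
        parsed = urlparse(src)
        host = parsed.hostname
        if parsed.scheme and parsed.scheme not in ("http", "https"):
            flagged.append(src)           # javascript:, data:, ... frames
        elif host is None:
            if src == "":
                flagged.append(src)       # no src: content set by srcdoc/script
            # else a relative URL, i.e. same origin as the page: accept
        elif host != site_host and not host.endswith("." + site_host):
            flagged.append(src)           # third-party frame not in baseline
    return flagged


# Constructed sample: the legitimate player frame plus a hidden injected one.
BASELINE = ["https://player.example-radio.test/live"]
PAGE = """<html><body><h1>Live stream</h1>
<iframe src="https://player.example-radio.test/live"></iframe>
<iframe src="https://cdn.attacker-placeholder.test/x.html" style="display:none"></iframe>
</body></html>"""
```

Run it periodically against the live HTML of each page and alert on a non-empty result; a hidden 1x1 or display:none frame pointing off-site is the pattern this campaign used.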

While the infection sequence detailed by Google TAG culminated in the installation of an implant called MACMA, the malware delivered to visitors of the D100 Radio website was a new macOS backdoor that ESET has codenamed DazzleSpy.

The malware provides attackers "a large set of functionalities to control, and exfiltrate files from, a compromised computer," the researchers said, in addition to incorporating a number of other features, such as:

  • Harvesting system information
  • Executing arbitrary shell commands
  • Dumping the iCloud Keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4
  • Starting or terminating a remote screen session, and
  • Deleting itself from the machine

"This campaign has similarities with one from 2020 where LightSpy iOS malware (described by Trend Micro and Kaspersky) was distributed the same way, using iframe injection on websites for Hong Kong citizens leading to a WebKit exploit," the researchers said. That said, it is not immediately clear whether both campaigns were orchestrated by the same group.

Some parts of this post are sourced from:
thehackernews.com