Watering-Hole Attacks Infect macOS with New DazzleSpy Backdoor

Watering-Hole Attacks Infect macOS with New DazzleSpy Backdoor

Short News:-

A previously undocumented cyber-espionage malware leveraged a Safari web browser exploit as part of a watering hole attack. The malware delivered to visitors of the D100 Radio site was a new macOS backdoor codenamed DazzleSpy. ESET attributes the intrusion to an actor with "strong technical capabilities".

Detailed News:-

Apple's macOS operating system was the target of a previously unreported cyber-espionage malware that used a Safari web browser vulnerability to target pro-democracy activists in Hong Kong.

Hackers with "high technical capabilities" were responsible for the intrusion, which ESET blamed on a "similar digital offensive" revealed by Google Threat Analysis Group (TAG) in November 2021.

At some point between September 30 and November 4 of 2021, hackers gained access to D100 Radio, a Hong Kong-based pro-democracy internet radio station, and used it to inject malicious inline frames (also known as iframes).

Later, using a weakness in WebKit that Apple addressed in February 2021, the altered code functioned as a conduit for loading a Mach-O file (CVE-2021-1789). When formatted properly, more than 1,000 lines of code were used to acquire code execution in the browser," ESET researchers added.

An intermediary Mach-O program that exploits a now-patched local privilege elevation vulnerability in the kernel component (CVE-2021-30869) is then executed, which then launches a later stage of malware that is launched as a root user.

A new macOS backdoor dubbed DazzleSpy was given to visitors of the D100 Radio site instead of the implant named MACMA that Google TAG described as the culmination of the infection sequence.

Besides adding a number of other characteristics, the researchers said the malware gives attackers "a vast set of functionalities to control, and exfiltrate files from, a hacked device."

obtaining data on the system

the ability to run arbitrary shell scripts

If the macOS version is lower than 10.14.4, a CVE-2019-8526 vulnerability can be used to dump the iCloud Keychain.

A remote screen session can be started or ended via these two methods:

Self-destructing from the computer

An iframe injection on a Hong Kong-targeted website was used to transmit LightSpy iOS malware (reported by Trend Micro and Kaspersky) in the same way, leading to a WebKit exploit, the researchers explained. If the two campaigns were orchestrated by the same people, it's not obvious.