A previously undocumented cyber-espionage malware aimed at Apple’s macOS operating system exploited a Safari web browser vulnerability as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong. ESET attributed the intrusion to an actor with “strong technical capabilities” and noted similarities between the campaign and a previous digital offensive disclosed by Google Threat Analysis Group (TAG) in November 2021.
Between September 30 and November 4, 2021, the attack chain involved compromising the legitimate website of D100 Radio, a pro-democracy internet radio station in Hong Kong, to inject malicious inline frames (aka iframes). The tampered code then served as a conduit to load a Mach-O file by exploiting a remote code execution bug in WebKit that Apple fixed in February 2021 (CVE-2021-1789). “The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely,” ESET researchers stated.
Once the WebKit remote code execution succeeds, the intermediate Mach-O binary is executed, which in turn leverages a now-patched local privilege escalation vulnerability in the kernel component (CVE-2021-30869) to launch the next-stage malware as the root user. According to ESET, while the infection chain described by Google TAG resulted in the installation of an implant known as MACMA, the malware delivered to D100 Radio site visitors was a new macOS backdoor known as DazzleSpy.
The researchers explained that the malware offers attackers “a large set of functionalities to control, and exfiltrate files from, a compromised computer,” and incorporates many additional features, such as:
- Harvesting system information
- Executing arbitrary shell commands
- Dumping the iCloud Keychain using a CVE-2019-8526 exploit if the macOS version is below 10.14.4
- Starting or terminating a remote screen session, and
- Deleting itself from the machine
The researchers said that this campaign resembles one from 2020, when the LightSpy iOS malware (reported by Trend Micro and Kaspersky) was distributed in the same way, via iframe injection on Hong Kong-based websites leading to exploitation of a WebKit vulnerability. However, it’s unclear whether the same group conducted the two campaigns.