Hackers Use a Zero-Day Vulnerability In macOS To Target Hong Kong Users with A New Implant

On Thursday, Google researchers revealed that they discovered a watering hole attack in late August. It targeted Hong Kong websites belonging to a media outlet and significant pro-democracy labor and political organization using a now-patched zero-day vulnerability in the macOS. The objective was to install a never-before-seen backdoor on infected devices.

According to Google Threat Analysis Group (TAG) analyst Erye Hernandez, this threat actor is believed to be a well-resourced group, possibly state-supported, with access to their software engineering team based on the payload code’s quality.

The security flaw, tracked as CVE-2021-30869 (CVSS score of 7.8), is a type confusion vulnerability in the XNU kernel component that could allow a malicious application to execute arbitrary code with the highest privileges. Apple addressed the problem on September 23.

TAG discovered an exploit chain that linked CVE-2021-1789 to the previously disclosed CVE-2021-30869 to escape the Safari sandbox, escalate privileges, and then download and run a second-stage payload, dubbed “MACMA,” from a remote server.

According to Google TAG, this previously unknown malware is a comprehensive implant with the ability to record audio and keystrokes, fingerprint the device, grab the screen, download and upload arbitrary files, and execute malicious terminal commands. Anti-malware engines presently do not recognize the backdoor files as harmful, according to samples supplied to VirusTotal.

A 2019 variant of MACMA, according to security researcher Patrick Wardle, masquerades as Adobe Flash Player, with the malware presenting an error notice in Chinese after installation, signifying that “the virus is oriented for Chinese users,” and “this version of the malware is meant to be distributed using social engineering tactics.” The 2021 edition, on the other hand, is intended for remote delivery.

The websites, which had been injected with malicious code that served exploits from an attacker-controlled server, were also used to target iOS users through a separate exploit chain delivered to the victims’ browsers. According to Google TAG, it could only retrieve a portion of that infection flow, in which a type confusion flaw (CVE-2019-8506) was exploited to achieve code execution in Safari. Further indicators of compromise (IoCs) related to the campaign have been published by Google TAG.

About the author

CIM Team