On Thursday, Google researchers revealed that they had discovered a watering hole attack in late August. It targeted Hong Kong websites belonging to a media outlet and a prominent pro-democracy labor and political organization, using a now-patched zero-day vulnerability in macOS. The objective was to install a never-before-seen backdoor on infected devices.
According to Google Threat Analysis Group (TAG) analyst Erye Hernandez, this threat actor is believed to be a well-resourced group, possibly state-backed, with access to its own software engineering team, judging by the quality of the payload code.
The security flaw, CVE-2021-30869 (CVSS score of 7.8), affects the XNU kernel component and is a type confusion vulnerability that could allow a malicious application to run arbitrary code with the highest privileges. Apple addressed the problem on September 23.
TAG discovered an exploit chain that combined CVE-2021-1789 with the previously disclosed CVE-2021-30869 to escape the Safari sandbox, escalate privileges, and then download and run a second-stage payload, dubbed “MACMA,” from a remote server.
According to Google TAG, this previously unknown malware is a full-featured implant with the ability to record audio and keystrokes, fingerprint the device, capture the screen, download and upload arbitrary files, and execute terminal commands. Based on samples uploaded to VirusTotal, anti-malware engines do not currently flag the backdoor files as malicious.
A 2019 variant of MACMA, according to security researcher Patrick Wardle, masquerades as Adobe Flash Player, with the malware displaying an error message in Chinese after installation, indicating that “the virus is oriented for Chinese users,” and “this version of the malware is meant to be distributed using social engineering tactics.” The 2021 version, on the other hand, is built for remote exploitation.
The websites, which contained malicious code that served exploits from an attacker-controlled server, were also used to target iOS users through a separate exploit chain delivered to the victims’ browsers. According to Google TAG, it could only recover a portion of the infection flow, in which a type confusion flaw (CVE-2019-8506) was exploited to achieve code execution in Safari. Here you can find more indicators of compromise (IoCs) related to the campaign.