New DazzleSpy malware infects macOS devices through hacked websites

New DazzleSpy malware infects macOS devices through hacked websites

Protesters in Hong Kong were tricked into visiting a compromised pro-democracy radio station website that delivered DazzleSpy malware through a Safari exploit.

The IT security researchers at ESET have reported a new macOS malware strain used in targeted attacks against the visitors of a fake pro-democracy radio station website (fightforhkcom) in Hong Kong. The cyber-espionage malware is dubbed DazzleSply, and it targets macOS devices in watering-hole attacks.

It is worth noting that the malicious website was originally identified by Félix Aimé, an IT security researcher. Félix noted that the website was created from the scratch with the sole purpose of spreading malware.

New DazzleSpy malware infects macOS devices through hacked websites

According to researchers, DazzleSpy is basically a backdoor that helps carry out surveillance on a compromised Mac device. The malware is delivered through a Safari browser exploit and used against pro-democracy and politically active people residing in Hong Kong.

Reportedly, a previously identified zero-day flaw was exploited to conduct watering-hole attacks and install a backdoor on users’ iOS/macOS devices who visited pro-democracy websites in Hong Kong.

According to ESET, in this case, the website was used to encourage a watering hole attack and serve a Safari browser exploit to visitors, which leads to the deployment and execution of DazzleSpy on infected machines.

New DazzleSpy malware infects macOS devices through hacked websites
Screenshot of the compromised and fake pro-democracy website used in the attack (Image: ESET)

Campaign using a WebKit Exploit

As mentioned above, in this campaign, attackers are exploiting a WebKit exploit to infect Mac users. The attack chain commences after a script is run to check the macOS version installed on the device. JavaScript embedded with exploit code, namely mac.js, is then deployed for triggering the WebKit engine flaw.

Researchers believe that the exploit is used primarily to gain memory read and write access, object address leaks, and create fake JavaScript objects. The attack chain also involves acquiring a Mach-O executable that’s loaded into memory to achieve code execution via a local privilege escalation (LPE) vulnerability that allows it to run as root and execute the subsequent payload.

According to ESET’s report published Tuesday, DazzleSpy is a full-featured backdoor, the skillful operators of which are yet unidentified. It is a novel piece of malware that accepts a long list of commands. For instance, DazzleSpy can search for particular files to exfiltrate and enumerate them in the Desktop, Documents, and Downloads folders.

Furthermore, it can execute shell commands, steal/move/rename files, enumerate running processes, monitor/start/end remote sessions, log mouse events, and perform certain tasks required to exploit the CVE-2019-8526 vulnerability, a critical flaw fixed by Apple on macOS Mojave 10.14.4.

That’s not all. DazzleSpy tries to communicate with its C2 server under high security. But if someone attempts to spy by inserting a TLS-inspection key between the infected machine and the C2 server, the malware enforces end-to-end encryption and refrains from contacting its C2 server.

It also observers whether it can take advantage of CVE-2019-8526, and if the device version is below 10.14.4, it steals keychain information.

Previous Coverage

ESET’s investigation follows previous research conducted by Google’s Threat Analysis Group (TAG) security team in November 2021. On November 11, TAG reported that they had discovered watering hole attacks on a media outlet, mainly a pro-democracy political website.

The key targets are politically active Hong Kong residents. TAG also noted that in late 2021, a new macOS backdoor was deployed on devices by exploiting XNU, the iOS and macOS kernel, the browser engine that powers Safari, and Webkit vulnerabilities. The flaw was later tracked as CVE-2021-30869, a type-confusion zero-day flaw that Apple has now patched.

Based on our findings, we believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code.

Google’s Threat Analysis Group (TAG)
Related Posts