A previously undocumented cyber-espionage malware aimed at Apple’s macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong.
Slovak cybersecurity firm ESET attributed the intrusion to an actor with “strong technical capabilities,” calling out the campaign’s overlaps to that of a similar digital offensive disclosed by Google Threat Analysis Group (TAG) in November 2021.
The attack chain involved compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, to inject malicious inline frames (aka iframes) between September 30 and November 4, 2021. Separately, a fraudulent website called “fightforhk[.]com” was also registered for the purpose of luring liberation activists.
In the next phase, the tampered code acted as a conduit to load a Mach-O file by leveraging a remote code execution bug in WebKit that was fixed by Apple in February 2021 (CVE-2021-1789). “The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely,” ESET researchers said.
The success of the WebKit remote code execution subsequently triggers the execution of the intermediate Mach-O binary that, in turn, exploits a now-patched local privilege escalation vulnerability in the kernel component (CVE-2021-30869) to run the next stage malware as a root user.
While the infection sequence detailed by Google TAG culminated in the installation of an implant called MACMA, the malware delivered to visitors of the D100 Radio site was a new macOS backdoor that ESET has codenamed DazzleSpy.
The malware provides attackers “a large set of functionalities to control, and exfiltrate files from, a compromised computer,” the researchers explained, in addition to incorporating a number of other features, including —
- Harvesting system information
- Executing arbitrary shell commands
- Dumping iCloud Keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4
- Starting or terminating a remote screen session, and
- Deleting itself from the machine
Among other interesting findings about the attacks is that once the malware obtains the current date and time on a compromised computer, it converts the obtained date to the Asia/Shanghai time zone (aka China Standard Time), before sending it to the command-and-control server.
“This campaign has similarities with one from 2020 where LightSpy iOS malware (described by Trend Micro and Kaspersky) was distributed the same way, using iframe injection on websites for Hong Kong citizens leading to a WebKit exploit,” the researchers said. That said, it’s not immediately clear if both the campaigns were orchestrated by the same group.