
Hong Kong Users Targeted With A macOS Vulnerability

According to Google Threat Analysis Group (TAG) analyst Erye Hernandez, “based on our results, we assess this threat actor to be a well-resourced group, presumably state supported, with access to their own software engineering team based on the quality of the payload code.”

The CVE-2021-30869 security flaw (CVSS score: 7.8) affects the XNU kernel component and is a type confusion vulnerability that might allow a malicious application to execute arbitrary code with the highest privileges.

Apple released a standalone update for macOS Catalina devices on September 23 — a gap of 234 days between the two patches — highlighting how inconsistencies in resolving vulnerabilities across different versions of the operating system can be exploited by threat actors to their advantage.


TAG observed an exploit chain that used CVE-2021-1789, a remote code execution bug in WebKit that was fixed in February 2021, together with the aforementioned CVE-2021-30869 to break out of the Safari sandbox, elevate privileges, and download and execute a second-stage payload dubbed “MACMA” from a remote server.

According to Google TAG, it was only able to recover a portion of the infection flow, in which a type confusion issue (CVE-2019-8506) was exploited to achieve code execution in Safari.

The websites, which hosted malicious code that served exploits from an attacker-controlled server, were also used to target iOS users, albeit through a different exploit chain delivered to the victims’ browser.

Security researcher Patrick Wardle reported that the earlier (2019) version of the malware masquerades as Adobe Flash Player, with the binary displaying an error message in Chinese after installation, and that “the malware is geared towards Chinese users and that this version of the malware is designed to be deployed through social engineering methods.” The 2021 edition, on the other hand, is intended for remote use.

Indicators Of Compromise:
