Hackers Infect MacOS With New DazzleSpy Backdoor Using Watering Hole Attacks

Slovak cybersecurity firm ESET attributed the intrusion to an actor with strong technical capabilities, calling out the campaign's overlaps with a similar digital offensive that Google's Threat Analysis Group (TAG) disclosed in November 2021.

A previously unknown cyber-espionage malware targeting Apple's macOS operating system used a Safari web browser exploit as part of a watering hole attack aimed at politically active, pro-democracy Hong Kong citizens. The backdoor gives its operators a large set of functionalities to control a compromised computer and exfiltrate files from it, including:

  • Harvesting system information
  • Executing arbitrary shell commands
  • Dumping iCloud Keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4
  • Starting or terminating a remote screen session
  • Deleting itself from the machine

While Google TAG’s infection sequence resulted in the installation of an implant known as MACMA, the malware delivered to D100 Radio site visitors was a new macOS backdoor known as DazzleSpy. 

Between September 30 and November 4, 2021, the attack chain involved compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, in order to inject malicious inline frames (aka iframes) into its pages. Separately, a fraudulent website called “fightforhk[.]com” was registered to entice liberation activists.
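Watering hole campaigns of this kind leave a small footprint on the compromised site: one extra iframe, usually pointing off-site and styled to be invisible. The script below is an added example, not code from ESET, D100 Radio or the campaign itself. It shows how a site owner could catch such an injection by diffing the live HTML of a page against a known-good baseline and flagging iframes that are new and either load third-party content or are hidden. The site host, domains and HTML are constructed for the example.

```python
"""Detect injected <iframe> elements by comparing live HTML with a known-good baseline.

Added example (not from the DazzleSpy reporting). Flags iframes that are new
relative to the baseline and that either point off-site or are styled invisible,
which is the shape of the injection described in the article. All hostnames and
HTML here are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Normalise attribute names; valueless attributes (e.g. `hidden`) become "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def collect_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


def _host(src):
    """Hostname of an iframe src, or "" for relative URLs (same origin as the page)."""
    netloc = urlparse(src.strip()).netloc.lower()
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def _is_offsite(src, site_host):
    """True when the frame loads from a host outside site_host and its subdomains."""
    host = _host(src)
    if not host:
        return False
    site_host = site_host.lower()
    return host != site_host and not host.endswith("." + site_host)


def _is_hidden(attrs):
    """True for frames hidden via CSS, the `hidden` attribute, or a 0/1 pixel box."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(marker in style for marker in HIDDEN_STYLE_MARKERS) or "hidden" in attrs:
        return True

    def tiny(value):
        value = value.strip().rstrip("px")
        return value.isdigit() and int(value) <= 1

    return tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))


def analyze(html, site_host):
    """Describe every iframe in html: where it points and whether it is visible."""
    return [
        {"src": a.get("src", ""),
         "offsite": _is_offsite(a.get("src", ""), site_host),
         "hidden": _is_hidden(a)}
        for a in collect_iframes(html)
    ]


def new_iframes(baseline_html, live_html, site_host):
    """Iframes present in the live page but absent from the known-good baseline."""
    known = {a.get("src", "") for a in collect_iframes(baseline_html)}
    return [f for f in analyze(live_html, site_host) if f["src"] not in known]


def suspicious(baseline_html, live_html, site_host):
    """New iframes that load third-party content or are styled to be invisible."""
    return [f for f in new_iframes(baseline_html, live_html, site_host)
            if f["offsite"] or f["hidden"]]


# Constructed sample data: a known-good page and a tampered copy of it.
SITE_HOST = "radio.example"
BASELINE_HTML = """<html><body>
<h1>Live programme</h1>
<iframe src="/player/live.html" width="600" height="200"></iframe>
</body></html>"""

# The legitimate player is untouched; the attacker appended a 0x0 off-site frame,
# and the site's own editors also added a visible, same-origin schedule frame.
LIVE_HTML = BASELINE_HTML.replace(
    "</body>",
    '<iframe src="https://cdn.attacker.example/landing.html" width="0" height="0"></iframe>\n'
    '<iframe src="/schedule/today.html" width="600" height="200"></iframe>\n</body>',
)

if __name__ == "__main__":
    for finding in suspicious(BASELINE_HTML, LIVE_HTML, SITE_HOST):
        print("suspicious iframe:", finding)
```

Running the block prints the single injected frame; the editors' same-origin, visible schedule frame is reported as new but not suspicious. In practice the baseline would come from the deployment artefact or a version-controlled template, and the live copy from a periodic fetch, so that a change made directly on the web server (as in the D100 Radio compromise) shows up without relying on the server's own integrity.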

The tampered code then served as a conduit to load a Mach-O file by exploiting a remote code execution bug in WebKit (CVE-2021-1789), which Apple fixed in February 2021. ESET noted: “The exploit used to gain code execution in the browser is quite complex, with over 1,000 lines of code once nicely formatted.”

Successful exploitation of the WebKit bug triggers execution of the intermediate Mach-O binary, which in turn exploits a now-patched local privilege escalation vulnerability in the kernel component (CVE-2021-30869) to run the next-stage malware as the root user.

Finally, the researchers concluded: “This campaign is similar to one from 2020, when LightSpy iOS malware (described by Trend Micro and Kaspersky) was distributed in the same way, using iframe injection on websites for Hong Kong citizens, leading to a WebKit exploit. However, it is unclear whether both campaigns were orchestrated by the same group.”
