Towards the end of 2021, a previously unseen macOS backdoor was delivered through fake and compromised websites (for example, that of the local radio station D100) to pro-democracy individuals in Hong Kong, exploiting vulnerabilities in WebKit, Safari's browser engine, and in XNU, the kernel of macOS and iOS.
On Tuesday, ESET researchers shared their findings about the attack and the results of their analysis of the final malicious payload: a macOS backdoor with many capabilities, including collecting and exfiltrating system information, executing files, starting a remote screen session, and dumping the contents of the iCloud Keychain, among others.
Watering hole attack and macOS backdoor
The first report on the watering hole attack, which led to the exploitation of the Safari web browser running on macOS, was published by Google last November. ESET researchers were investigating the attacks at the same time as Google and uncovered additional details about both the targets and the malware used to compromise victims. ESET confirms that the patch identified by the Google team fixes the Safari vulnerabilities used in the attacks.
"The exploits used to gain code execution in the browser are quite complex and contain more than 1,000 lines of code. It's interesting to note that some of the code suggests that the vulnerability could also be exploited on iOS, even on iPhone XS and newer devices," said Marc-Etienne M.Léveillé, who investigated the watering hole attack.
The campaign resembles one from 2020 in which the LightSpy iOS malware was distributed in a similar way, using iframe injection into websites aimed at Hong Kong citizens that led to the exploitation of WebKit.
The payload, DazzleSpy, is capable of various kinds of cyberespionage. It can collect information about the compromised computer; search for specific files; scan files in the Desktop, Downloads and Documents folders; execute supplied shell commands; start or end a remote screen session; and write a supplied file to disk.
More technical information about the exploitation and DazzleSpy is provided in this post.
Attack attribution
Given the complexity of the exploits used in this campaign, ESET Research concludes that the group behind this operation has strong technical capabilities. It is also interesting to note that DazzleSpy enforces end-to-end encryption, which means that it will not communicate with its command and control (C&C) server if anyone tries to eavesdrop on the unencrypted transmission.
Other interesting clues about this threat actor include that once the malware obtains the current date and time on a compromised computer, it converts that date into the Asia/Shanghai time zone (aka China Standard Time) before sending it to the C&C server. Also, the DazzleSpy malware contains several internal messages in Chinese.