Trend Micro has also published research (.PDF) on the threat actor's mobile activities. The cybersecurity firm temporarily named the advanced persistent threat (APT) group believed to be responsible as TwoSail Junk. Kaspersky said in 2020 that the malware appeared on websites aimed at residents of Hong Kong. The cybersecurity researchers also say that the watering hole attack used has similarities with the deployment of the LightSpy implant.
"The technique protects the malware's communications from potential eavesdropping by refusing to send data if end-to-end encryption is not possible." "In practice, the same self-signed certificate is used for both the CA and the C&C server," the researchers say.
Once it has connected to a C2, secure communication appears to be a high priority. If the macOS version is below 10.14.4, keychain information is stolen.
The new DazzleSpy macOS malware has a range of capabilities, including collecting macOS data such as hardware UUIDs and serial numbers, extracting Wi-FI SSIDs, downloading user files on the infected machine enumerating files in Desktop, Downloads, and Documents folders, launching remote sessions, and executing shell commands.ĮSET says that the malware will also see if it is possible to take advantage of CVE-2019-8526, a critical vulnerability fixed in macOS Mojave 10.14.4. In ESET's sample, the payload differs from TAG's findings.
The next step requires a Mach-O executable to be loaded into memory and to achieve code execution through a local privilege escalation weakness, allowing it to run as root and execute the next payload. It appears the exploit is used to obtain memory read and write access, with object address leaks and the ability to create fake JavaScript objects being the overall goal.
(While technical details are scant, the researchers confirmed that Apple's patch now resolves CVE-2021-30869.) JavaScript containing exploit code, mac.js, is deployed to trigger the WebKit engine flaw. The attack chain begins by running a script that checks what version of macOS is installed. "It seems that they were the primary target of this threat." "Both distribution methods have something in common: they attract visitors from Hong Kong with pro-democracy sympathies," ESET says. In addition, fake 'liberate Hong Kong' websites also delivered the malware.
The legitimate pro-democracy online radio station D100 was compromised to serve the payload via an iframe between September 30 and November 4, 2021.
"Based on our findings, we believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code," Google TAG said.ĮSET has now provided a breakdown of additional attack vectors used and the exploit itself. Now tracked as CVE-2021-30869, Apple has now patched the type confusion zero-day flaw. This attack utilized an XNU privilege escalation vulnerability in macOS Catalina, leading to the execution of the backdoor malware. On November 11, 2021, TAG said watering hole attacks had been spotted on a media outlet and pro-democracy political website targeting Hong Kong residents. The website was used to facilitate a watering hole attack and to serve a Safari browser exploit to visitors, leading to the deployment and execution of spyware on victim machines.ĭubbed DazzleSpy by ESET researchers, the malware is a backdoor for conducting surveillance on an infected Mac.ĮSET's investigation follows past research conducted by Google's Threat Analysis Group (TAG) security team.