In late 2021, a never before seen macOS backdoor was delivered to pro-democracy individuals in Hong Kong via fake and compromised sites (for example, that of local radio station D100) by exploiting vulnerabilities in Webkit, the browser engine powering Safari, and XNU, the macOS and iOS kernel.
On Tuesday, ESET researchers shared their knowledge about the attacks and the results of the analysis of that final malicious payload: a macOS backdoor with many capabilities, including collecting and exfiltrating system information, executing files, starting a remote screen session, dumping the contents of the victims’ iCloud Keychain, and more.
The watering hole attacks and the macOS backdoor
The first report about the watering hole attacks leading to exploits for the Safari web browser running on macOS was published by Google last November. ESET researchers were investigating the attacks at the same time as Google and have uncovered additional details about both the targets and malware used to compromise the victims. ESET has confirmed that the patch identified by the Google team fixes the Safari vulnerability used in the attacks.
“The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code. It’s interesting to note that some code suggests the vulnerability could also have been exploited on iOS, even on devices such as the iPhone XS and newer,” says Marc-Étienne Léveillé, who investigated the watering-hole attack.
This campaign has similarities with one from 2020 where LightSpy iOS malware was distributed the same way, using iframe injection on websites for Hong Kong citizens leading to a WebKit exploit.
The payload – DazzleSpy – is capable of a wide variety of cyberespionage actions. It can collect information about the compromised computer; search for specified files; scan files in Desktop, Downloads, and Documents folders; execute the supplied shell commands; start or end a remote screen session; and write a supplied file to disk.
More technical information about the exploits and the DazzleSpy is provided in this post.
Given the complexity of the exploits used in this campaign, ESET Research can conclude that the group behind this operation has strong technical capabilities. It’s also interesting that end-to-end encryption is enforced in DazzleSpy meaning it won’t communicate with its command and control (C&C) server if anyone tries to eavesdrop on the unencrypted transmission.
Among other interesting findings about this threat actor is that once the malware obtains the current date and time on a compromised computer, it converts the obtained date to the Asia/Shanghai time zone (aka China Standard Time), before sending it to the C&C server. In addition, the DazzleSpy malware contains a number of internal messages in Chinese.