Cybersecurity researchers detected a previously unknown macOS malware, codenamed DazzleSpy by ESET and MACMA by Google. The attack itself is based on a WebKit exploit used to compromise Mac users. The payload appears to be a new malware family, specifically targeting macOS.
The discovery is based on a Google Threat Analysis Group finding related to a watering hole campaign that used macOS exploits. ESET researchers decided to continue investigating the threat to uncover further details about the malware and its targets.
In short, a watering hole attack is a malicious attempt in which threat actors aim to compromise a specific group of end users by infecting websites that members of the targeted group visit. In the investigated case, the attackers used a fake website targeting Hong Kong activists and the online Hong Kong pro-democracy radio station D100. The common thread is that both distribution channels were aimed at visitors from Hong Kong with pro-democracy political leanings.
A Look into DazzleSpy’s Malware Mechanisms
One of the phases of the attack included tampered code acting as a conduit to load a Mach-O file. This was done by using a remote code execution (RCE) bug in WebKit that Apple fixed in February last year, known as CVE-2021-1789. The complex exploit, comprising more than 1,000 lines of code, was leveraged to achieve code execution within the browser.
This exploit leads to the next part of the attack, which uses a now-fixed local privilege escalation issue in the kernel component, known as CVE-2021-30869. This vulnerability is needed to run the next-stage malware as root.
Capabilities of the MACMA/DazzleSpy macOS Malware
The DazzleSpy malware has a wide set of malicious functionalities to control and exfiltrate files from compromised systems, including:
- Stealing system information;
- Executing arbitrary shell commands;
- Dumping the iCloud Keychain via a CVE-2019-8526 exploit, which is used if the macOS version is lower than 10.14.4;
- Initiating or terminating a remote screen session;
- Deleting itself from the system.
In conclusion, the DazzleSpy attack is reminiscent of a 2020 attack in which the LightSpy iOS malware used similar distribution techniques against Hong Kong citizens. It is still unclear whether both campaigns were carried out by the same threat actor.