MacOS Malware ‘DazzleSpy’ Used in Watering-Hole Attacks

A pro-democracy Hong Kong site was used to launch watering-hole attacks that planted a powerful macOS backdoor that researchers dubbed DazzleSpy.

A new family of cyber-espionage malware targeting macOS and delivered via a Safari exploit was used against politically active, pro-democracy residents of Hong Kong, in August watering-hole attacks initially discovered by Google TAG, researchers said on Tuesday.

The watering-hole attacks – which TAG reported to Apple that same month – were serving an in-the-wild malware that exploited what was then a zero-day flaw to install a backdoor on the iOS and macOS devices of users who visited Hong Kong-based media and pro-democracy sites.

As TAG reported in November, a zero-day XNU privilege-escalation vulnerability (CVE-2021-30869) that was then unpatched in macOS Catalina led to the installation of a previously unreported backdoor on victims’ macOS and iOS systems.

Infosec Insiders Newsletter

In a report published Tuesday, ESET researchers, who’d been investigating the campaign prior to TAG’s November post, revealed new details about the backdoor, the campaign’s targets, the malware employed – namely, a WebKit exploit used to compromise Mac users – and how victims fell into the trap to begin with.

The novel piece of the puzzle that ESET described in Tuesday’s post is DazzleSpy: a new, full-featured backdoor put out by unknown – but technically adroit – operators, they said.

The list of commands it accepts is long: The malware can search for specific files to exfiltrate, enumerate files in the Desktop, Downloads, and Documents folders; execute shell commands; enumerate running processes; steal, rename or move files; log mouse events; observe, start or end remote sessions; and perform the tasks needed to exploit the CVE-2019-8526 vulnerability.

Researchers also found it notable that DazzleSpy enforces end-to-end encryption and that the backdoor abstains from communicating with its command-and-control (C2) server if anyone tries to eavesdrop, by inserting a TLS-inspection proxy between the compromised system and the C2 server.

The Swamps That Sucked in Hong Kong Activists

The first stage of the attack chain was to compromise two sites so as to propagate the exploits, ESET explained:

  1. A fake website targeting Hong Kong activists, as reported by Felix Aimé from SEKOIA.IO, with a domain – fightforhk[.]com – only registered on Oct. 19, and since taken down. It was rigged with a malicious iframe, as shown below.
  2. The legitimate but compromised radio-station site of the online, Hong Kong, pro-democracy radio station D100, which was discovered serving up the same exploit by Google TAG in August. Similar to fightforhk[.com], the radio station’s compromised site (shown below) similarly injected an iframe into pages served by bc.d100[.]net – the section of the website used by subscribers – between Sept. 30 and Nov. 4.

The fightforhk[.]com watering-hole propagating domain, as archived by the Wayback Machine on Nov. 13 and shared by ESET.

Excerpt of https://bc.d100[.]net/Product/Subscription on Nov. 4, 2021. Source: ESET.

Next, the tampered-with code loads a Mach-O executable file in memory by leveraging a remote code execution (RCE) bug in WebKit that Apple fixed in February 2021 (CVE-2021-1789).

“The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely,” ESET researchers noted.

From Privilege Escalation to Root

After the exploit gains code execution, it loads Mach-O into memory and executes it, exploiting a previously described local privilege-escalation vulnerability tracked as CVE-2021-30869 to run the next stage as root. A call then goes out to a function called “adjust_port_type,” which changes the internal type of a Mach port – a change that “shouldn’t be possible unless a vulnerability exists,” ESET researchers noted.

A summary of what Mach-O does:

  1. Downloads a file from the URL supplied as an argument
  2. Decrypts this file using AES-128-EBC and TEA with a custom delta
  3. Writes the resulting file to $TMPDIR/airportpaird and makes it executable
  4. Uses the privilege escalation exploit to remove the from the file to avoid asking the user to confirm the launch of the unsigned executable
  5. Uses the same privilege escalation to launch the next stage with root privileges

In its November writeup, Google TAG described the infection chain as next downloading a payload called MACMA that fingerprinted victims’ devices, grabbed screen captures, uploaded and downloaded files, executed terminal commands, and committed spying via audio recording and keylogging.

But visitors to the D100 Radio site were inflicted with a different macOS backdoor that ESET codenamed DazzleSpy: A powerful tool capable of stealing a dizzying array of victims’ data and carrying out complex exploits.

Who’s Behind the DazzleSpy Backdoor?

Given the complexity of the campaign’s exploits, ESET says that the operators have “strong technical capabilities.” The attackers haven’t left a lot of tracks: ESET researchers said they haven’t yet been able to find prior analysis about a local privilege-escalation (LPE) vulnerability used by the exploit, for example, nor anything about the specific WebKit vulnerability used to gain code execution in Safari.

ESET did note that the campaign – with its targeting of politically active, pro-democracy Hong Kong individuals – resembles one from 2020 where LightSpy iOS malware (described by TrendMicro and Kaspersky) was distributed in the same way: i.e., by using iframe injection on websites for Hong Kong citizens, leading to a WebKit exploit.

The malware used in the 2020 watering-hole attacks, the work of a then-new advanced persistent threat (APT) called TwoSail Junk, was similarly designed for use in a mass-targeted attack aimed at deep surveillance and for taking total control of iOS devices.

ESET did find a few clues about DazzleSpy’s operators: They noted that the malware contains a number of internal messages in Chinese, for one. As well, “once the malware obtains the current date and time on a compromised computer … it converts the obtained date to the Asia/Shanghai time zone (aka China Standard Time), before sending it to the C2 server,” they added.

The operators also aren’t all that concerned about operational security, apparently: “They have left the username ‘wangping’ in paths embedded in the binary,” ESET noted, including in paths that reveal this username and internal module names.

Whether the 2020 Hong Kong attacks and those detected in August are coming from the same APT remains to be seen, ESET researchers said. They’re on it, they said, promising to “continue to track and report on similar malicious activities.”

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles