Security News > 2022 > January > MacOS Malware ‘DazzleSpy’ Used in Watering-Hole Attacks
A new family of cyber-espionage malware targeting macOS and delivered via a Safari exploit was used against politically active, pro-democracy residents of Hong Kong in watering-hole attacks in August that were initially discovered by Google TAG, researchers said on Tuesday.
The watering-hole attacks - which TAG reported to Apple that same month - served in-the-wild malware that exploited what was then a zero-day flaw to install a backdoor on the iOS and macOS devices of users who visited Hong Kong-based media and pro-democracy sites.
In a report published Tuesday, ESET researchers, who'd been investigating the campaign prior to TAG's November post, revealed new details about the backdoor, the campaign's targets, the malware employed - namely, a WebKit exploit used to compromise Mac users - and how victims fell into the trap to begin with.
The list of commands the backdoor accepts is long: the malware can search for specific files to exfiltrate; enumerate files in the Desktop, Downloads, and Documents folders; execute shell commands; enumerate running processes; steal, rename or move files; log mouse events; observe, start or end remote sessions; and perform the tasks needed to exploit the CVE-2019-8526 vulnerability.
Given the complexity of the campaign's exploits, ESET says that the operators have "strong technical capabilities." The attackers haven't left many tracks: ESET researchers said they haven't yet been able to find prior analysis of the local privilege-escalation vulnerability used by the exploit, for example, nor anything about the specific WebKit vulnerability used to gain code execution in Safari.
ESET did note that the campaign - with its targeting of politically active, pro-democracy Hong Kong individuals - resembles one from 2020 in which LightSpy iOS malware was distributed the same way: via iframe injection on websites aimed at Hong Kong citizens, leading to a WebKit exploit.
News URL
https://threatpost.com/macos-malware-dazzlespy-watering-hole-attacks/177943/
Related news
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware
- North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS
- North Korean hackers use new macOS malware against crypto firms
- North Korean Hackers Target macOS Using Flutter-Embedded Malware
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks
- New RustyAttr Malware Targets macOS Through Extended Attribute Abuse
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations
- Windows, macOS users targeted with crypto-and-info-stealing malware
- New IOCONTROL malware used in critical infrastructure attacks
- FBI spots HiatusRAT malware attacks targeting web cameras, DVRs
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
|---|---|---|---|
| 2019-12-18 | CVE-2019-8526 | Use After Free vulnerability in Apple Mac OS X. A use-after-free issue was addressed with improved memory management. | 7.8 |