
MacOS Malware ‘DazzleSpy’ Used in Watering-Hole Attacks
2022-01-25 18:54

A new family of cyber-espionage malware targeting macOS and delivered via a Safari exploit was used against politically active, pro-democracy residents of Hong Kong in watering-hole attacks in August that were initially discovered by Google TAG, researchers said on Tuesday.

The watering-hole attacks - which TAG reported to Apple that same month - were serving an in-the-wild malware that exploited what was then a zero-day flaw to install a backdoor on the iOS and macOS devices of users who visited Hong Kong-based media and pro-democracy sites.

In a report published Tuesday, ESET researchers, who'd been investigating the campaign prior to TAG's November post, revealed new details about the backdoor, the campaign's targets, the malware employed - namely, a WebKit exploit used to compromise Mac users - and how victims fell into the trap to begin with.

The list of commands the backdoor accepts is long: the malware can search for specific files to exfiltrate; enumerate files in the Desktop, Downloads, and Documents folders; execute shell commands; enumerate running processes; steal, rename or move files; log mouse events; observe, start or end remote sessions; and perform the tasks needed to exploit the CVE-2019-8526 vulnerability.

Given the complexity of the campaign's exploits, ESET says that the operators have "Strong technical capabilities." The attackers haven't left a lot of tracks: ESET researchers said they haven't yet been able to find prior analysis about a local privilege-escalation vulnerability used by the exploit, for example, nor anything about the specific WebKit vulnerability used to gain code execution in Safari.

ESET did note that the campaign - with its targeting of politically active, pro-democracy Hong Kong individuals - resembles one from 2020 where LightSpy iOS malware was distributed in the same way: i.e., by using iframe injection on websites for Hong Kong citizens, leading to a WebKit exploit.
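The iframe-injection delivery described above is something site owners and web-proxy teams can look for on their own pages. The following is an added illustration, not code from ESET, Google TAG or Threatpost: it parses a page's HTML and flags iframes that are hidden (zero size or display:none) or that load content from a host other than the site's own. The sample HTML, the host names and the function names are constructed for the example.

```python
"""Flag <iframe> elements that may have been injected into a page.

Added illustration (not ESET/TAG/Threatpost code). It assumes the defender
already holds the page HTML, for example from a crawl or proxy capture, and
knows the site's own hostname. The sample HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one legitimate same-site embed, one hidden off-site
# iframe of the kind used for watering-hole delivery, one relative embed.
SAMPLE_HTML = """
<html><body>
<h1>Local news</h1>
<iframe src="https://news.example.org/player" width="640" height="360"></iframe>
<iframe src="https://cdn.example-not-ours.test/x.html" width="0" height="0"
        style="display:none"></iframe>
<iframe src="/embed/comments" width="300" height="200"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value may be None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Zero-size or display:none / visibility:hidden iframes are a classic injection pattern."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = attrs.get(dim, "").strip().lower().rstrip("px")
        if val.isdigit() and int(val) == 0:
            return True
    return False


def _is_offsite(src, site_host):
    """True when the iframe loads from a host other than the site itself."""
    parsed = urlparse(src)
    if not parsed.netloc:  # relative URL: same origin as the page
        return False
    return parsed.hostname != site_host


def find_suspicious_iframes(html, site_host):
    """Return a list of (src, reasons) for iframes that deserve a closer look."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden")
        if _is_offsite(src, site_host):
            reasons.append("offsite")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "news.example.org"):
        print(f"{src}: {', '.join(reasons)}")
```

On the constructed sample only the zero-size, off-site iframe is reported, with both reasons attached. In practice the check is most useful when run against a known-good baseline of a site's pages, so that a newly appearing off-site or hidden iframe stands out rather than every third-party embed being flagged.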


News URL

https://threatpost.com/macos-malware-dazzlespy-watering-hole-attacks/177943/

Related Vulnerability

DATE: 2019-12-18
CVE: CVE-2019-8526
VULNERABILITY TITLE: Use After Free vulnerability in Apple mac OS X (a use after free issue was addressed with improved memory management)
RISK: local, low complexity, apple CWE-416, 7.2