Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks
2022-01-26 20:35

A previously undocumented cyber-espionage malware aimed at Apple's macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong.

"The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely," ESET researchers said.

The success of the WebKit remote code execution subsequently triggers the execution of an intermediate Mach-O binary that, in turn, exploits a now-patched local privilege escalation vulnerability in the kernel component to run the next-stage malware as root.

While the infection sequence detailed by Google TAG culminated in the installation of an implant called MACMA, the malware delivered to visitors of the D100 Radio site was a new macOS backdoor that ESET has codenamed DazzleSpy.

Dumping the iCloud Keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4.
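The version condition above is also the condition a defender can use to find hosts still inside the window that exploit targets. The following is an added example, not code from the article or from ESET: it parses macOS version strings numerically (so that "10.14.10" is not mistaken for an older release than "10.14.4") and flags inventory entries below 10.14.4; the hostnames, versions and function names are assumptions.

```python
from typing import Dict, List, Tuple

# Threshold stated in the article: the keychain-dumping step uses a
# CVE-2019-8526 exploit only when macOS is lower than 10.14.4.
CVE_2019_8526_FIXED_IN = (10, 14, 4)


def parse_macos_version(version: str) -> Tuple[int, ...]:
    """Turn "10.14.4" into a comparable tuple of integers.

    Integer tuples avoid the string-comparison bug where "10.14.10" sorts
    before "10.14.4". Missing trailing parts count as zero ("10.14" is
    (10, 14, 0)). Malformed input raises ValueError.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def lacks_cve_2019_8526_fix(version: str) -> bool:
    """True when the host is below 10.14.4, the window the article names."""
    return parse_macos_version(version)[:3] < CVE_2019_8526_FIXED_IN


def hosts_in_exploit_window(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames whose reported macOS version is below 10.14.4.

    Unparseable versions are flagged too: an unknown version should be
    triaged, not silently assumed patched.
    """
    flagged = []
    for host, version in inventory.items():
        try:
            if lacks_cve_2019_8526_fix(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return sorted(flagged)


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "mac-01": "10.14.3",   # below threshold
    "mac-02": "10.14.4",   # exactly the fixed version, not flagged
    "mac-03": "10.14.10",  # string comparison would wrongly flag this
    "mac-04": "10.13",     # two-component version, below threshold
    "mac-05": "unknown",   # unparseable, flagged for triage
}

if __name__ == "__main__":
    print(hosts_in_exploit_window(SAMPLE_INVENTORY))
```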

"This campaign has similarities with one from 2020 where LightSpy iOS malware was distributed the same way, using iframe injection on websites for Hong Kong citizens leading to a WebKit exploit," the researchers said.


News URL

https://thehackernews.com/2022/01/hackers-infect-macos-with-new-dazzlespy.html

Related Vulnerability

DATE: 2019-12-18
CVE: CVE-2019-8526
VULNERABILITY TITLE: Use After Free vulnerability in Apple mac OS X
DESCRIPTION: A use after free issue was addressed with improved memory management.
ATTACK VECTOR: local
ATTACK COMPLEXITY: low complexity
VENDOR / CWE: apple, CWE-416
RISK: 7.8