New DazzleSpy Backdoor in Watering-Hole Attacks infects macOS

According to security researchers, hackers are using a new macOS backdoor, DazzleSpy, in watering-hole attacks that infect visitors running Apple's macOS.

ESET, the Slovak cybersecurity firm that analyzed the campaign, attributed it to an actor with "strong technical capabilities," and called out its overlaps with a similar digital offensive disclosed by Google's Threat Analysis Group (TAG) in November 2021.

The attackers compromised a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, and injected malicious inline frames (iframes) into it between September 30 and November 4, 2021. In the second phase, the tampered code acts as a conduit to load a Mach-O file by leveraging a remote code execution bug in WebKit (CVE-2021-1789) that Apple fixed in February 2021, so only visitors running an unpatched Safari/WebKit were exploitable.
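The first stage described above is an iframe injected into a legitimate page. As an added example (not code from the article, ESET or Google TAG), the scanner below parses page HTML with the Python standard library and flags iframes that a visitor would never see (zero size, display:none, opacity 0) or that pull content from a host outside the site's own origin and its allowlisted embeds. The site host, the sample page and every hostname in it are constructed for illustration; a real audit would run it against the live page and a known-good copy.

```python
"""
Added example: audit page HTML for injected, hidden or off-origin iframes,
the delivery mechanism used in the D100 Radio watering hole.
The sample HTML, the site host and the hostnames below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.org"  # assumed first-party host of the audited site

# Constructed sample: a first-party player, a legitimate third-party embed,
# and a zero-size hidden frame pointing at an attacker-controlled host.
SAMPLE_HTML = """<html><body>
<h1>Constructed sample page</h1>
<iframe src="/player/embed" width="400" height="300"></iframe>
<iframe src="https://www.video-embed.invalid/embed/abc" width="560" height="315"></iframe>
<iframe src="https://cdn.attacker.invalid/loader.html" style="display:none" width="0" height="0"></iframe>
</body></html>"""


def _parse_style(style):
    """Split an inline style attribute into a {property: value} dict."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            props[key.strip().lower()] = val.strip().lower()
    return props


def _is_hidden(attrs):
    """True if the frame is sized or styled so the visitor cannot see it."""
    style = _parse_style(attrs.get("style", ""))
    for dim in ("width", "height"):
        for raw in (attrs.get(dim, ""), style.get(dim, "")):
            if raw.strip().rstrip("px") in ("0", "1"):
                return True
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        return True
    return style.get("opacity") == "0"


def _is_third_party(src, site_host, allowed_hosts):
    """True if src loads from a host that is neither first-party nor allowlisted."""
    host = urlparse(src).hostname
    if host is None:  # relative URL: same origin as the page
        return False
    host = host.lower()
    if host == site_host or host.endswith("." + site_host):
        return False
    return host not in allowed_hosts


class IframeAuditor(HTMLParser):
    """Collects suspicious <iframe> tags while the page is parsed."""

    def __init__(self, site_host, allowed_hosts):
        super().__init__()
        self.site_host = site_host
        self.allowed_hosts = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        if _is_hidden(a):
            reasons.append("hidden")
        if _is_third_party(src, self.site_host, self.allowed_hosts):
            reasons.append("third-party src")
        if reasons:
            # getpos() gives the line on which this start tag begins
            self.findings.append({"src": src, "line": self.getpos()[0], "reasons": reasons})


def audit_html(html, site_host=SITE_HOST, allowed_hosts=frozenset()):
    """Return a list of {src, line, reasons} dicts for suspicious iframes."""
    parser = IframeAuditor(site_host.lower(), {h.lower() for h in allowed_hosts})
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, allowed_hosts={"www.video-embed.invalid"}):
        print(f"line {f['line']}: {f['src']} ({', '.join(f['reasons'])})")
```

Without an allowlist every third-party frame is reported, which is the right default for a site that should not embed anything external; with the allowlist only the hidden attacker frame remains. The check is a triage aid, not a verdict: an injected frame can also be visible and same-origin if the attacker controls a path on the compromised host, so compare against a known-good copy of the page as well.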

ESET researchers said, “The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely.” 

Once the WebKit exploit achieves code execution in the browser, it runs the intermediate Mach-O binary. That binary in turn exploits a now-patched local privilege escalation vulnerability in the macOS kernel (CVE-2021-30869) and launches the next-stage malware as root, so the chain moves from a sandboxed renderer to full control of the machine without any user interaction beyond visiting the page.

In the infection sequence detailed by Google TAG, the chain ended with the installation of an implant called MACMA. In the campaign ESET analyzed, the final payload delivered to visitors of the D100 Radio site is a new macOS backdoor that ESET has code-named DazzleSpy.

ESET further notes that the backdoor provides "a large set of functionalities to control, and exfiltrate files from, a compromised computer."

Other features of the DazzleSpy backdoor include:

  • Harvesting system information
  • Executing arbitrary shell commands
  • Dumping iCloud Keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4
  • Starting or terminating a remote screen session, and
  • Deleting itself from the machine

The researchers concluded, "This campaign has similarities with one from 2020 where LightSpy iOS malware (described by Trend Micro and Kaspersky) was distributed the same way, using iframe injection on websites for Hong Kong citizens leading to a WebKit exploit." It is not yet clear, however, whether both campaigns were orchestrated by the same group.
