October 3, 2023

A watering-hole attack on websites was infecting site visitors with novel Mac malware that could steal data, record audio and more, revealed researchers with Google’s Threat Analysis Group.

Watering hole attacks aim to compromise a specific group of users by infecting websites they typically visit and luring them to the malicious site. This particular attack leveraged an XNU privilege escalation vulnerability CVE-2021-30869 that led to the installation of a previously unreported backdoor on victims’ systems and impacted websites for an unnamed media outlet and a prominent pro-democracy labor and political group.


The compromised websites contained two iframes that served exploits from an attacker-controlled server: one for iOS and one for macOS. Researchers were unable to uncover the full exploit chain for iOS; however, they discovered that it leveraged a type confusion issue (CVE-2019-8506) to achieve code execution in Safari. Researchers also found that the exploit chain utilized Ironsquirrel, which is an open-source framework that delivers encrypted browser exploits to the victim’s browser.

The macOS exploit, used a different framework than Ironsquirrel. Researchers observed a simple HTML page loading two scripts. The first loading script was used for the exploit chain. This exploit chain combined a remote code execution flaw in WebKit (CVE-2021-1789), previously patched local-privilege escalation vulnerability (CVE-2021-30869) in XNU, an operating system kernel developed by Apple. The latter flaw stems from a type confusion issue that could allow malicious applications to execute arbitrary code with kernel privileges.

“Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.”

The other loading script was for public tool Capstone.js, which is a port of the Capstone disassembler framework for JavaScript. While Capstone is typically used for binary analysis, the attackers here utilized it to search for the addresses of dlopen and dlsym in memory. After the WebKit RCE succeeded, an embedded Mach-O binary would be loaded into memory, the dlopen and dlsym addresses found using Capstone.js are used to patch the Mach-O loaded in memory.

The attack delivered Mac malware called OSX.CDDS, which was loaded in the background of victims’ machines via launchtl. It uses a publish subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2.


The malware also contains several components, some of which seem to be configured as modules, for carrying out functionalities. These capabilities include victim device fingerprinting, screen capture, file download and upload, executing terminal commands, audio recording and keylogging.

Apple flaws have previously been leveraged as part of watering-hole attacks, including the discovery by Google of hacked sites in 2019 being used in watering-hole attacks against their visitors, using an iPhone zero-day.

Leave a Reply

%d bloggers like this: