
A previously undocumented cyber-espionage malware family targeting Apple's macOS, dubbed DazzleSpy, leveraged a Safari web browser exploit as part of a watering hole attack against politically active, pro-democracy individuals in Hong Kong.
The attack chain involved compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, to inject malicious inline frames.
The injected code acted as a conduit to load a Mach-O file by leveraging a remote code execution (RCE) bug in WebKit that Apple fixed as CVE-2021-1789. The exploit used to gain code execution in the browser is quite complex, at more than 1,000 lines of code.
A successful WebKit RCE then triggers execution of the intermediate Mach-O binary, which in turn exploits a now-patched local privilege escalation vulnerability in the kernel component (CVE-2021-30869) to run the next-stage malware as root.
The malware's capabilities include:
- Harvesting system information
- Executing arbitrary shell commands
- Dumping the iCloud Keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4
- Starting or terminating a remote screen session
- Deleting itself from the machine
This campaign resembles one from 2020 in which the LightSpy iOS malware was distributed the same way: iframe injection on websites aimed at Hong Kong citizens, leading to a WebKit exploit.
Indicators of Compromise (IoCs)
SHA-1
95889E0EF3D31367583DD31FB5F25743FE92D81D
EE0678E58868EBD6603CC2E06A134680D2012C1B
Filenames
$HOME/Library/LaunchAgents/com.apple.softwareupdate.plist
$HOME/.local/softwareupdate
$HOME/.local/security.zip
$HOME/.local/security/keystealDaemon
$HOME/.local/security/libkeystealClient.dylib
Network
URLs of the Safari exploit
https://amnestyhk[.]org/ss/defaultaa.html
https://amnestyhk[.]org/ss/4ba29d5b72266b28.html
https://amnestyhk[.]org/ss/mac.js
https://amnestyhk[.]org/ss/server.enc
DazzleSpy C&C server
88.218.192[.]128:5633
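The host artefacts above (the LaunchAgent plist, the $HOME/.local drop paths and the two SHA-1 sample hashes) can be turned directly into a triage check. The following scanner is an added example, not code from the original report; it assumes nothing beyond the Python standard library, and its `build_constructed_fixture` helper creates constructed test data so the scanner can be exercised offline without a real sample.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the IoC section above (hashes lower-cased for comparison).
DAZZLESPY_SHA1 = {
    "95889e0ef3d31367583dd31fb5f25743fe92d81d",
    "ee0678e58868ebd6603cc2e06a134680d2012c1b",
}
DAZZLESPY_PATHS = [
    "Library/LaunchAgents/com.apple.softwareupdate.plist",
    ".local/softwareupdate",
    ".local/security.zip",
    ".local/security/keystealDaemon",
    ".local/security/libkeystealClient.dylib",
]


def sha1_of(path: Path) -> str:
    """Stream a file through SHA-1 so large binaries need not fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_home(home: Path) -> list:
    """Return (indicator_type, path) pairs for every DazzleSpy artefact under `home`."""
    hits = []
    for rel in DAZZLESPY_PATHS:
        if (home / rel).exists():
            hits.append(("path", str(home / rel)))
    # A renamed drop would evade the path check, so also hash every regular file in
    # the two directories the campaign wrote to against the published sample hashes.
    for d in (home / "Library/LaunchAgents", home / ".local"):
        for p in (d.rglob("*") if d.is_dir() else []):
            if p.is_file() and sha1_of(p) in DAZZLESPY_SHA1:
                hits.append(("sha1", str(p)))
    return hits


def build_constructed_fixture() -> Path:
    """Constructed test data: a throwaway home directory with two of the paths present."""
    home = Path(tempfile.mkdtemp())
    (home / "Library/LaunchAgents").mkdir(parents=True)
    (home / ".local/security").mkdir(parents=True)
    (home / "Library/LaunchAgents/com.apple.softwareupdate.plist").write_text("<plist/>")
    (home / ".local/security/keystealDaemon").write_bytes(b"constructed placeholder")
    return home
```

On a host under review, call `scan_home(Path.home())` for each user account; a user-level LaunchAgent carrying an Apple-style `com.apple.*` name is worth a closer look even when the hash does not match, since a rebuilt sample would keep the persistence path but not the hash.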