DazzleSpy: macOS malware used in watering hole attacks to compromise Macs

Researchers have discovered a new macOS malware dubbed “DazzleSpy” used in watering hole attacks in Asia to compromise Mac computers.

According to ESET researchers, a pro-democracy radio station website in Hong Kong was compromised and used to deliver Safari exploits to install malware on visitors’ Mac computers. Attackers have been looking to attract Hong Kong visitors with pro-democracy sympathies to visit various infected sites.

ESET noted that the WebKit exploit is used to infect Macs to gain code execution in the browser “is quite complex and had more than 1,000 lines of code.” However, the security firm was not able to pin down the precise CVE vulnerable in this attack, but was able to confirm the issue affects Safari versions prior to 14.1.

In the next phase of the attack (and after code execution is successful), a Mach-O is loaded into memory and executed. Mach-O then exploits an XNU local privilege escalation vulnerability (CVE-2021-30869) to run as root.

Apple patched the XNU vulnerability CVE-2021-30869 with security updates iOS 12.5.5 and macOS Catalina 2021-006 last September.

On a similar note, the Cybersecurity and Infrastructure Security Agency (CISA) has recently published 8 new actively exploited vulnerabilities, three of those are also related to unpatched XNU vulnerabilities dating back to 2014.

DazzleSpy

After analyzing the payload, ESET discovered the new malware, that they named DazzleSpy:

“DazzleSpy is a full-featured backdoor that provides attackers a large set of functionalities to control, and exfiltrate files from, a compromised computer. Our sample is a Mach-O binary file compiled for x86_64 CPU architecture.”

After connecting to a command-and-control (C&C) server, the malware then performs a TLS handshake and delivers commands from the C&C server to the victims’ Macs via a custom protocol. ESET also provided a large number of C&C commands the actors use.

The actors also implemented additional safeguards to hide communications to the C&C server.

“It’s also interesting that end-to-end encryption is enforced in DazzleSpy and it won’t communicate with its C&C server if anyone tries to eavesdrop on the unencrypted transmission by inserting a TLS-inspection proxy between the compromised system and the C&C server,” ESET said.

Finally, the security firm noted the campaign has similarities with a 2020 campaign that used LightSpy iOS malware.

Readers can check out the full report on the full exploit chain and indicators of compromise (IoCs) in the ESET blog post.