DazzleSpy was used to target Hong Kong democracy activists, initially through a fake pro-democracy website, and later through a real one, in a so-called watering hole attack …
We learned yesterday about a hijack of the Mac webcam. That discovery was, thankfully, made by a cybersecurity student who reported it to Apple. But DazzleSpy was used in the wild.
Google’s Threat Analysis Group (TAG) first reported the attack back in November of last year.
To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor […]
Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.
Watering hole attacks are so named because they are used at places where targets are likely to gather, such as particular types of websites.
DazzleSpy Mac malware
Although Google revealed some details at the time, it turns out that security researchers at ESET discovered it first, and the firm has now released more detailed information.
Based on the websites used for the attack, it’s not exactly hard to work out who was behind it.
It was reported by Felix Aimé from SEKOIA.IO that one of the websites used to propagate the exploits was a fake website targeting Hong Kong activists. We can read on its home page “Liberate Hong Kong, the revolution of our times”. The very recent registration date of the fightforhk[.]com domain, October 19th, 2021, and the fact that the website is no longer accessible, supports that idea. We could also confirm that the Internet Archive cached a copy of the web page on November 13th.
ESET researchers found another website, this time legitimate but compromised, that also distributed the same exploit during the few months prior to the Google TAG publication: the online, Hong Kong, pro-democracy radio station D100. As seen in Figure 2, an iframe was injected into pages served by bc.d100[.]net – the section of the website used by subscribers – between September 30th and November 4th 2021.
There is also Chinese language in the code, and dates and times of information sent back to the server are converted to Shanghai’s time zone.
The attack used a WebKit exploit. The exploit is complex – with more than 1,000 lines of code – so you’ll need to read the blog post for a detailed understanding, but the tl;dr summary is this:
- Downloads a file from the URL supplied as an argument
- Decrypts this file using AES-128-EBC and TEA with a custom delta
- Writes the resulting file to $TMPDIR/airportpaird and makes it executable
- Uses the privilege escalation exploit to remove the com.apple.quarantine attribute from the file to avoid asking the user to confirm the launch of the unsigned executable
- Uses the same privilege escalation to launch the next stage with root privileges
This gives the malware admin privileges without user interaction.
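One defender-side check that follows from that chain, added here as an example and not code from the article, ESET or Google: flag executables in $TMPDIR that carry no com.apple.quarantine attribute, and call out the drop name reported above. It assumes macOS, where the `xattr` command lists attribute names; the classification step takes the attribute reader as a parameter so it can be exercised on any platform.

```python
import os
import stat
import subprocess
from typing import Callable, Dict, List

QUARANTINE_XATTR = "com.apple.quarantine"
# Drop name reported for the stage-2 payload in this exploit chain.
KNOWN_DROP_NAME = "airportpaird"

def macos_xattr_names(path: str) -> List[str]:
    """List extended attribute names with the macOS `xattr` tool (assumed present)."""
    proc = subprocess.run(["xattr", path], capture_output=True, text=True, check=False)
    return [line.strip() for line in proc.stdout.splitlines() if line.strip()]

def is_executable_regular_file(mode: int) -> bool:
    """True for a regular file with any execute bit set."""
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(mode) and bool(mode & exec_bits)

def classify(path: str, mode: int, xattr_names: Callable[[str], List[str]]) -> List[str]:
    """Reasons a file resembles the unquarantined drop (empty list if none)."""
    if not is_executable_regular_file(mode):
        return []
    reasons = []
    if QUARANTINE_XATTR not in xattr_names(path):
        reasons.append("executable without com.apple.quarantine")
    if os.path.basename(path) == KNOWN_DROP_NAME:
        reasons.append("name matches reported drop file")
    return reasons

def scan_directory(directory: str, xattr_names=macos_xattr_names) -> Dict[str, List[str]]:
    """Scan one directory, non-recursively; symlinks are not followed."""
    findings: Dict[str, List[str]] = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        try:
            mode = os.lstat(path).st_mode
        except OSError:
            continue
        reasons = classify(path, mode, xattr_names)
        if reasons:
            findings[path] = reasons
    return findings

if __name__ == "__main__":
    # Check the per-user temp dir the stage-2 payload was written to.
    for found, why in scan_directory(os.environ.get("TMPDIR", "/tmp")).items():
        print(found, "->", "; ".join(why))
```

Locally built binaries never carry the quarantine attribute either, so hits are triage leads to pair with the other indicators, not a verdict on their own.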
The malware itself is extremely powerful, allowing the attacker access to multiple commands:
- searchFile: Searches for the specified file on the compromised computer.
- scanFiles: Enumerates files in Desktop, Downloads, and Documents folders.
- cmd: Executes the supplied shell command.
- restartCMD: Restarts shell session.
- processInfo: Enumerates running processes.
- keychain: Dumps the keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4. The public keychain KeySteal implementation is used.
- downloadFileInfo: Enumerates the supplied folder, or provides creation and modification timestamps and SHA-1 hash for a supplied filename.
- downloadFile: Exfiltrates a file from the supplied path.
- file: File operations: provides information, renames, removes, moves, or runs a file at the supplied path.
- RDP: Starts or ends a remote screen session.
- acceptFileInfo: Prepares for file transfer (creates the folder at the supplied path, changes file attributes if it exists).
- acceptFile: Writes the supplied file to disk. With additional parameters, updates itself or writes files required for acceptFile exploiting the CVE-2019-8526 vulnerability.
Apple patched the vulnerabilities used – as ever, a reminder to keep your devices updated.