The booby-trapped sites delivered a powerful new backdoor Trojan to macOS users

Close-up photo of a Macintosh laptop keyboard.

Researchers have discovered advanced, never-before-seen malware for macOS that was installed using exploits that were almost impossible for most users to detect or stop once they landed on a malicious website.

The malware was a full-featured backdoor that was written from scratch, an indication that the developers behind it have significant resources and experience. DazzleSpy, as researchers at security firm Eset called it, provides a variety of advanced capabilities that give attackers the ability to fully monitor and control infected Macs. Features include:

  • fingerprinting the victim’s device
  • capturing screenshots
  • downloading and uploading files
  • running terminal commands
  • recording audio
  • keylogging

Deep pockets, top-tier talent

Mac malware has become more common over the years, but the universe of macOS advanced backdoors is still considerably smaller than that of advanced Windows backdoors. The sophistication of DazzleSpy, as well as the exploit chain used to install it, is impressive. It also doesn’t seem to have any corresponding counterpart for Windows. This has led Eset to say that the people who developed DazzleSpy are unusual.

“First, it appears they only target Macs,” Eset researcher Marc-Etienne M.Léveillé wrote in an email. “We have not seen payloads for Windows or hints that it would exist. Second, they have the resources to develop complex exploits and their own espionage malware, which is quite significant.”

In fact, researchers from Google’s threat analysis group, who first discovered the exploits, said that based on their analysis of the malware, “they believe this threat actor is a well-resourced group, likely backed by the state, with access to its own software engineering team based on payload code quality.”

As Google researchers first noted, the malware was spread in watering-hole attacks using fake and hacked sites that attracted pro-democracy activists in Hong Kong. The attacks exploited vulnerabilities that, when combined, gave attackers the ability to remotely execute code of their choice seconds after the victim visited the booby-trapped web page. All that was required for the exploit to work was for someone to visit the malicious site; no other user action was needed, making this a one-click attack.

“That’s the scary part: on an unpatched system, the malware would start running with administrative privileges without the victim realizing it,” said M. Léveillé. “Traffic to the C&C server is also encrypted using TLS.”

Apple has since patched the vulnerabilities exploited in this attack.

The exploit chain consisted of a code execution vulnerability in WebKit, the browser engine for Apple Safari, as well as Google’s Chrome and Chromium. Eset researchers analyzed one of the watering-hole sites, which has since been taken down but remains cached in the Internet Archive. The site contained a simple iframe tag that loaded a page on amnestyhk[.]org.
