Jump to content
  • Booby-trapped sites delivered potent new backdoor trojan to macOS users

    Karlston

    • 477 views
    • 7 minutes
     Share


    • 477 views
    • 7 minutes

    Written from scratch, DazleSpy is the latest advanced piece of Mac malware.

    Researchers have uncovered advanced, never-before-seen macOS malware that was installed using exploits that were almost impossible for most users to detect or stop once the users landed on a malicious website.

     

    The malware was a full-featured backdoor that was written from scratch, an indication that the developers behind it have significant resources and expertise. DazzleSpy, as researchers from security firm Eset have named it, provides an array of advanced capabilities that give the attackers the ability to fully monitor and control infected Macs. Features include:

     

    • victim device fingerprinting
    • screen capture
    • file download/upload
    • execute terminal commands
    • audio recording
    • keylogging

    Deep pockets, top-notch talent

    Mac malware has become more common over the years, but the universe of advanced macOS backdoors remains considerably smaller than that of advanced backdoors for Windows. The sophistication of DazzleSpy—as well as the exploit chain used to install it—is impressive. It also doesn’t appear to have any corresponding counterpart for Windows. This has led Eset to say that the people who developed DazzleSpy are unusual.

     

    “First, they seem to be targeting Macs only,” Eset researcher Marc-Etienne M.Léveillé wrote in an email. “We haven’t seen payloads for Windows nor clues that it would exist. Secondly, they have the resources to develop complex exploits and their own spying malware, which is quite significant.”

    Indeed, researchers from Google’s threat analysis group who first uncovered the exploits said that, based on their analysis of the malware, they “believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code.”

     

    As the Google researchers first noted, the malware was spread in watering-hole attacks that used both fake and hacked sites appealing to pro-democracy activists in Hong Kong. The attacks exploited vulnerabilities that, when combined, gave the attackers the ability to remotely execute code of their choice within seconds of a victim visiting the booby-trapped webpage. All that was required for the exploit to work was for someone to visit the malicious site. No other user action was required, making this a one-click attack.

     

    “That’s kind of the scary part: on an unpatched system the malware would start to run with administrative privileges without the victim noticing,” M.Léveillé said. “Traffic to the C&C server is also encrypted using TLS.”

     

    Apple has since patched the vulnerabilities exploited in this attack.

     

    The exploit chain consisted of a code-execution vulnerability in Webkit, the browser engine for Apple Safari. Eset researchers analyzed one of the watering-hole sites, which was taken down but remains cached in the Internet Archives. The site contained a simple iframe tag that connected to a page at amnestyhk[.]org.

     
     
    dazzle-spy-exploit-1-640x592.png
    Eset

    Macho Mach-O

    The script on the malicious amnestyhk[.]org domain checks for the installed macOS version and redirects visitors to the next stage if their browsers are running on macOS 10.15.2 or newer. This next stage runs a series of JavaScript files that contain more than 1,000 lines of code. The extremely complex exploit gains the ability to read and write to Mac memory by first leaking the memory address of an object and then creating a fake JavaScript object from a specific memory object.

     

    The result: the malware creates two arrays that overlap in memory, allowing it to set a pointer that references a memory location where a malicious Mach-O executable can be executed. Researcher Samuel Groß has more details here and here.

     

    The Mach-O then exploits a second macOS vulnerability to run the remaining stage of the attack as root. This local privilege-escalation vulnerability, tracked as CVE-2021-30869, is further described by researchers Xinru Chi and Tielei Wang here and here.

     

    The Eset researchers aren’t sure what the CVE designation is for the privilege-escalation vulnerability, but based on Google researchers’ findings, they believe it’s CVE-2021-1789. In any event, Eset said the vulnerability no longer exists in current versions of macOS.

     

    To recap, the Mach-O does the following:

     

    1. Downloads a file from the URL supplied as an argument
    2. Decrypts this file using AES-128-EBC and TEA with a custom delta
    3. Writes the resulting file to $TMPDIR/airportpaird and makes it executable
    4. Uses the privilege escalation exploit to remove the com.apple.quarantineattribute from the file to avoid asking the user to confirm the launch of the unsigned executable
    5. Uses the same privilege escalation to launch the next stage with root privileges

     

    With DazzleSpy installed, Macs are now fully backdoored. The malware encrypts its communications with a control server and accepts at least 21 different commands, as documented in the following table:

     

    Table 1. DazzleSpy C&C commands

     

    Command name Purpose
    heartbeat Sends heartbeat response.
    info Collects information about compromised computer, including:
    • Hardware UUID and Mac serial number
    • Username
    • Information about disks and their sizes
    • macOS version
    • Current date and time
    • Wi-Fi SSID
    • IP addresses
    • Malware binary path and MD5 hash of the main executable
    • Malware version
    • System Integrity Protection status
    • Current privileges
    • Whether it’s possible to use CVE-2019-8526 to dump the keychain
    searchFile Searches for the specified file on the compromised computer.
    scanFiles Enumerates files in Desktop, Downloads, and Documents folders.
    cmd Executes the supplied shell command.
    restartCMD Restarts shell session.
    restart Depending on the supplied parameter: restarts C&C command session, shell session or RDP session, or cleans possible malware traces (fsck_hfs.log file and application logs).
    processInfo Enumerates running processes.
    keychain Dumps the keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4. The public KeySteal implementation is used.
    downloadFileInfo Enumerates the supplied folder, or provides creation and modification timestamps and SHA-1 hash for a supplied filename.
    downloadFile Exfiltrates a file from the supplied path.
    file File operations: provides information, renames, removes, moves, or runs a file at the supplied path.
    uninstall Deletes itself from the compromised computer.
    RDPInfo Provides information about a remote screen session.
    RDP Starts or ends a remote screen session.
    mouseEvent Provides mouse events for a remote screen session.
    acceptFileInfo Prepares for file transfer (creates the folder at the supplied path, changes file attributes if it exists).
    acceptFile Writes the supplied file to disk. With additional parameters, updates itself or writes files required for exploiting the CVE-2019-8526 vulnerability.
    socks5 Starts or ends SOCKS5 session (not implemented).
    recoveryInfo These seem like file recovery functions that involve scanning a partition. These functions do not seem to work and are probably still in development; they contain lots of hardcoded values.
    recovery

     

    While advanced and potentially dangerous, there’s no evidence DazzleSpy is targeting anyone other than those visiting sites advocating for democracy in Hong Kong. That means readers should remember the chances of being infected are extremely low for everyone else.

     

    Those with reason to think they’ve been infected with DazzleSpy can check a list of indicators in a post Eset published on Tuesday to see if they’ve been compromised.

     

     

    Booby-trapped sites delivered potent new backdoor trojan to macOS users


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...