  • Booby-trapped sites delivered potent new backdoor trojan to macOS users

    Karlston

    Written from scratch, DazzleSpy is the latest advanced piece of Mac malware.

    Researchers have uncovered advanced, never-before-seen macOS malware that was installed using exploits that were almost impossible for most users to detect or stop once the users landed on a malicious website.


    The malware was a full-featured backdoor that was written from scratch, an indication that the developers behind it have significant resources and expertise. DazzleSpy, as researchers from security firm Eset have named it, provides an array of advanced capabilities that give the attackers the ability to fully monitor and control infected Macs. Features include:


    • victim device fingerprinting
    • screen capture
    • file download/upload
    • execute terminal commands
    • audio recording
    • keylogging

    Deep pockets, top-notch talent

    Mac malware has become more common over the years, but the universe of advanced macOS backdoors remains considerably smaller than that of advanced backdoors for Windows. The sophistication of DazzleSpy—as well as the exploit chain used to install it—is impressive. It also doesn’t appear to have any corresponding counterpart for Windows. This has led Eset to say that the people who developed DazzleSpy are unusual.


    “First, they seem to be targeting Macs only,” Eset researcher Marc-Etienne M.Léveillé wrote in an email. “We haven’t seen payloads for Windows nor clues that it would exist. Secondly, they have the resources to develop complex exploits and their own spying malware, which is quite significant.”

    Indeed, researchers from Google’s threat analysis group who first uncovered the exploits said that, based on their analysis of the malware, they “believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code.”


    As the Google researchers first noted, the malware was spread in watering-hole attacks that used both fake and hacked sites appealing to pro-democracy activists in Hong Kong. The attacks exploited vulnerabilities that, when combined, gave the attackers the ability to remotely execute code of their choice within seconds of a victim visiting the booby-trapped webpage. All that was required for the exploit to work was for someone to visit the malicious site. No other user action was required, making this a one-click attack.


    “That’s kind of the scary part: on an unpatched system the malware would start to run with administrative privileges without the victim noticing,” M.Léveillé said. “Traffic to the C&C server is also encrypted using TLS.”


    Apple has since patched the vulnerabilities exploited in this attack.


    The exploit chain began with a code-execution vulnerability in WebKit, the browser engine behind Apple Safari. Eset researchers analyzed one of the watering-hole sites, which has since been taken down but remains cached in the Internet Archive. The site contained a simple iframe tag that loaded a page from amnestyhk[.]org.

    [Image: dazzle-spy-exploit-1.png, credit Eset]

    Macho Mach-O

    The script on the malicious amnestyhk[.]org domain checks the visitor's macOS version and redirects to the next stage only if the browser is running on macOS 10.15.2 or newer. That next stage loads a series of JavaScript files containing more than 1,000 lines of code. The exploit gains the ability to read and write the browser process's memory by first leaking the address of an object and then building a fake JavaScript object at a chosen memory location.


    The result: the malware creates two arrays that overlap in memory, allowing it to set a pointer that references a memory location where a malicious Mach-O executable can be executed. Researcher Samuel Groß has more details here and here.


    The Mach-O then exploits a second macOS vulnerability to run the remaining stage of the attack as root. This local privilege-escalation vulnerability, tracked as CVE-2021-30869, is further described by researchers Xinru Chi and Tielei Wang here and here.


    The Eset researchers aren’t certain which CVE covers the WebKit code-execution vulnerability, but based on Google researchers’ findings, they believe it’s CVE-2021-1789. In any event, Eset said the flaw no longer exists in current versions of macOS.


    To recap, the Mach-O does the following:


    1. Downloads a file from the URL supplied as an argument
    2. Decrypts this file using AES-128-ECB and TEA with a custom delta
    3. Writes the resulting file to $TMPDIR/airportpaird and makes it executable
    4. Uses the privilege escalation exploit to remove the com.apple.quarantine extended attribute from the file, so Gatekeeper never asks the user to confirm the launch of an unsigned executable downloaded from the internet
    5. Uses the same privilege escalation to launch the next stage with root privileges
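    Step 2 above describes a two-layer decryption, AES-128-ECB and TEA with a custom delta. The following is an added example, not code from the page, from Eset or from the malware, showing the TEA layer only: a TEA implementation parameterized by its delta constant, so the custom-delta variant is the same algorithm with one constant changed, plus a check that scans a binary for the standard delta bytes. That check is why a custom delta matters to analysts: a signature on the textbook constant 0x9E3779B9 silently misses the variant. The key, the actual delta used by DazzleSpy and the AES layer are not on the page; the demo key, the value of CUSTOM_DELTA, the little-endian word order and the sample plaintext are assumptions made for this example.

```python
import struct

STANDARD_DELTA = 0x9E3779B9  # textbook TEA constant; what naive signatures look for
MASK32 = 0xFFFFFFFF
ROUNDS = 32                  # TEA uses 32 Feistel rounds (64 "cycles" in the paper's terms)


def _encrypt_block(v0, v1, k, delta):
    """Encrypt one 64-bit block (two 32-bit words) with a 128-bit key (four words).
    Python ints are unbounded, so every result is masked back to 32 bits; the low
    32 bits of add/xor/shift depend only on the low 32 bits of their operands."""
    k0, k1, k2, k3 = k
    s = 0
    for _ in range(ROUNDS):
        s = (s + delta) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def _decrypt_block(v0, v1, k, delta):
    """Inverse of _encrypt_block: start from the final round sum and unwind."""
    k0, k1, k2, k3 = k
    s = (delta * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - delta) & MASK32
    return v0, v1


def _key_words(key):
    if len(key) != 16:
        raise ValueError("TEA needs a 16-byte key")
    return struct.unpack("<4I", key)  # assumption: little-endian word order


def _process(data, key, delta, block_fn):
    if len(data) % 8:
        raise ValueError("TEA works on 8-byte blocks; pad the input first")
    k = _key_words(key)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *block_fn(v0, v1, k, delta))
    return bytes(out)


def tea_encrypt(data, key, delta=STANDARD_DELTA):
    """ECB-style TEA encryption of a block-aligned buffer with the given delta."""
    return _process(data, key, delta, _encrypt_block)


def tea_decrypt(data, key, delta=STANDARD_DELTA):
    """ECB-style TEA decryption; delta must match the one used to encrypt."""
    return _process(data, key, delta, _decrypt_block)


def contains_standard_tea_delta(blob):
    """Mimics a constant-based signature: does the textbook delta appear in the
    blob, in either byte order? A custom-delta build returns False here."""
    return any(struct.pack(fmt, STANDARD_DELTA) in blob for fmt in ("<I", ">I"))


# Constructed demo values (assumptions, not taken from the page or the malware).
DEMO_KEY = bytes(range(16))
CUSTOM_DELTA = 0x7A3B9C1D
DEMO_PLAINTEXT = b"next-stage payload, 24 B"  # exactly 24 bytes = 3 blocks


def demo():
    """Round-trip with the custom delta, then show that the textbook delta does
    not recover the plaintext. Returns (custom_roundtrip_ok, standard_delta_ok)."""
    ct = tea_encrypt(DEMO_PLAINTEXT, DEMO_KEY, CUSTOM_DELTA)
    custom_ok = tea_decrypt(ct, DEMO_KEY, CUSTOM_DELTA) == DEMO_PLAINTEXT
    standard_ok = tea_decrypt(ct, DEMO_KEY, STANDARD_DELTA) == DEMO_PLAINTEXT
    return custom_ok, standard_ok


def demo_signature():
    """Two constructed 'binaries' (assumed layouts): one embedding the textbook
    delta, one embedding the custom delta. Returns (textbook_hit, custom_hit)."""
    textbook_build = b"\x00" * 8 + struct.pack("<I", STANDARD_DELTA) + b"\xff" * 8
    custom_build = b"\x00" * 8 + struct.pack("<I", CUSTOM_DELTA) + b"\xff" * 8
    return contains_standard_tea_delta(textbook_build), contains_standard_tea_delta(custom_build)


if __name__ == "__main__":
    print("custom-delta roundtrip / textbook-delta recovery:", demo())
    print("signature hit on textbook build / on custom build:", demo_signature())
```

    When triaging a sample like this, the practical lesson is to identify TEA from its round structure (the shift-by-4 and shift-by-5 pattern and the 32-round loop) rather than from the delta constant, and to pull the actual delta out of the disassembly before attempting to decrypt the downloaded stage.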


    With DazzleSpy installed, Macs are now fully backdoored. The malware encrypts its communications with a control server and accepts at least 21 different commands, as documented in the following table:


    Table 1. DazzleSpy C&C commands

    Command name            Purpose
    heartbeat               Sends heartbeat response.
    info                    Collects information about the compromised computer, including:
                            • Hardware UUID and Mac serial number
                            • Username
                            • Information about disks and their sizes
                            • macOS version
                            • Current date and time
                            • Wi-Fi SSID
                            • IP addresses
                            • Malware binary path and MD5 hash of the main executable
                            • Malware version
                            • System Integrity Protection status
                            • Current privileges
                            • Whether it’s possible to use CVE-2019-8526 to dump the keychain
    searchFile              Searches for the specified file on the compromised computer.
    scanFiles               Enumerates files in the Desktop, Downloads, and Documents folders.
    cmd                     Executes the supplied shell command.
    restartCMD              Restarts the shell session.
    restart                 Depending on the supplied parameter: restarts the C&C command session, shell session or RDP (remote screen) session, or cleans possible malware traces (the fsck_hfs.log file and application logs).
    processInfo             Enumerates running processes.
    keychain                Dumps the keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4. The public KeySteal implementation is used.
    downloadFileInfo        Enumerates the supplied folder, or provides creation and modification timestamps and the SHA-1 hash for a supplied filename.
    downloadFile            Exfiltrates a file from the supplied path.
    file                    File operations: provides information about, renames, removes, moves, or runs a file at the supplied path.
    uninstall               Deletes itself from the compromised computer.
    RDPInfo                 Provides information about a remote screen session.
    RDP                     Starts or ends a remote screen session.
    mouseEvent              Provides mouse events for a remote screen session.
    acceptFileInfo          Prepares for file transfer (creates the folder at the supplied path, changes file attributes if it exists).
    acceptFile              Writes the supplied file to disk. With additional parameters, updates itself or writes the files required for exploiting the CVE-2019-8526 vulnerability.
    socks5                  Starts or ends a SOCKS5 session (not implemented).
    recoveryInfo, recovery  These appear to be file recovery functions that involve scanning a partition. They do not seem to work and are probably still in development; they contain lots of hardcoded values.


    While advanced and potentially dangerous, there’s no evidence DazzleSpy is targeting anyone other than those visiting sites advocating for democracy in Hong Kong. That means readers should remember the chances of being infected are extremely low for everyone else.


    Those with reason to think they’ve been infected with DazzleSpy can check a list of indicators in a post Eset published on Tuesday to see if they’ve been compromised.
