DazzleSpy conducts an attack campaign against Hong Kong politicians

February 17, 2022
DazzleSpy Cyberattack Campaign Hong Kong Politicians Pro Democracy Spyware Surveillance

A cyberespionage campaign called DazzleSpy has recently been identified infecting macOS systems by exploiting a flaw in the Safari browser through a watering hole attack. Based on reports, the threat actors conducted the campaign to target Hong Kong-based politicians and possess advanced technical capabilities.

The threat actors targeted the legitimate website of a pro-democracy internet radio station in Hong Kong called “D100 Radio”. They injected malicious iframes into the radio station’s website between late September and early November 2021. They also set up a ‘fightforhk[.]com’ website to bait liberation activists into accessing the malicious site.

The injected code then exploits a WebKit remote code execution vulnerability (CVE-2021-1789) to load a Mach-O file. Apple had already patched this vulnerability in the early weeks of February last year.

Moreover, the payload launches an intermediate Mach-O binary that abuses another flaw (CVE-2021-30869) in the kernel component to run the next-stage malware as root.


Researchers said DazzleSpy is a newly identified cyber-espionage campaign packed with several capabilities.


DazzleSpy is packed with features to exfiltrate and control files on a compromised computer. It also has other features that can inflict severe damage on the target.

A few of the main capabilities of DazzleSpy are that it can gather system information, dump the iCloud Keychain, and execute arbitrary shell commands. The actors can dump the iCloud Keychain by exploiting CVE-2019-8526 if the targeted macOS version is older than 10.14.4, where that flaw was patched.
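As an added defender-side example (not code from the original article or from the researchers who analysed DazzleSpy), the following classifies a host by its macOS ProductVersion against the 10.14.4 threshold mentioned above, so a fleet inventory can flag machines on which the Keychain-dumping capability still applies. The sw_vers-style input lines are constructed samples, and version strings are compared numerically to avoid the usual lexical-ordering mistake.

```python
import re

# Patch level at which CVE-2019-8526 was fixed, as stated in the article.
KEYCHAIN_FIX_VERSION = (10, 14, 4)


def parse_macos_version(sw_vers_output: str) -> tuple:
    """Extract ProductVersion from `sw_vers` text and return it as a tuple of ints.

    Numeric tuples avoid the classic string-comparison bug where "10.9"
    sorts after "10.14.4" when compared lexically.
    """
    m = re.search(r"^ProductVersion:\s*([\d.]+)", sw_vers_output, re.MULTILINE)
    if not m:
        raise ValueError("no ProductVersion line found in sw_vers output")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so "10.14" compares as (10, 14, 0).
    return parts + (0,) * (3 - len(parts))


def keychain_dump_path_applies(sw_vers_output: str) -> bool:
    """True when the host predates the 10.14.4 fix for CVE-2019-8526."""
    return parse_macos_version(sw_vers_output) < KEYCHAIN_FIX_VERSION


# Constructed sample sw_vers output for two hypothetical hosts (not real inventory data).
SAMPLE_OLD = "ProductName:\tMac OS X\nProductVersion:\t10.14.3\n"
SAMPLE_PATCHED = "ProductName:\tmacOS\nProductVersion:\t12.1\n"

if __name__ == "__main__":
    for label, sample in (("old host", SAMPLE_OLD), ("patched host", SAMPLE_PATCHED)):
        print(f"{label}: CVE-2019-8526 path applies = {keychain_dump_path_applies(sample)}")
```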

Lastly, DazzleSpy can also terminate a remote screen session and remove itself from the compromised systems.

The utilisation of several flaws shows that the threat actors operating DazzleSpy have strong technical capabilities. Furthermore, the use of watering hole attacks implies that they are engaged in highly targeted campaigns.

Experts suggest that deploying the right AV solutions and maintaining a proper version and patch management program can help mitigate the effects of the DazzleSpy campaign.
