Google’s Threat Analysis Group (TAG) has revealed that hackers targeting visitors to websites in Hong Kong were using a previously undisclosed, or zero-day, flaw in macOS to spy on people.
TAG considers the hack to be a watering hole attack. In a watering hole attack, the attacker compromises websites that a particular group of users typically visits, so that the infected sites deliver the exploit to that group.
The hackers exploited an XNU privilege escalation vulnerability (CVE-2021-30869) that was still unpatched in macOS Catalina. Apple patched the bug after TAG informed the company about it. Once root access was gained, the attackers downloaded a payload that ran silently in the background on infected Macs. The design of the malware suggests a well-resourced attacker, according to Google TAG.
According to Erye Hernandez, author of the blog post about the exploit, the websites leveraged for the attacks contained two iframes that served exploits from an attacker-controlled server: one for iOS and the other for macOS.
While exploits targeting iOS users employed a framework based on Ironsquirrel to encrypt exploits delivered to the victim’s browser, macOS exploits took a different path.
The landing page was a simple HTML page loading two scripts, one for Capstone.js and another for the exploit chain. The JavaScript that starts the exploit chain checks which version of macOS the visitor is running and targets only users on Catalina.
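As an added illustration from the defender's side (not code from the TAG report or the attack), here is a small heuristic scanner that flags the landing-page traits the article describes: multiple cross-origin iframes, a Capstone.js script load, and inline JavaScript that gates on the macOS Catalina version. The sample HTML, the host names and the regex heuristics are constructed assumptions; the regexes are a triage aid, not an HTML parser.

```python
import re
from urllib.parse import urlparse

# Heuristics for the traits described in the article (assumed patterns, not TAG's IoCs).
IFRAME_RE = re.compile(r'<iframe[^>]+src=["\']([^"\']+)["\']', re.I)
SCRIPT_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
# A script that reads the user agent / platform and compares it with macOS 10.15 (Catalina).
VERSION_GATE_RE = re.compile(r'(userAgent|platform)[^;]{0,200}?(10[._]15|Catalina)', re.I)


def host_of(url: str) -> str:
    """Return the hostname of an absolute URL, or '' for relative URLs."""
    return urlparse(url).hostname or ""


def scan_page(html: str, page_host: str) -> list[str]:
    """Return human-readable findings for a fetched page; empty list means nothing suspicious."""
    findings = []
    cross_origin = [u for u in IFRAME_RE.findall(html)
                    if host_of(u) and host_of(u) != page_host]
    if len(cross_origin) >= 2:
        findings.append(f"{len(cross_origin)} cross-origin iframes: {', '.join(cross_origin)}")
    if any("capstone" in s.lower() for s in SCRIPT_RE.findall(html)):
        findings.append("page loads the Capstone.js disassembler")
    if VERSION_GATE_RE.search(html):
        findings.append("inline script gates on macOS 10.15 / Catalina")
    return findings


# Constructed sample of a compromised page; hosts are placeholders, not real indicators.
SAMPLE_HTML = """
<html><body>
<iframe src="https://attacker.invalid/ios.html" style="display:none"></iframe>
<iframe src="https://attacker.invalid/mac.html" style="display:none"></iframe>
<script src="https://attacker.invalid/capstone.min.js"></script>
<script>
if (navigator.userAgent.indexOf("Mac OS X 10_15") !== -1) { startChain(); }
</script>
</body></html>
"""

# Constructed benign page: a single same-origin iframe and no version gating.
BENIGN_HTML = '<iframe src="https://news.example/player.html"></iframe>'

if __name__ == "__main__":
    for line in scan_page(SAMPLE_HTML, "news.example"):
        print("FINDING:", line)
```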
“Based on our findings, we believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code,” Hernandez wrote.
According to the research, the exploits could have been used for capturing victims' keystrokes, fingerprinting, taking screenshots, downloading files, recording audio, and executing terminal commands.
“The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2,” Hernandez wrote.