New macOS Malware Planted via Pro-Democracy Hong Kong Radio Station
DazzleSpy Conducts a Wide Variety of Cyberespionage Actions
A new cyberespionage malware dubbed "DazzleSpy" has been found targeting macOS and iOS users in Hong Kong. The malware is being planted through pro-democracy radio station D100's news website, which was earlier compromised through a watering hole campaign that exploited a Safari browser vulnerability, researchers from cybersecurity firm ESET report.
"The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code. It's interesting to note that some code suggests the vulnerability could also have been exploited on iOS, even on devices such as the iPhone XS and newer," says Marc-Etienne Léveillé, a malware researcher at ESET who investigated the watering hole attack.
DazzleSpy is capable of a wide variety of cyberespionage actions, according to the researchers, including exfiltration of compromised system information, starting a remote screen session, writing a supplied file to disk, keylogging and audio recording. Given its capabilities, they say, the malware is likely used for spying on visitors of this website who are politically active and pro-democracy supporters.
In November, Google's Threat Analysis Group reported a watering hole campaign that was exploiting a zero-day vulnerability in the Safari web browsers running on macOS and distributing a never-before-seen malware (see: Mac Zero-Day Alert: Watering Hole Attacks in the Wild).
At the time, Erye Hernandez, a team member of Google Threat Analysis Group, said, "Hong Kong websites of a media outlet and a prominent pro-democracy labor and political group" were the targets of this campaign. The ESET researchers confirm that the same watering hole campaign compromised the D100 radio station's subdomain bc[.]d100[.]net - which is a subscription page of the platform, according to its investigation. This statement concurs with Google's previous disclosure.
ESET says that it was observing the campaign at the same time that Google published its observations, but it was able to find more details on both the targets and the malware being used in the attacks.
Google had found 10 URLs used for the malware's delivery and added them to its blacklisting service, Safe Browsing. Those URLs were all malicious sites built from scratch to deliver the malware. In this new report, however, the researchers say the malware was implanted on a legitimate website after the attackers gained higher privileges on it.
Malware's Modus Operandi
Thomas Reed, director of Mac and mobile at Malwarebytes, says the DazzleSpy malware infects machines using a combination of two vulnerabilities: one in WebKit, the framework that powers Safari, and a privilege escalation vulnerability in macOS.
Reed compares the attack method of DazzleSpy with the previously known CDDS or MACMA malware that Google mentions in its blog, but says the two pieces of malware have different code and capabilities and are also very different in terms of what gets installed. CDDS, he says, distributes multiple executable files across a couple of different folders, while the DazzleSpy payload is a single, smaller file that can also install the open-source KeySteal exploit on older systems, to steal keychain data.
At the time of the Google disclosure, Apple issued patches and subsequent updates to fix the exploited vulnerabilities, and ESET has confirmed that the patch identified by the Google team fixes the Safari vulnerability used in the attacks.
Neither ESET nor Google is sure of the identity of the threat actor behind this new malware campaign, but Léveillé says the complexity of the exploits indicates that the group behind the operation has "strong technical capabilities."
Reed says the specific targeting of pro-democracy supporters in Hong Kong is not unusual given that "there's a long history of suspected Chinese government use of malware to track oppressed groups, spanning many years, and the pattern of usage [of this malware] makes it extremely likely" that the government is involved. But definitive attribution is difficult without a lot of corroborating data.
Although the ESET researchers do not openly attribute the malware to China, they say that the threat actor involved, after exfiltrating the current date and time on a compromised system, converted the obtained date to the Asia/Shanghai time zone - or China Standard Time - before sending it to the command-and-control server. "In addition, the DazzleSpy malware contains a number of internal messages in Chinese," the researchers say.
But Reed says threat actors have been known to insert Chinese- or Russian-language strings into executables in an attempt at misdirection, so "the presence of Chinese strings in the executable is far from incontrovertible evidence of Chinese government's involvement."
Hong Kong's Anti-Espionage Law
Meanwhile, Hong Kong has decided to "enhance" its spy law to prevent acts of "espionage and theft of state secrets," according to the Hong Kong Free Press, which quotes Chris Tang, the territory's security secretary, who addressed the legislative council on Wednesday.
Tang told the council that Hong Kong's existing Official Secrets Ordinance was written years ago and is inadequate to fully address the criminal acts of espionage and theft of state secrets seen today, the Free Press reports. He said the act is still being studied, however, and any amendment would come by the end of the year, according to the newspaper.
The Hong Kong government said the overhaul would ensure the city's stability and prosperity, but the changes have also prompted international condemnation as they made it near-impossible for pro-democracy candidates to stand in elections, the Free Press reports.