
The attack chain begins by running a script that checks which version of macOS is installed. JavaScript containing the exploit code, mac.js, is then deployed to trigger the WebKit engine flaw.

"Both distribution methods have something in common: they attract visitors from Hong Kong with pro-democracy sympathies," ESET says. "It seems that they were the primary target of this threat."

In addition, fake 'liberate Hong Kong' websites also delivered the malware. The legitimate pro-democracy online radio station D100 was compromised to serve the payload via an iframe between September 30 and November 4, 2021.

"Based on our findings, we believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code," Google TAG said.

ESET has now provided a breakdown of additional attack vectors used and of the exploit itself. Apple has since patched the type confusion zero-day flaw, now tracked as CVE-2021-30869. The attack also used an XNU privilege escalation vulnerability in macOS Catalina, leading to the execution of the backdoor malware.

On November 11, 2021, TAG said watering hole attacks had been spotted on a media outlet and a pro-democracy political website targeting Hong Kong residents. The website was used to facilitate a watering hole attack and to serve a Safari browser exploit to visitors, leading to the deployment and execution of spyware on victim machines.

Dubbed DazzleSpy by ESET researchers, the malware is a backdoor for conducting surveillance on an infected Mac. ESET's investigation follows past research conducted by Google's Threat Analysis Group (TAG) security team.
