Watering hole deploys new macOS malware, DazzleSpy, in Asia

ESET analyzes a watering-hole campaign that delivers a new macOS backdoor named DazzleSpy via a WebKit/Safari exploit chain. The targets were Hong Kong pro-democracy individuals; the exploit was served from the attacker-registered domain amnestyhk[.]org and from compromised pages on fightforhk.com and bc.d100.net.

Keypoints

  • The campaign used watering-hole sites targeting Hong Kong activists, distributing the exploit via amnestyhk.org and compromised pages on fightforhk.com and bc.d100.net.
  • The infection chain first checks the macOS version (10.15.2 or later) and then loads the Safari exploit (mac.js), which has a copy of Capstone.js prepended to it.
  • The WebKit exploit builds on memory-corruption primitives (addrof and fakeobj) and a JIT-related bug to reach code execution; comments in the code reference iOS and PAC-enabled devices.
  • Privilege escalation to root is achieved via a macOS LPE vulnerability (CVE-2021-30869), enabling the next stage to run with root privileges.
  • The final payload, DazzleSpy, is a macOS backdoor that persists via a Launch Agent and communicates with a hardcoded C2 server over TLS on port 5633.
  • DazzleSpy can gather extensive system data, perform file searches, exfiltrate files, dump keychain data, and remotely control the host, with end-to-end encryption for C2 traffic.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – Use of domain names such as amnestyhk[.]org on compromised web servers. – [ “Domain names such as amnestyhk[.]org were acquired to use on compromised web servers.” ]
  • [T1583.004] Acquire Infrastructure: Server – Servers (or virtual servers) rented to serve WebKit exploits and used as C2 servers for DazzleSpy. – [ “Servers (or virtual servers) were rented to serve WebKit exploits and used as C&C servers for DazzleSpy.” ]
  • [T1584.004] Compromise Infrastructure: Server – A legitimate website was compromised to add an iframe loading malicious JavaScript code. – [ “A legitimate website was compromised to add an iframe loading malicious JavaScript code.” ]
  • [T1587.001] Develop Capabilities: Malware – DazzleSpy is macOS malware developed to steal information from its victims. – [ “DazzleSpy is macOS malware developed to steal information from its victims.” ]
  • [T1587.003] Develop Capabilities: Digital Certificates – DazzleSpy verifies the authenticity of its C2 server using an X.509 certificate. – [ “DazzleSpy verifies the authenticity of its C2 server using an X.509 certificate.” ]
  • [T1587.004] Develop Capabilities: Exploits – An undocumented Safari exploit was used to compromise the targets. – [ “An undocumented Safari exploit was used to compromise the targets.” ]
  • [T1608.004] Stage Capabilities: Drive-by Target – This operation compromised a website that is likely to be visited by its targets, to distribute malware. – [ “This operation compromised a website that is likely to be visited by its targets, to distribute malware.” ]
  • [T1189] Initial Access: Drive-by Compromise – The compromised website served the exploit to visitors using Safari on a Mac. – [ “The compromised website served the exploit to visitors using Safari on a Mac.” ]
  • [T1569] Execution: System Services – The exploit sends Mach messages to launchd to remove the quarantine flag and to kuncd to launch the malware. – [ “The exploit sends Mach messages to launchd to remove the quarantine flag and to kuncd to launch the malware.” ]
  • [T1543.001] Persistence: Create or Modify System Process: Launch Agent – DazzleSpy persists by installing a Launch Agent. – [ “DazzleSpy persists by installing a Launch Agent.” ]
  • [T1068] Privilege Escalation: Exploitation for Privilege Escalation – An LPE exploit for macOS is used to elevate privileges to root. – [ “An LPE exploit for macOS is used to elevate privileges to root.” ]
  • [T1620] Defense Evasion: Reflective Code Loading – The LPE exploit downloading the next stage is loaded and executed in memory only. – [ “The LPE exploit downloading the next stage is loaded and executed in memory only.” ]
  • [T1555.001] Credential Access: Keychain – DazzleSpy can steal credentials from the macOS keychain. – [ “DazzleSpy can steal credentials from the macOS keychain.” ]
  • [T1083] Discovery: File and Directory Discovery – DazzleSpy can enumerate files in specific folders. – [ “DazzleSpy can be used to enumerate files in specific folders.” ]
  • [T1057] Discovery: Process Discovery – DazzleSpy can obtain the list of running processes. – [ “DazzleSpy can obtain the list of running processes.” ]
  • [T1082] Discovery: System Information Discovery – DazzleSpy can obtain the macOS version. – [ “DazzleSpy can obtain the macOS version.” ]
  • [T1016] Discovery: System Network Configuration Discovery – DazzleSpy can obtain the IP address and Wi-Fi SSID. – [ “DazzleSpy can obtain the IP address and Wi-Fi SSID.” ]
  • [T1033] Discovery: System Owner/User Discovery – DazzleSpy can obtain the current username from a compromised Mac. – [ “DazzleSpy can obtain the current username from a compromised Mac.” ]
  • [T1124] Discovery: System Time Discovery – DazzleSpy can obtain the system time on a compromised Mac. – [ “DazzleSpy can obtain the system time on a compromised Mac.” ]
  • [T1005] Collection: Data from Local System – DazzleSpy can search for documents on the compromised system. – [ “DazzleSpy can search for documents on the compromised system.” ]
  • [T1113] Collection: Screen Capture – DazzleSpy has the ability to record screen activity. – [ “DazzleSpy has the ability to record screen activity.” ]
  • [T1071] Command and Control: Application Layer Protocol – DazzleSpy uses a custom JSON-based protocol for its C2 communications. – [ “DazzleSpy uses a custom JSON-based protocol for its C2 communications.” ]
  • [T1132.001] Command and Control: Data Encoding: Standard Encoding – DazzleSpy uses base64 to encode parts of its C2 communications. – [ “DazzleSpy uses base64 to encode parts of its C2 communications.” ]
  • [T1573] Command and Control: Encrypted Channel – DazzleSpy's C2 traffic is TLS-encrypted. – [ “TLS encryption.” ]
  • [T1571] Command and Control: Non-Standard Port – DazzleSpy uses TCP port 5633. – [ “DazzleSpy uses TCP port 5633.” ]
  • [T1041] Exfiltration: Exfiltration Over C2 Channel – DazzleSpy exfiltrates data over its C2 communications channel. – [ “DazzleSpy exfiltrates data over its C2 communications channel.” ]

Indicators of Compromise

  • [SHA-1] Samples – F3772A23595C0B51AE32D8E7D601ACBE530C7E97, 95889E0EF3D31367583DD31FB5F25743FE92D81D, and EE0678E58868EBD6603CC2E06A134680D2012C1B
  • [Filename] MacOS malware artifacts – mac.js, server.enc
  • [Filename] Persistence artifacts – com.apple.softwareupdate.plist, $HOME/.local/softwareupdate
  • [URL] Safari exploit endpoints – https://amnestyhk[.]org/ss/defaultaa.html, https://amnestyhk[.]org/ss/4ba29d5b72266b28.html
  • [URL] Additional exploit endpoints – https://amnestyhk[.]org/ss/mac.js, https://amnestyhk[.]org/ss/server.enc
  • [IP] DazzleSpy C2 server – 88.218.192[.]128:5633
  • [Certificate] C2 CA certificate – SHA-256: 1F862B89CC5557F8309A6739DF30DC4AB0865668193FDFF70BA93F05D4F8C8B8
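A defender-side check for the Launch Agent persistence described in the key points and listed under the persistence artifacts above (an Apple-looking com.apple.softwareupdate.plist whose program lives under $HOME/.local). This is an added example written for this page, not code from ESET's report; the sample plists, the /Users/victim path and the heuristic list of legitimate Apple binary locations are constructed assumptions.

```python
import plistlib
from pathlib import Path

# Constructed plist modelled on the page's persistence artifacts (not a real capture).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate</string>
  <key>ProgramArguments</key><array><string>/Users/victim/.local/softwareupdate</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
# Constructed benign agent for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example.helper</string>
  <key>Program</key><string>/System/Library/CoreServices/example</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
# Where an Apple-branded agent's executable legitimately lives (assumption for this check).
APPLE_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")


def audit_launch_agent(plist_bytes):
    """Return a list of findings for one Launch Agent plist (empty if nothing suspicious)."""
    d = plistlib.loads(plist_bytes)
    label = d.get("Label", "")
    args = d.get("ProgramArguments") or []
    program = d.get("Program") or (args[0] if args else "")
    findings = []
    # DazzleSpy masquerades as Apple (com.apple.* label) while running from the home directory.
    if label.startswith("com.apple.") and not program.startswith(APPLE_PREFIXES):
        findings.append(f"Apple-style label {label!r} runs non-Apple binary {program!r}")
    # An executable under a dot-directory such as ~/.local is a common hiding spot.
    if any(part.startswith(".") for part in Path(program).parts):
        findings.append(f"binary lives in a hidden directory: {program}")
    # RunAtLoad plus KeepAlive makes launchd restart the implant whenever it exits.
    if d.get("RunAtLoad") and d.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive set: auto-restarting agent")
    return findings


def scan_launch_agents(directory):
    """Audit every *.plist in a LaunchAgents folder; returns {filename: findings}."""
    results = {}
    for path in Path(directory).glob("*.plist"):
        try:
            findings = audit_launch_agent(path.read_bytes())
        except Exception as exc:  # a malformed plist is itself worth a look
            findings = [f"could not parse: {exc}"]
        if findings:
            results[path.name] = findings
    return results
```

Run `scan_launch_agents(Path.home() / "Library/LaunchAgents")` on a Mac to triage user-level agents; findings are heuristics to review, not a verdict.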

Read more: https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/