Booby-trapped sites delivered potent new backdoor trojan to macOS users


Researchers have found a new, never-before-seen macOS malware that was installed using exploits that were almost impossible for most users to detect or stop once they landed on a malicious website.

The developers behind the software, which was written from scratch, have considerable resources and expertise. Researchers from security firm Eset have named it DazzleSpy because it provides an array of advanced capabilities that give attackers the ability to fully monitor and control Macs. Features include:

  • victim device fingerprinting
  • screen capture
  • file download/upload
  • terminal command execution
  • audio recording
  • keylogging

Deep pockets, top-notch talent

The universe of advanced macOS backdoors is smaller than that of advanced Windows backdoors, and the exploit chain used to install DazzleSpy is impressive; it doesn't seem to have a counterpart for Windows. Eset said that the people who developed DazzleSpy are unusual.

They seem to be targeting Macs only, according to an email from an Eset researcher. They have the resources to develop complex exploits and their own spyware, which is significant.

Researchers from the threat analysis group who first uncovered the exploits said that they believed the threat actor to be a well-resourced group with access to their own software.

The watering-hole attacks used both fake and hacked sites to lure pro-democracy activists in Hong Kong. The attackers were able to remotely execute code of their choice within seconds of a victim visiting the booby-trapped webpage. The only thing needed for the exploit to work was for someone to visit the malicious site. This was a one-click attack because no other user action was required.

It's kind of scary that on an unpatched system the malware would start running with administrative privileges without the victim noticing.

Apple patched the vulnerabilities that were used in the attack.

The exploit chain consisted of a vulnerability in the WebKit browser engine. The watering-hole site was taken down but remains in the Internet Archive. The site had a simple iframe tag that was connected to a page.