Researchers from ESET have detailed a new and impressive backdoor they named DazzleSpy. The research began in November 2021 after Google’s Threat Analysis Group (TAG) identified watering hole attacks targeting macOS users in Hong Kong. Three main vulnerabilities are used in the attack chain:
- CVE-2021-1789 – WebKit Exploit
- CVE-2021-30869 – Local Privilege Escalation
- CVE-2019-8526 – Local Privilege Escalation
ESET goes on to explain that “DazzleSpy is a full-featured backdoor that provides attackers a large set of functionalities to control, and exfiltrate files from, a compromised computer.” Depending on the macOS version it can dump iCloud Keychain contents, and it can also exfiltrate data, execute shell commands and run remote screen sessions, among other capabilities. The malware uses launchctl for persistence and drops a binary named softwareupdate into the .local folder of the user's home directory. Interestingly, the malware authors appear to have paid little attention to operational security, as a username appears in several file paths in the source.
A strong patch management program helps mitigate threats such as this: although a zero-day vulnerability appears in the attack chain, two of the three vulnerabilities have been patched through regular updates. The other common technique in this chain, using LaunchAgents for persistence, gives defenders an opportunity to identify malicious activity on a system, provided appropriate detections and alerting processes are in place. Referencing the MITRE ATT&CK matrix for macOS is a very effective starting point for defending macOS endpoints, as most attacks follow the same tactics, techniques and procedures (TTPs) in one form or another.
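One way to turn the LaunchAgents point above into a detection, as an added example that is not ESET's tooling or the malware's code: parse a per-user LaunchAgent plist and flag the traits the write-up describes (a binary named softwareupdate living in a hidden .local folder under the user's home). The plist content, its label, the user name and the clean comparison entry are all constructed for this example.

```python
"""Heuristic triage of per-user LaunchAgent plists (example code, not from ESET)."""
import plistlib
from pathlib import PurePosixPath
from typing import List, Optional

# Constructed sample of what a DazzleSpy-style LaunchAgent might look like.
# Label, user name and path are illustrative, not values from the ESET report.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.softwareupdate</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/.local/softwareupdate</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign entry for comparison: a normal app updater agent.
CLEAN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
    "RunAtLoad": True,
})


def program_path(plist: dict) -> Optional[str]:
    """Return the executable a LaunchAgent runs: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def triage(plist_bytes: bytes, plist_location: str) -> List[str]:
    """Return the reasons a LaunchAgent looks suspicious; an empty list means clean."""
    plist = plistlib.loads(plist_bytes)
    prog = program_path(plist)
    if prog is None:
        return ["no Program/ProgramArguments key"]
    reasons = []
    parts = PurePosixPath(prog).parts  # ('/', 'Users', 'alice', '.local', ...)
    # Executable stored in a hidden directory below a user's home, like ~/.local/
    if len(parts) > 3 and parts[1] == "Users" and any(p.startswith(".") for p in parts[3:-1]):
        reasons.append(f"program in hidden home directory: {prog}")
    # Mimics the name of Apple's real softwareupdate tool, which lives in /usr/sbin
    if PurePosixPath(prog).name == "softwareupdate" and not prog.startswith("/usr/sbin/"):
        reasons.append("binary named softwareupdate outside /usr/sbin")
    # Apple's own agents live in /System/Library/LaunchAgents, not in a user's folder
    label = plist.get("Label", "")
    if label.startswith("com.apple.") and "/Library/LaunchAgents/" in plist_location \
            and plist_location.startswith("/Users/"):
        reasons.append(f"Apple-style label {label!r} in user LaunchAgents")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (starts at login and restarts if killed)")
    return reasons
```

To use it on a live system, feed `triage()` the bytes of each file under `~/Library/LaunchAgents/` together with its path.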