Researchers from ESET have detailed a new and impressive backdoor they named DazzleSpy. The research began in November 2021 after Google’s Threat Analysis Group (TAG) identified watering hole attacks targeting macOS users in Hong Kong. Three main vulnerabilities are used in the attack chain:
- CVE-2021-1789 – WebKit Exploit
- CVE-2021-30869 – Local Privilege Escalation
- CVE-2019-8526 – Local Privilege Escalation
ESET goes on to explain that “DazzleSpy is a full-featured backdoor that provides attackers a large set of functionalities to control, and exfiltrate files from, a compromised computer.” Depending on the macOS version, it is able to dump iCloud Keychain contents, and it can also exfiltrate data, execute shell commands, and run remote screen sessions, among other capabilities. The malware uses launchctl for persistence and drops a binary named softwareupdate into the .local folder under the user's home directory. Interestingly, the malware authors appear to have paid little attention to operational security, as a username appears in a few file paths in the source.
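A defender reading the persistence details above will want a quick way to check a Mac for them. The script below is an added example written for this summary, not code from ESET or from the malware analysis; it hunts for the two indicators the write-up names (a user LaunchAgent whose program lives under `~/.local`, and an executable named `softwareupdate` in `~/.local`). It assumes the standard per-user LaunchAgents location (`~/Library/LaunchAgents`) and XML-format plists; the exact plist label DazzleSpy uses is not given here, so the check keys on the program path rather than on a file name.

```shell
#!/bin/sh
# Hunt for DazzleSpy-style persistence: a per-user LaunchAgent pointing into
# ~/.local, or a dropped binary ~/.local/softwareupdate.
# Assumptions (not from the write-up): the LaunchAgents directory is the
# standard ~/Library/LaunchAgents, and plists are stored as XML. Binary
# plists would need `plutil -convert xml1` before grepping.

# find_suspicious_agents DIR
#   Prints every .plist under DIR whose contents reference a program path
#   inside a ".local" directory. Returns 0 if at least one was found, 1 otherwise.
find_suspicious_agents() {
    dir="$1"
    found=1
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        # A legitimate LaunchAgent almost never launches something from ~/.local.
        if grep -q '/\.local/' "$plist" 2>/dev/null; then
            echo "$plist"
            found=0
        fi
    done
    return $found
}

# find_dropped_binary HOMEDIR
#   Prints HOMEDIR/.local/softwareupdate if it exists and is executable.
#   Returns 0 if found, 1 otherwise. (Apple's real softwareupdate lives in
#   /usr/sbin, never under a user's home directory.)
find_dropped_binary() {
    candidate="$1/.local/softwareupdate"
    if [ -x "$candidate" ]; then
        echo "$candidate"
        return 0
    fi
    return 1
}

# hunt [HOMEDIR]
#   Runs both checks against one home directory and prints a summary line.
#   Always returns 0 so it can be used in a larger inventory script.
hunt() {
    home="${1:-$HOME}"
    hits=0
    if find_suspicious_agents "$home/Library/LaunchAgents"; then
        hits=$((hits + 1))
    fi
    if find_dropped_binary "$home"; then
        hits=$((hits + 1))
    fi
    if [ "$hits" -eq 0 ]; then
        echo "no DazzleSpy-style persistence indicators found under $home"
    else
        echo "WARNING: $hits indicator(s) found under $home; review the paths above"
    fi
    return 0
}

# Usage: sh hunt_dazzlespy.sh [/Users/someone]   (defaults to the current user's home)
hunt "${1:-$HOME}"
```

Run it per user on a machine of interest (or loop over `/Users/*` as root). A hit on the first check is worth looking at even when the binary is absent: the LaunchAgent is what brings the implant back after reboot, so an orphaned plist still tells you something ran here.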