Security researchers have analyzed a now-patched malware attack that was used to compromise Mac devices belonging to Hong Kong pro-democracy activists in November.
The attacks took place in 2021 and relied on a "watering-hole" technique, which involves compromising websites that potential targets might be interested in. Google identified the threat in November 2021, after Apple had patched it in September of that year.
According to security researchers at ESET, the attack used several chains of iOS and macOS exploits to pull off the campaign, which granted root access to the attackers and allowed them to collect information on a victim's device.
The attack was deployed on pro-democracy websites, including a fake site possibly created by the attackers and a compromised website belonging legitimate Hong Kong radio station.
From there, the attack involves a complex WebKit exploit to gain code execution privileges in the browser. ESET notes that the exploit had more than 1,000 lines of code. Some of the code, which was commented out, suggests that the attack could have been deployable on both iOS and on newer iPhone models with Pointer Authentication Code security protections.
Once code execution was granted, the next stage of the attack leveraged an executable file object that exploited another vulnerability to get privilege escalation. This vulnerability granted the attackers root access to a device.
When the attackers gained root access, the next stage involved deploying DazzeSpy, a full-featured backdoor that allowed them to steal files from a computer, perform screen captures, execute commands in the terminal, and log keystrokes. It also gained persistence by adding a plist file to the LaunchAgents folder.
The DazzleSpy malware was also hardcoded to communicate to a single command and control server.
Given the complexity of the attack and the exploits used, ESET theorizes that the group behind it likely has "strong technical capabilities." Some of the internal error messaging and other artifacts were in Chinese, suggesting an origin in that country.
As mentioned earlier, Apple patched the flaw used in the attack on September 23, 2021.