fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New DazzleSpy Malware Targets MacOS users in Watering Hole Attack

New DazzleSpy Malware Targets MacOS users in Watering Hole Attack

A new watering hole attack has been discovered targeting macOS users and visitors of a pro-democracy radio station website in Hong Kong and infecting them with the DazzleSpy malware.

As detailed by researchers at ESET who have been investigating the campaign, it’s part of the same operation that Google’s Project Zero disclosed two weeks ago, which leveraged Chrome and Windows zero-days to hack into Windows and Android devices.

ESET’s report instead focuses on the exploitation of a WebKit flaw in the Safari web browser, essentially adding the final piece in the puzzle and confirming that the campaign targeted all major platforms.

Watering hole attacks involve the infection of a legitimate website with malware, targeting the demographic of that site, and in some cases, only specific IP addresses.

Also Read: What Does A Data Protection Officer Do? 5 Main Things

Targeting activists

Based on the websites used to propagate the exploits, the campaign targets freedom of speech advocates, independence, and political activists.

The central Chinese administration has been restricting political rights and special privileges enjoyed by citizens of Hong Kong in recent years, and allegations of spying activists have been abundant.

This is not the first time the Chinese state has been accused of conducting aggressive surveillance against minorities by using malware deployed through watering hole attacks.

In this case, one of the websites that dropped exploits to unsuspecting victims is that of the D100 internet radio, a pro-democracy station that fosters anti-Beijing sentiments.

Website of D100 radio
Website of D100 radio

The other example is a fake website that attempted to lure liberation activists using the “fightforhk[.]com” domain that was only registered in October 2021.

Also Read: The DNC Registry Singapore: 5 Things You Must Know

Fake activists portal
Fake activists portal
Source: ESET

The macOS exploit chain

Both of these websites, and possibly more, feature a malicious iframe that points to a domain that checks the macOS version and redirects to the next stage, which loads the exploit JavaScript code.

Malicious iframe that triggers the beginning of the exploit
Malicious iframe that triggers the beginning of the exploit
Source: ESET

The exploit targets CVE-2021-1789, an arbitrary code execution flaw triggered when processing web content and affects Safari versions below 14.1.

“The exploit relies on a side effect caused by modifying an object property to be accessible via a “getter” function while enumerating the object’s properties in JIT-compiled code,” explains ESET’s report

“The JavaScript engine erroneously speculates that the value of the property is cached in an array and is not the result of calling the getter function.”

The exploit implements two primitives (‘addrof’ and ‘fakeobj’) to gain memory read and write access, while it also contains code that helps bypass mitigations like ‘Gigacage’ and loads the next stage.

The next step is a privilege escalation to root, taking place through a Mach-O file loaded into memory and executed.

The vulnerability exploited to achieve privilege escalation is CVE-2021-30869, which enables an app to execute arbitrary code with kernel privileges.

In summary, the executed Mach-O does the following:

  • Downloads a file from the URL supplied as an argument
  • Decrypts this file using AES-128-EBC and TEA with a custom delta
  • Writes the resulting file to $TMPDIR/airportpaird and makes it executable
  • Uses the privilege escalation exploit to remove the com.apple.quarantineattribute from the file to avoid asking the user to confirm the launch of the unsigned executable
  • Uses the same privilege escalation to launch the next stage with root privileges

DazzleSpy

The final step in the process is to drop DazzleSpy, a feature-rich backdoor that includes a wide range of malicious capabilities.

DazzleSpy establishes persistence on the compromised system by adding a new Property List file to the ‘LaunchAgents’ folder. Its executable hides in $HOME/.local/ under the misleading name ‘softwareupdate’.

New Property List entry
New Property List entry
Source: ESET

The malware features a hardcoded C2 server address and can accept several commands from it, with the most important being:

  • info – Collect system information like IP address and Wi-Fi SSID.
  • ScanFiles – Enumerate files in Desktop, Downloads, and Documents folders
  • cmd – Execute shell command
  • RDP – Start a remote screen session
  • downloadFile – Exfiltrate a file from the system
  • processInfo – Enumerate running processes
  • acceptFile – Writes a file to disk

ESET comments that the DazzleSpy contains several artifacts resulting from sloppy code writing and disregard for operational security.

There are plenty of clues that point to the backdoor’s origin, like the internal error messages, which are written in Chinese, and the conversion of the exfiltrated timestamps to the China Standard Time zone before reaching the C2.

Internal error message in Chinese
Internal error message in Chinese
Source: ESET

Finally, DazzleSpy features end-to-end encryption in its communications, and if a middle-man inserts a TLS-inspection proxy in-between, it stops sending data to the C2.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us