Pro-democracy org hijacked to become macOS spyware distributor
Researchers have reportedly uncovered a new strain of macOS malware being distributed in attacks against visitors to a Hong Kong pro-democracy radio station's website. The site was used to stage a watering hole-style attack: it served a Safari browser exploit to visitors, and that exploit deployed and executed the malware on victim machines. ESET has been investigating the attacks, dubbed DazzleSpy, and reports that the malware is a backdoor used to conduct surveillance on an infected Mac. ESET's investigation goes hand in hand with research conducted by Google's Threat Analysis Group (TAG). Earlier this year, TAG reported detecting watering hole attacks on media outlet and pro-democracy websites, primarily targeting Hong Kong residents.
In addition, the security researchers report that the attack leverages an XNU privilege escalation vulnerability in macOS Catalina, which leads to the malware's execution. Apple has since patched the vulnerability to limit the threat the flaw poses to its customers. ESET has provided an explanation of the additional attack vectors used by the cybercriminals, as well as of the exploit itself. The target in question is the pro-democracy online radio station D100, which was reportedly compromised to deliver the payload between September 40 and November 4.