ESET Reveals A New Spyware

ESET Research Unit discovered macOS malware DazzleSpy, which spies on visitors to a pro-democracy news site in Hong Kong.

A watering hole attack has been found on the news website of a pro-democracy radio station in Hong Kong, according to the ESET research team. The attackers use a Safari exploit that installs the DazzleSpy cyber-espionage malware on the Mac computers of visitors to the site. The targets are thought to be politically active, pro-democracy individuals in Hong Kong. The vulnerability is also present in iOS, including devices such as the iPhone XS and newer models. The DazzleSpy payload is capable of performing many cyber-espionage actions, and ESET Research says the group behind this operation has strong technical skills.

ESET researchers discovered that the news website of Hong Kong pro-democracy radio station D100 was hacked to embed a Safari exploit that installs cyber-espionage malware on the Mac computers of visitors to the site. The malware delivered to the site’s vulnerable visitors is a previously unknown macOS malware, which ESET has dubbed DazzleSpy. The malicious code is able to collect a wide range of sensitive and personal information.

The first report of watering hole attacks targeting Safari web browsers on macOS was published by Google last October. ESET researchers were investigating the attacks at the same time as Google; they also uncovered further details about the targets and the malware used to infiltrate victims’ operating systems. ESET has confirmed that the patch identified by the Google team fixes the Safari vulnerability used in the attacks.

Marc-Étienne Léveillé, who researched the watering hole attack, says: “The program that enables code execution in the browser is very complex and contains more than 1,000 lines of code. Some of the code has also been found in iOS, including devices such as the iPhone XS and newer models. It’s interesting to see that he got it.”

This campaign is similar to one that took place in 2020, in which the LightSpy iOS malware was distributed in the same way. Both campaigns use iframe injection on websites to direct Hong Kong citizens to a WebKit exploit.

The DazzleSpy payload is capable of performing many cyber-espionage actions. It can collect information about the compromised computer, search for specific files, scan the files in the Desktop, Downloads and Files folders, execute given shell commands, remotely start or end a screen session, and write a given file to disk.

Given the complexity of the exploits used in this campaign, ESET Research concluded that the group behind this operation has strong technical skills. ESET also found it notable that DazzleSpy uses end-to-end encryption, so it will not communicate with its command and control (C&C) server if someone attempts to eavesdrop on the unencrypted transmission.

Another interesting finding about this threat actor is that the malware converts the current date and time captured on the compromised computer to the Asia/Shanghai time zone (also known as China Standard Time) before sending it to the C&C server. DazzleSpy also contains many internal messages written in Chinese.
