DazzleSpy attacks visitors to pro-democracy news site

B2B Cyber Security ShortNews


ESET researchers analyze a special macOS spyware: DazzleSpy targets visitors to a pro-democracy news site in Hong Kong. A browser exploit runs when the site is visited and implants the spyware on the visitor's Mac.

The website of Hong Kong radio station D100 was compromised. A Safari exploit delivered from the site installs spyware on the Macs of visitors to the news portal. The "watering hole" operations carried out by the attackers indicate that the targets are likely politically active, pro-democracy figures in Hong Kong. The ESET researchers have named the spy program DazzleSpy and examined it in more detail. The malware is capable of collecting a wide range of sensitive and personal information.

Targeted watering hole operations

“The exploit used to execute code in the browser is quite complex, involving more than 1,000 lines of code. Interestingly, some of them suggest that the vulnerability could also be exploited on iOS. This would then also affect devices like the iPhone XS and newer variants,” says Marc-Étienne Léveillé, malware researcher at ESET who investigated the watering hole attack.

The first report on the watering hole attacks leading to exploits for the Safari web browser on macOS was published by Google last November. ESET researchers investigated the attacks at the same time as Google and have uncovered additional details about the targets and the malware used to compromise victims. The vulnerability has now been patched.

This campaign shares similarities with the 2020 iOS malware campaign LightSpy. There, visitors to a Hong Kong website were directed to a WebKit exploit through an HTML iframe element.

DazzleSpy collects information about its targets

The DazzleSpy spyware is capable of performing a variety of actions. The malware can collect information about the compromised computer, search for specific files, scan files in the Desktop, Downloads, and Documents folders, execute bundled shell commands, start or end a remote screen session, and write a bundled file to disk.

Given the complexity of the exploits used in this campaign, ESET researchers concluded that the group behind this operation has high technical capabilities. Also interesting is that DazzleSpy enforces end-to-end encryption. As a result, the malware refuses to communicate with its command and control (C&C) server if someone tries to eavesdrop on the transmission.

Another interesting finding about the hackers behind DazzleSpy is that once the malware obtains the current date and time on a compromised computer, it converts the captured date to the Asia/Shanghai time zone before sending it to the C&C server. In addition, the DazzleSpy malware contains a number of Chinese-language internal messages.

More at ESET.com

About ESET

ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.
