OSX.DazzleSpy is a new macOS implant targeting Hong Kong pro-democracy websites. It affects the Safari browser on macOS and it’s used for cyber espionage. Researchers Marc-Etienne M.Léveillé and Anton Cherepanov of ESET published the report. It affects versions of Safari prior to 14.1.
DazzleSpy Mac Malware
Felix Aimé from SEKOIA.IO discovered that one of the websites used to spread the exploit was a fake website targeting Hong Kong activists. The page hosted on the malicious amnestyhk[.]org domain checks the installed macOS version and redirects to the next stage only if the browser is running on macOS 10.15.2 or newer. The next stage, named 4ba29d5b72266b28.html, loads the JavaScript containing the exploit code, mac.js.
The exploit is complex with over 1,000 lines of code. It appears that some code that could have targeted iOS such as the iPhone XS and newer was commented out. A patch identified by Google TAG does fix the vulnerability. The payload delivered to vulnerable visitors to the D100 site was new macOS malware dubbed DazzleSpy.
DazzleSpy is a full-featured backdoor that provides attackers a large set of functionalities to control, and exfiltrate files from, a compromised computer. DazzleSpy connects to a hardcoded C&C server; the IP address and port found in the sample was 88.218.192[.]128:5633. At first, the malware performs a TLS handshake, then uses a custom protocol to exchange JSON objects to deliver commands from the C&C server to compromised Macs.
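The two network indicators this write-up gives (the amnestyhk[.]org watering-hole domain and its second-stage page, and the hardcoded 88.218.192[.]128:5633 C&C endpoint) are enough for a simple log sweep. The following Python is an added example written for this page, not code from ESET or SEKOIA.IO; the key=value log format and the sample records are constructed for illustration.

```python
from dataclasses import dataclass

# Indicators taken from the report above (defanging brackets removed for matching).
C2_IP = "88.218.192.128"
C2_PORT = 5633
WATERING_HOLE_DOMAIN = "amnestyhk.org"
STAGE2_PATH = "4ba29d5b72266b28.html"

# Constructed sample log lines (not real traffic) in a simplified key=value format:
# "http" records from a web proxy and "conn" records from a flow/firewall log.
SAMPLE_LOGS = """\
type=http src=10.0.0.12 host=amnestyhk.org path=/ status=200
type=http src=10.0.0.12 host=amnestyhk.org path=/4ba29d5b72266b28.html status=200
type=conn src=10.0.0.12 dst=88.218.192.128 dport=5633 proto=tcp
type=conn src=10.0.0.13 dst=88.218.192.128 dport=443 proto=tcp
type=conn src=10.0.0.14 dst=93.184.216.34 dport=443 proto=tcp
"""


@dataclass
class Hit:
    src: str      # internal host that produced the matching record
    reason: str   # which indicator matched


def parse_line(line):
    """Split a 'k=v k=v ...' record into a dict (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.split())


def scan(log_text):
    """Return one Hit per record that matches a DazzleSpy indicator, in log order."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        src = rec.get("src", "?")
        if rec.get("type") == "http":
            host = rec.get("host", "").lower()
            if host == WATERING_HOLE_DOMAIN or host.endswith("." + WATERING_HOLE_DOMAIN):
                reason = "watering-hole domain"
                if rec.get("path", "").endswith(STAGE2_PATH):
                    reason = "exploit second-stage page"   # higher-confidence: exploit delivered
                hits.append(Hit(src, reason))
        elif rec.get("type") == "conn" and rec.get("dst") == C2_IP:
            if int(rec.get("dport", 0)) == C2_PORT:
                hits.append(Hit(src, "DazzleSpy C&C ip:port"))
            else:
                hits.append(Hit(src, "DazzleSpy C&C ip (other port)"))  # lower confidence
    return hits
```

A host that appears under both "exploit second-stage page" and "DazzleSpy C&C ip:port" (10.0.0.12 in the sample) has followed the full infection chain described above and should be prioritised for a forensic look.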
The malware uses a self-signed certificate to protect its communications from eavesdropping, and it refuses to send any data if end-to-end encryption cannot be established. The team shared the list of commands accepted from the C&C server. One command, called “info”, collects:
- Hardware UUID and Mac serial number
- Username
- Information about disks and their sizes
- macOS version
- Current date and time
- Wi-Fi SSID
- IP addresses
- Malware binary path and MD5 hash of the main executable
- Malware version
- System Integrity Protection status
- Current privileges
- Whether it’s possible to use CVE-2019-8526 to dump the keychain
This DazzleSpy campaign has similarities with one from 2020 where LightSpy iOS malware (described by TrendMicro and Kaspersky) was distributed the same way.