A watering-hole attack on Hong Kong websites was infecting site visitors with novel Mac malware that could steal data, record audio and more, revealed researchers with Google's Threat Analysis Group (TAG).
Watering-hole attacks aim to compromise a specific group of users by infecting websites they typically visit and luring them to the malicious site. This particular attack leveraged an XNU privilege-escalation vulnerability (CVE-2021-30869) that led to the installation of a previously unreported backdoor on victims' systems. While at the time of attack (late August) the vulnerability was unpatched in macOS Catalina, Apple fixed the flaw in a Sept. 23 security update.
Erye Hernandez, researcher with Google TAG, said the watering-hole attacks impacted websites for an unnamed media outlet and a prominent pro-democracy labor and political group. It's not clear how websites were initially compromised. When they obtained the exploit chain, researchers found a parameter recording the number of exploitation attempts, revealing over 200 attempts.
“Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code,” said Hernandez in a Thursday analysis.
The compromised websites contained two iframes that served exploits from an attacker-controlled server: one for iOS and one for macOS. Researchers were unable to uncover the full exploit chain for iOS; however, they discovered that it leveraged a type confusion issue (CVE-2019-8506) to achieve code execution in Safari. Researchers also found that the exploit chain utilized Ironsquirrel, which is an open-source framework that delivers encrypted browser exploits to the victim’s browser. Ironsquirrel was previously seen by researchers with Volexity in watering-hole attacks in 2019 that targeted Apple iOS devices.
The macOS exploit, meanwhile, used a different framework than Ironsquirrel. In this attack, researchers observed a simple HTML page loading two scripts. The first loading script was used for the exploit chain. This exploit chain combined a remote code execution flaw in WebKit (CVE-2021-1789), previously patched on Jan. 5, and the local-privilege escalation vulnerability (CVE-2021-30869) in XNU, an operating system kernel developed by Apple. The latter flaw stems from a type confusion issue that could allow malicious applications to execute arbitrary code with kernel privileges.
The other loading script was for the public tool Capstone.js, a JavaScript port of the Capstone disassembler framework. While Capstone is typically used for binary analysis, the attackers here used it to search memory for the addresses of dlopen and dlsym. After the WebKit RCE succeeded, an embedded Mach-O binary was loaded into memory, and the dlopen and dlsym addresses found with Capstone.js were used to patch that in-memory Mach-O.
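The compromise on the site side amounted to injected iframes and script tags sourced from an attacker-controlled server. The following added example (not code from Google TAG or from the article) shows the integrity check a site operator could run periodically to surface such injections: it parses a page and reports every iframe or script whose host is not on the site's own allowlist. The hostnames and the sample page are constructed for the example.

```python
"""Audit a page's <iframe> and <script> sources against an allowlist of origins."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins this site legitimately loads from (an assumption for the example).
ALLOWED_ORIGINS = {"www.example-news.test", "cdn.example-news.test"}


class SourceCollector(HTMLParser):
    """Collect the src attribute of every iframe and script tag."""

    def __init__(self):
        super().__init__()
        self.sources = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def find_foreign_sources(html, allowed=ALLOWED_ORIGINS):
    """Return (tag, src) pairs whose host is outside the allowlist.

    Relative URLs (no host part) are same-origin and are skipped;
    protocol-relative URLs ("//host/path") are resolved to their host.
    """
    parser = SourceCollector()
    parser.feed(html)
    suspicious = []
    for tag, src in parser.sources:
        host = urlparse(src).netloc.split("@")[-1].split(":")[0].lower()
        if host and host not in allowed:
            suspicious.append((tag, src))
    return suspicious


# Constructed sample page: one legitimate script, one injected script and the
# two injected iframes (one per platform) described in the article.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-news.test/js/site.js"></script>
<script src="https://cdn.attacker.test/capstone.min.js"></script>
</head><body>
<iframe src="https://cdn.attacker.test/ios/" width="0" height="0"></iframe>
<iframe src="//cdn.attacker.test/macos/" style="display:none"></iframe>
<script src="/js/local.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, src in find_foreign_sources(SAMPLE_HTML):
        print(f"foreign {tag}: {src}")
```

Run against a saved copy of each landing page and diff the output over time; a new host appearing is the signal worth investigating.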
The attack delivered Mac malware called OSX.CDDS (so named due to its tasking strings), which was loaded in the background of victims’ machines via launchctl.
“The payload seems to be a product of extensive software engineering,” Hernandez said. “It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2.”
The malware also contains several components, some of which seem to be configured as modules, for carrying out functionalities. These capabilities include victim device fingerprinting, screen capture, file download and upload, executing terminal commands, audio recording and keylogging.
In deep-dive research into a 2021 implant sample of OSX.CDDS, Mac security researcher Patrick Wardle found that the malware drops a new tool called kAgent, a simple keylogger that leverages event taps via the Core Graphics framework - a mechanism also used by certain types of keylogging and accessibility software - in order to intercept user keystrokes. Wardle noted that the implant “currently remains undetected by all of the anti-virus engines on VirusTotal.”
Apple flaws have previously been leveraged as part of watering-hole attacks, including the discovery by Google of hacked sites in 2019 being used in watering-hole attacks against their visitors, using an iPhone zero-day.