Now-Patched DazzleSpy Mac Malware Allowed Screen Captures, Root Privileges, More

BY Chandraveer Mathur

Published 27 Jan 2022

Earlier this week, Apple paid a cybersecurity student a record-high bug bounty for discovering an iCloud and Safari vulnerability that allowed bad actors to hack webcams and subsequently attack Apple devices. Although the company has since patched the vulnerability, cybersecurity experts have now shared details about the remarkably similar DazzleSpy Mac malware that was found operating in the wild.

The DazzleSpy malware was essentially a watering hole attack seemingly used by Chinese entities to target democracy activists in Hong Kong. First discovered by researchers at ESET, the malware was subsequently documented by the Google Threat Analysis Group (TAG).

DazzleSpy is categorized as a watering hole attack because it is deployed where targets with shared interests gather online. The gathering could be in chat groups, forums, and on websites. In this instance, the malware targeting Macs was initially propagated through a fake pro-democracy website and later through a real one.

When TAG made information about DazzleSpy public in November, it noted that the malware was distributed through the Hong Kong websites of a media outlet (The D100 radio station’s website) and an established pro-democracy political group. It added that the attack exploited a privilege escalation vulnerability in macOS Catalina to install a then-unreported backdoor.

[Image: A fake website used to distribute the DazzleSpy malware]

In a detailed blog post, ESET researchers explain that the malware was scripted in over 1,000 lines of code. It first downloaded a file from the website URL supplied to it as an argument. It then decrypted that file and wrote the contents to a temporary directory to create an executable. Next, it used the privilege escalation exploit to strip specific file attributes from the executable, so that user consent was not required to launch the unsigned binary. Finally, it launched the executable with root privileges.
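The following is an added defender-side example, not code from the article, ESET or TAG: a small Python triage routine for the staging pattern the chain above describes (an executable written to a temporary directory with its quarantine attribute removed so that no consent prompt appears). It assumes macOS's documented `com.apple.quarantine` attribute and an assumed list of staging directories; the file-system helpers are injectable so the logic can be exercised on constructed input.

```python
import os
import stat
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional

# macOS sets this extended attribute on downloaded files; Gatekeeper's consent
# prompt only appears while it is present. This is a documented macOS attribute
# name, not a value taken from the article.
QUARANTINE_XATTR = "com.apple.quarantine"
# Mach-O magic numbers: 32/64-bit in both byte orders, plus fat binaries.
MACHO_MAGIC = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
# Temporary locations a dropper is likely to stage a payload in (assumption).
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def assess(path: str, mode: int, header: bytes, xattrs: Iterable[str]) -> Optional[Finding]:
    """Return a Finding when `path` is an executable staged in a temp dir without quarantine."""
    is_exec = stat.S_ISREG(mode) and bool(mode & 0o111)
    is_macho = header[:4] in MACHO_MAGIC
    if not (is_exec or is_macho):
        return None  # nothing the OS would run; ignore
    if not path.startswith(STAGING_DIRS):
        return None  # outside the staging locations this check covers
    if QUARANTINE_XATTR in set(xattrs):
        return None  # still quarantined, so Gatekeeper would prompt the user
    reasons = ["executable staged in a temporary directory", "quarantine attribute missing"]
    if is_macho:
        reasons.append("Mach-O binary")
    return Finding(path, reasons)


def _read_magic(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read(4)


def scan(paths: Iterable[str],
         stat_fn: Callable[[str], object] = os.lstat,
         read_header: Callable[[str], bytes] = _read_magic,
         list_xattrs: Callable[[str], List[str]] = getattr(os, "listxattr", lambda p: [])) -> List[Finding]:
    """Apply `assess` to each path; helpers are injectable for offline testing."""
    findings: List[Finding] = []
    for p in paths:
        try:
            f = assess(p, stat_fn(p).st_mode, read_header(p), list_xattrs(p))
        except OSError:
            continue  # unreadable or vanished files are skipped, not flagged
        if f:
            findings.append(f)
    return findings
```

Run `scan` over a file list gathered from the real staging directories on a Mac to triage candidates; a hit is a starting point for inspection, not proof of compromise.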

Once the bad actors had root-level access to the victim's computer, the injected malware allowed them to search for files, enumerate them, and exfiltrate them, in addition to routine file operations such as renaming, deleting, and moving. The malware also allowed remote initiation and termination of screen-sharing sessions. The attackers could also execute shell commands and write further malicious files to the victim's storage.

Based on DazzleSpy's code, Google's team speculated that the threat actor was a "well-resourced group" with access to a dedicated software engineering team. ESET found Chinese-language text in the code. DazzleSpy also converted the timestamps in the victim's information to Shanghai's time zone, corroborating Google's speculation that the group was probably Chinese and state-backed.

Thankfully, Apple has patched these vulnerabilities. Yet again, intrusive malware like DazzleSpy serves as a reminder to ensure you're running the latest versions of iOS and macOS. The updates may contain critical security fixes that safeguard your privacy and data.