Google’s Threat Analysis Group (TAG) discovered that cybercriminals targeting visitors to Hong Kong sites were exploiting a previously unknown, or zero-day, bug in macOS to snoop on them.
Apple fixed the flaw, tracked as CVE-2021-30869, in a macOS Catalina update in September, almost a month after Google TAG researchers discovered it.
“A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild,” Apple said in its advisory, which credited Google TAG researchers with the discovery.
Google has now supplied further details, describing it as a “watering hole” attack, in which attackers pick the websites they compromise based on the profile of those sites’ typical visitors. The attacks targeted both Mac and iPhone users.
“The websites leveraged for the attacks contained two iframes which served exploits from an attacker-controlled server — one for iOS and the other for macOS,” said Erye Hernandez of Google TAG.
The watering hole exploited an XNU privilege escalation flaw that was still unpatched in macOS Catalina at the time, and ultimately dropped a backdoor on the victim’s machine.
“We believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code,” he added.
The attackers used the previously disclosed XNU flaw, CVE-2020-27932, together with a similar exploit to build an elevation-of-privilege chain that granted them root on the targeted Mac.
Once the attackers had root access, they installed a payload that ran silently in the background on affected Macs. According to Google TAG, the malware’s architecture points to a well-resourced adversary.
“The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2. It also has several components, some of which appear to be configured as modules,” notes Hernandez.
The backdoor had the capabilities typical of malware built to spy on a victim: device fingerprinting, screen capture, uploading and downloading files, and executing terminal commands. In addition, it could record audio and log keystrokes.
Google did not name the websites that were compromised, but said they included a “media outlet and a prominent pro-democracy labor and political group” covering Hong Kong affairs.