Select Page

A previously undocumented cyber-espionage malware aimed at Apple’s macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong.

Slovak cybersecurity firm ESET attributed the intrusion to an actor with “strong technical capabilities,” calling out the campaign’s overlaps to that of a similar digital offensive disclosed by Google Threat Analysis Group (TAG) in November 2021.

The attack chain involved compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, to inject malicious inline frames (aka iframes) between September 30 and November 4, 2021. Separately, a fraudulent website called “fightforhk[.]com” was also registered for the purpose of luring liberation activists.

In the next phase, the tampered code acted as a conduit to load a Mach-O file by leveraging a remote code execution bug in WebKit that was fixed by Apple in February 2021 (CVE-2021-1789). “The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely,” ESET researchers said.

The success of the WebKit remote code execution subsequently triggers the execution of the intermediate Mach-O binary that, in turn, exploits a now-patched local privilege escalation vulnerability in the kernel component (CVE-2021-30869) to run the next stage malware as a root user.

images from Hacker News