This tactic is being used in Asia to target pro-democracy activists. According to initial reports, several pro-democracy sites were either created or compromised for the explicit purpose of installing malware that would spy on the visitor's activities. The attack chain is simple: a poisoned iframe is inserted into a site. The link in the iframe checks the version of macOS to see whether it is 10.15.2 or newer; if it is, a JavaScript exploit is run.
While the injection method is simple, the exploit for WebKit (Safari versions 14.0 and older) is not. According to the ESET researchers, the exploit they observed is around 1,000 lines of code. The payload builds two primitives to gain read/write access to memory: one (addrof) leaks the address of an object, and the other creates a fake JavaScript object. The two arrays overlap in memory, so a value set in one becomes an access pointer when read through the other. Leveraging existing functions in the way JIT (Just In Time) compiled code gets enumerated, the malware can move on to the next stage. The next stage of the attack elevates privileges to root so that the final payload can be delivered and persistence set up.
In the case of the researchers at ESET, they found a backdoor (DazzleSpy) that allows a significant level of control over the target system. It maintains persistence by adding a plist (property list file) named com.apple.softwareupdate.plist to the LaunchAgents folder.
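As an added defender-side example (not code from the ESET report or from this post), the check below scans a LaunchAgents folder for the persistence pattern just described: a job carrying an Apple-style com.apple.* name whose program runs from somewhere Apple would not place it. The Apple path prefixes and the two sample plists are constructed assumptions; only the file name com.apple.softwareupdate.plist comes from the campaign.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumed locations of genuine Apple-owned launchd programs; tune to your fleet.
APPLE_PATH_PREFIXES = ("/System/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/")

def program_of(plist):
    """Executable a launchd job would run (Program, else ProgramArguments[0])."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments")
    return str(args[0]) if isinstance(args, list) and args else None

def suspicious_launch_agents(plist_dir):
    """Flag com.apple.* jobs in a LaunchAgents folder whose program lives outside
    Apple-owned paths. Apple does not ship per-user LaunchAgents under that
    prefix, so such a file deserves a closer look. Returns (filename, reason)."""
    findings = []
    for path in sorted(Path(plist_dir).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # a malformed plist in LaunchAgents is itself notable
            findings.append((path.name, f"unparseable plist: {exc}"))
            continue
        label = str(data.get("Label", ""))
        if not (label.startswith("com.apple.") or path.name.startswith("com.apple.")):
            continue
        program = program_of(data)
        if program is None:
            findings.append((path.name, "Apple-style label but no program to run"))
        elif not program.startswith(APPLE_PATH_PREFIXES):
            findings.append((path.name, f"Apple-style label runs {program}"))
    return findings

def demo():
    """Constructed sample folder: one masquerading agent, one ordinary vendor agent."""
    samples = {  # file name from the campaign; program paths are invented
        "com.apple.softwareupdate.plist": {"Label": "com.apple.softwareupdate",
            "ProgramArguments": ["/Users/victim/Library/.cache/softwareupdate"]},
        "com.example.updater.plist": {"Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(Path(tmp) / name, "wb") as fh:
                plistlib.dump(body, fh)
        return suspicious_launch_agents(tmp)
```

Run it against ~/Library/LaunchAgents on a real Mac by calling suspicious_launch_agents with that path; a genuine Apple job would not normally be found there at all.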
Overall, this looks like a sophisticated yet quickly implemented campaign targeting pro-democracy individuals. The watering hole technique makes the targeting very clear, while the sophistication of the malware shows that this is potentially a technically advanced group (possibly state-level). Even though this campaign did not appear to be used outside of a particular region and target group, it shows the level of control that can be gained through two distinct vulnerabilities inside macOS. Fortunately, Apple has already released patches to fix the vulnerabilities used in both the WebKit exploit and the privilege escalation exploit. If you have not patched or updated your OS, we highly recommend you do so now.