Mac Zero-Day Alert: Watering Hole Attacks in the WildHong Kong Users of macOS and iOS Targeted by a New Backdoor Malware
Google’s Threat Analysis Group has released details of a watering hole campaign targeting a macOS zero-day exploit chain to install a never-before-seen malware on devices of users visiting "Hong Kong websites of a media outlet and a prominent pro-democracy labor and political group," says Erye Hernandez of Google Threat Analysis Group in her security blog post for Google TAG.
Apple patched this zero-day vulnerability tracked as CVE-2021-30869 in the macOS for Catalina, Big Sur 11.2 and Mojave, iOS 12.5.5, on Sept. 23. This was about a month after Google TAG researchers Hernandez and Clément Lecigne, along with Ian Beer of Google Project Zero, discovered it was being exploited in the wild. "Apple is aware of reports that an exploit for this issue exists in the wild," the company acknowledged in its security update release note.
Google and Apple have not attributed this campaign to any of the known threat actors, but analyzing the quality of the payload code used during the campaign, the threat actor(s) are "likely state-backed" and a well-resourced group, Hernandez says
The Exploit Chain
If exploited, "a malicious application may be able to execute arbitrary code with kernel privileges," was the only description that Apple mentioned in its the security update. But Google has now clarified that the vulnerability was actually a "watering hole" attack campaign specifically targeting macOS and iOS users.
The exploit chain included a remote code execution flaw in the WebKit exploiting CVE-2021-1789, which was originally patched on Jan. 5, 2021, months before the discovery of this campaign. This RCE coupled with the zero-day local privilege escalation in XNU vulnerability completed the exploit chain.
Beer had analyzed a similar port-type confusion vulnerability in the XNU kernel now tagged under CVE-2020-27932, in October 2020. He realized that the initial exploit in the current exploit chain was a variant of his previously fixed flaw, says Hernandez, who adds that an exact exploit was presented by Pangu Lab in a public talk at zer0con21 in April 2021 and the Mobile Security Conference - or MOSEC - in July 2021.
Pangu Lab has not yet responded to Information Security Media Group's request for comment on whether it reported the vulnerability to Apple.
The exploits were observed leveraging malicious websites through two iframes from an attacker-controlled server, Hernandez says. Of these, one was used for iOS and the other for macOS, he adds.
On successful execution of the exploit chain, a threat actor can execute arbitrary code with kernel privileges in macOS Catalina, Apple says. Once the attackers have gained these unrestricted privileges, they download a payload on the victim's machine that runs in the background without raising any alerts, Hernandez says.
Before initiating the malware installation process, the payload checks which version of macOS - Mojave (10.14) or Catalina - is running on the target device, indicating that the attack was designed to target macOS Mojave as well, Hernandez says. When Google TAG researchers visited a rigged site using Mojave, he adds, they only saw "remnants of an exploit," but they received the entire non-encrypted exploit chain when they browsed the site with Catalina.
The downloaded payload is then run on the victim's machine through launchctl, a service management framework for macOS. "Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. Adversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons," according to The MITRE Corp.
The payload or the backdoor malware, dubbed "MACMA" by Google TAG researchers, has never been seen before, Hernandez says. "[It] seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service - or DDS - framework for communicating with the command-and control-servers."
The backdoor has several components, but some of the most noteworthy ones observed by the Google TAG researchers include victim device fingerprinting, screen capture, file download and upload, executing terminal commands, audio recording, and keylogging.
Patrick Wardle, an Apple security expert who independently analyzed this malware in detail - he calls it "OSX.CDDS" - confirmed these backdoor features too. He says that a version of the malware drops a new tool named "kAgent" [SHA-1: D811E97461741E93813EECD8E5349772B1C0B001] into the "~/Library/Preferences/Tools" directory. This tool is "a simple keylogger that leverages Core Graphics Event Taps to intercept user keystrokes," Wardle says.
The Google TAG researchers have noted a host of indicators of compromise, including the IP addresses of the C2 servers and the list of websites leveraged for the attacks, in their security blog, and the Google search engine giant has added this list of 10 URLs used for the malware's delivery to its blacklisting service Safe Browsing. Those who try to access the website receive a warning saying: "The site ahead contains a malware."
"Attackers currently on [website name] might attempt to install dangerous programs on your computer that steal or delete your information (for example, photos, passwords, messages, and credit cards)," says the warning message on one of the URLs that ISMG editors viewed.