0-day in macOS used to deploy spyware as part of a watering hole campaign against website visitors in Hong Kong

Overview

Google’s Threat Analysis Group (TAG) has reported a campaign targeting visitors to pro-democracy and news websites in Hong Kong. The threat actor, which Google assesses is likely state-backed, used two different exploit chains, one targeting macOS and one targeting iOS, to install spyware on victims’ devices.

The macOS exploit chain combined a WebKit exploit (CVE-2021-1789), patched in January, with an XNU exploit (CVE-2021-30869), patched in September and reported previously.

The iOS exploit chain was encrypted with the IRONSQUIRREL framework, so TAG was unable to analyse it fully, but an exploit for CVE-2019-8506 (patched in iOS 12.2) was observed.

Impact

Vulnerable visitors to the websites would have their devices infected with malware capable of the following:
– Recording audio
– Logging keystrokes
– Fingerprinting the device
– Capturing the screen
– Uploading and downloading files
– Running terminal commands

Affected Products

macOS Mojave (10.14) or Catalina (10.15)
iOS < 12.2

Indicators of Compromise

JavaScript

cbbfd767774de9fecc4f8d2bdc4c23595c804113a3f6246ec4dfe2b47cb4d34c (capstone.js)
bc6e488e297241864417ada3c2ab9e21539161b03391fc567b3f1e47eb5cfef9 (mac.js)
9d9695f5bb10a11056bf143ab79b496b1a138fbeb56db30f14636eed62e766f8

Sandbox escape / LPE

8fae0d5860aa44b5c7260ef7a0b277bcddae8c02cea7d3a9c19f1a40388c223f
df5b588f555cccdf4bbf695158b10b5d3a5f463da7e36d26bdf8b7ba0f8ed144

Backdoor

cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8 (2021 sample)
f0b12413c9d291e3b9edd1ed1496af7712184a63c066e1d5b2bb528376d66ebc (2019 sample)

C2

123.1.170.152
207.148.102.208
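An added example, not from this bulletin or from Google TAG, showing how a defender can sweep a directory for the file hashes listed above and scan proxy log lines for the listed C2 addresses. The directory layout, file contents, the stand-in hash entry and the log lines are all constructed for the demonstration.

```python
import hashlib, re, tempfile
from pathlib import Path

# SHA-256 hashes listed in this bulletin, keyed to the component they belong to.
IOC_HASHES = {
    "cbbfd767774de9fecc4f8d2bdc4c23595c804113a3f6246ec4dfe2b47cb4d34c": "capstone.js",
    "bc6e488e297241864417ada3c2ab9e21539161b03391fc567b3f1e47eb5cfef9": "mac.js",
    "9d9695f5bb10a11056bf143ab79b496b1a138fbeb56db30f14636eed62e766f8": "JavaScript",
    "8fae0d5860aa44b5c7260ef7a0b277bcddae8c02cea7d3a9c19f1a40388c223f": "sandbox escape / LPE",
    "df5b588f555cccdf4bbf695158b10b5d3a5f463da7e36d26bdf8b7ba0f8ed144": "sandbox escape / LPE",
    "cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8": "backdoor (2021 sample)",
    "f0b12413c9d291e3b9edd1ed1496af7712184a63c066e1d5b2bb528376d66ebc": "backdoor (2019 sample)",
}
C2_ADDRESSES = {"123.1.170.152", "207.148.102.208"}  # C2 addresses listed in this bulletin
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:  # stream the file so large binaries need not fit in memory
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def sweep_files(root: Path, iocs=IOC_HASHES) -> list:
    # Return (relative path, component) for every file whose SHA-256 is a listed IoC.
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and (label := iocs.get(sha256_file(path))):
            hits.append((path.relative_to(root).as_posix(), label))
    return hits

def scan_log_lines(lines, c2=C2_ADDRESSES) -> list:
    # Return (line number, address) for each line that mentions a listed C2 address.
    return [(n, ip) for n, line in enumerate(lines, 1)
            for ip in IPV4_RE.findall(line) if ip in c2]

def demo():
    # Constructed data: a clean file, a marker file whose own hash is added as a stand-in IoC, and log lines.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"nothing to see here\n")
        (root / "Library").mkdir()
        marker = root / "Library" / "mac.js"
        marker.write_bytes(b"constructed sample, not the real payload\n")
        iocs = dict(IOC_HASHES, **{sha256_file(marker): "stand-in mac.js"})
        file_hits = sweep_files(root, iocs)
    log = ["10.0.0.5 GET https://example.org/ 200",  # constructed proxy log lines
           "10.0.0.7 CONNECT 207.148.102.208:443 200",
           "10.0.0.9 GET http://203.0.113.4/update 404"]
    return file_hits, scan_log_lines(log)
```

Run `sweep_files` against user Library and browser cache directories, and `scan_log_lines` over proxy or firewall exports, to check for the listed indicators.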

Threat Landscape

A watering hole campaign targets a group of victims by compromising a website that those people are known to visit.

The delivery URLs for this campaign reference Amnesty International, a human rights organisation which recently announced the closure of its Hong Kong office, citing security concerns.

Pro-democracy activists in Hong Kong have previously been targeted by the state as they protest against stronger national security laws.

MITRE Methodologies

T1189 – Drive-by Compromise [watering hole attack]

T1014 – Rootkit

Further Information

Analyzing a watering hole campaign using macOS exploits

About the security content of iOS 14.4 and iPadOS 14.4

About the security content of macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave

About the security content of iOS 12.5.5

About the security content of Security Update 2021-006 Catalina