0-day in macOS used to deploy spyware as part of a watering hole campaign against website visitors in Hong Kong
Overview
Google’s Threat Analysis Group (TAG) has reported a campaign targeting visitors to pro-democracy and news websites in Hong Kong. The threat actor, which Google assesses is likely state-backed, used two different exploit chains, one targeting macOS and one targeting iOS, to install spyware on victims’ devices.
The macOS exploit chain combined a WebKit exploit (CVE-2021-1789), patched in January, with an XNU exploit (CVE-2021-30869), patched in September (and reported previously).
The iOS exploit chain was encrypted with the IRONSQUIRREL framework, so TAG was unable to analyse it fully, but an exploit for CVE-2019-8506 (patched in iOS 12.2) was observed.
Impact
Vulnerable visitors to the websites would have their devices infected with malware capable of the following:
– Record audio
– Log keystrokes
– Fingerprint the device
– Capture the screen
– Upload and download files
– Run terminal commands
Affected Products
macOS Mojave (10.14) or Catalina (10.15)
iOS < 12.2
Indicators of Compromise
Threat Landscape
A watering hole campaign is a way of targeting a group of victims by infecting a website that those people are known to visit.
The delivery URLs for this campaign reference Amnesty International, a human rights organisation that recently announced the closure of its Hong Kong office, citing security concerns.
Pro-democracy activists in Hong Kong have previously been targeted by the state as they protest against stronger national security laws.
MITRE Methodologies
T1189 – Drive-by Compromise [watering hole attack]
T1014 – Rootkit
Further Information
Analyzing a watering hole campaign using macOS exploits
About the security content of iOS 14.4 and iPadOS 14.4
About the security content of iOS 12.5.5
About the security content of Security Update 2021-006 Catalina