ESET discovers DazzleSpy, a new macOS spying malware

/in


ESET Research has discovered a new macOS malware spying on visitors to a Hong Kong radio station news site.

According to the cybersecurity research firm, a watering hole attack compromised Hong Kong radio station D100s news website. The attackers served a Safari exploit that installed cyber espionage malware DazzleSpy on site visitors’ Macs.

The vulnerability could also have been exploited on iOS, even on devices such as the iPhone XS and newer, ESET believes.

In fact, ESET says this campaign has similarities with one from 2020 where LightSpy iOS malware was distributed the same way. 

According to ESET, the payload DazzleSpy is capable of a wide variety of cyber espionage actions. ESET Research can conclude that the group behind this operation has strong technical capabilities.

The watering-hole operations the attackers have pursued show that the targets are likely to be politically active individuals in Hong Kong. The malicious code is capable of collecting a wide variety of sensitive and personal information.

The first report about the watering-hole attacks leading to exploits for the Safari web browser running on macOS was published by Google last November. ESET researchers were investigating the attacks at the same time as Google and have uncovered additional details about both the targets and malware used to compromise the victims. ESET has confirmed that the patch identified by the Google team fixes the Safari vulnerability used in the attacks.

“The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code. Its interesting to note that some code suggests the vulnerability could also have been exploited on iOS, even on devices such as the iPhone XS and newer,” says Marc-tienne Lveill, who investigated the watering-hole attack.

“This campaign has similarities with one from 2020 where LightSpy iOS malware was distributed the same way, using iframe injection on websites for Hong Kong citizens leading to a WebKit exploit,” he says.

Lveill says the payload DazzleSpy is capable of a wide variety of cyber espionage actions. 

“It can collect information about the compromised computer; search for specified files; scan…

Source…