Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

Booby-trapped Sites Delivered Potent New Backdoor Trojan To macOS Users (arstechnica.com) 34

Researchers have uncovered advanced, never-before-seen macOS malware that was installed using exploits that were almost impossible for most users to detect or stop once the users landed on a malicious website. From a report: The malware was a full-featured backdoor that was written from scratch, an indication that the developers behind it have significant resources and expertise. DazzleSpy, as researchers from security firm Eset have named it, provides an array of advanced capabilities that give the attackers the ability to fully monitor and control infected Macs. Features include: victim device fingerprinting, screen capture, file download/upload, execute terminal commands, audio recording, and keylogging. Mac malware has become more common over the years, but the universe of advanced macOS backdoors remains considerably smaller than that of advanced backdoors for Windows. The sophistication of DazzleSpy -- as well as the exploit chain used to install it -- is impressive. It also doesn't appear to have any corresponding counterpart for Windows. This has led Eset to say that the people who developed DazzleSpy are unusual. "First, they seem to be targeting Macs only," Eset researcher Marc-Etienne M.Leveille wrote in an email. "We haven't seen payloads for Windows nor clues that it would exist. Secondly, they have the resources to develop complex exploits and their own spying malware, which is quite significant."
This discussion has been archived. No new comments can be posted.

Booby-trapped Sites Delivered Potent New Backdoor Trojan To macOS Users

Comments Filter:
  • Why not tell us... (Score:5, Insightful)

    by dark.nebulae ( 3950923 ) on Thursday January 27, 2022 @02:37PM (#62212803)

    Why just post about the exploit and it's unique Mac target?

    Why not tell us how you get infected and how you avoid it?

    • Looks like it exploits Safari versions prior to 14.1, and macOS 10.15.2 and newer, and supposedly this patch [github.com] from over a year ago fixes it. But there might be newer versions of the exploit.
      • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday January 27, 2022 @03:20PM (#62212959) Homepage Journal

        Unfortunately Apple's approach to backwards compatibility (fuck it) means lots of Apple users can't upgrade or they lose access to software.

    • by vlad30 ( 44644 )
      "there’s no evidence DazzleSpy is targeting anyone other than those visiting sites advocating for democracy in Hong Kong"

      the article is fairly detailed and further info in a link at the end and without saying exactly who it is it's not hard to guess the organisation who wrote it also fact it targets versions that are at least 1 year old, suggests Apples recent investment in China has reaped its first reward

  • Here's how to check (Score:5, Informative)

    by SuperKendall ( 25149 ) on Thursday January 27, 2022 @02:37PM (#62212805)

    You had to follow that Slashdot link, to secondary link [welivesecurity.com], that actually had the "indicators of compromise" to look for (that link also has more detail on how the compromise works).

    But, a brief summary of some files to look for that indicate potential compromise include:

    $HOME/Library/LaunchAgents/com.apple.softwareupdate.plist
    $HOME/.local/softwareupdate
    $HOME/.local/security.zip
    $HOME/.local/security/keystealDaemon
    $HOME/.local/security/libkeystealClient.dylib

    (at least that's what the article says). It also has a few other things.

  • by account_deleted ( 4530225 ) on Thursday January 27, 2022 @02:40PM (#62212819)
    Comment removed based on user account deletion
    • I'm not sure why the Webkit engine can access kernel space. Does it run as root, or does it have some role-based access to the kernel?

      Nope, just a classic privilege escalation bug in Mach handling of ports, more details here (linked to from the Slashdot article linked to).

      Search for "adjust_port_type".

  • The level of moral detachment coupled with well-trained professionalism is quite disturbing.

    • by XXongo ( 3986865 ) on Thursday January 27, 2022 @03:22PM (#62212969) Homepage
      I'm puzzled by the article failing the credit the originators.

      The article says Google "believe this threat actor to be a well-resourced group, likely state-backed"...

      Yeah, right.
      1. It was specifically targeted to people interested in a site "Democracy for Hong Kong",
      2. When it contacts home base to sen information on a compromised computer, it sends the time in Chinese Standard Time. (Ref: https://www.welivesecurity.com... [welivesecurity.com] )
      3. username wangping appears in paths embedded in the binary (same reference)

      I think you might reasonably give credit to China for this exploit.

    • "One man's villain is another man's hero, Captain."
      – Dukat, 2373 ("By Inferno's Light")

  • by dark.nebulae ( 3950923 ) on Thursday January 27, 2022 @03:06PM (#62212899)

    From TFA:

    While advanced and potentially dangerous, there’s no evidence DazzleSpy is targeting anyone other than those visiting sites advocating for democracy in Hong Kong. That means readers should remember the chances of being infected are extremely low for everyone else.

    • by XXongo ( 3986865 )
      Yeah, right, because of course if they build a weapon to attack one group, it's impossible for them to use it against anybody else.
      /sarcasm>
  • It just works!
    • Engineered for security!
    • It just works!

      It does! Until it doesn't!

      I recently put a new HDD into an old 27" iMac, in which the old drive was very, very sick. It would boot the main OS, but not recovery. Managed to get a Time Machine backup after 19 hours. Did the thing with the suction cups and the torx screws in strange places and the thermal sensor, got the new drive in there. Simply do the internet recovery, which is supported on this model, and... oops! You have to upgrade the SMC, by upgrading your OS, to get that function to work. OK,

      • by gtall ( 79522 )

        " Being Apple, it's probably browser-independent too, since aren't all browsers on Apple basically using the same engine?'

        I think that is true for IOS, but not for MacOS.

        • It is indeed true for iOS but not for macOS.

          On the other hand, there's only really three rendering engines left on macOS:
          - WebKit (Safari)
          - Blink (Chrome, Edge, Opera)
          - Gecko (Firefox)

          And since Blink is a (now distant) fork of WebKit, they do share some percentage of code, so there's really only two-and-a-half rendering engines when you think about it.

  • Everyone's shit on Windows so much that even the hackers have bought the line, and aren't even bothering, since 'everyone' is apparently on a Mac or something else.

    Windows is going to become the safest OS!

    • I think it's more like all the Win machines has already been hacked, so no challenge there ;-)

    • ...since 'everyone' is apparently on a Mac or something...

      Considering the numbers Apple released today you might think that's the case.

  • I know, they mean OS X, But it would be like saying they found a new Flaw in DOS, or perhaps NT

    • by CompMD ( 522020 )

      OS X has not been around for a few years, it has been called macOS lately. Importantly, its not version 10 (X) anymore: Big Sur was 11, and Monterey is 12.

    • They did not mean OS X, because that's not been the name of the Mac operating system for seven years now: https://en.wikipedia.org/wiki/... [wikipedia.org]

      Mac OS = System 9 and below (1984 to 1999, now also known as "Classic Mac OS")
      Mac OS X = Versions 10.0 to 10.7 (2001 to 2011)
      OS X = Versions 10.8 to 10.11 (2012 to 2015)
      macOS = Versions 10.12 and up (2016 and up)

      • And as CompMD mentions, it's not macOS 10.x anymore, they stopped the 10.x number version at 10.15 with Catalina, the next one was macOS 11 Big Sur and we're now at macOS 12 Monterey. I wonder where that decision comes from and if it was triggered by Microsoft jumping ahead to Windows 10 at the time.

  • TFA mentions it appeared only to target pro-democracy sites in Hog Kong. If true, that is a pretty directed attack. I would infer from that there was some specific persons they were targeting and knew the targets used Macs. Of course, that doesn't mean t can't be recycled; although Apple apparently has patched the exploit.
  • --This is an excellent reason to browse from a VM running TOR and maybe TAILS ISO. Keeps the host system from getting infected, and everything is transient.

Wherever you go...There you are. - Buckaroo Banzai

Working...