Google TAG’s @eryeh published about similar activity in November. They reported the LPE vulnerability (CVE-2021-30869) to Apple and it was patched late September in macOS and iOS.
https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/ 2/7
#ESETResearch was also looking at that threat at the same time. Our article contains a deep analysis of the WebKit/JSC exploit and a description of the payload we obtained, DazzleSpy, which is different from Google’s research. 3/7
If you are curious about how code execution was gained from Safari, the article contains the details about how address leakage and arbitrary memory read and write were obtained from the JavaScript engine using type confusion. 4/7
DazzleSpy (named osxrk by its author) is Mac malware we haven’t seen before. Its features include gathering information about the system, searching for, downloading and uploading files, exfiltrating the keychain, and providing access to the perpetrator via remote desktop. 5/7
F3772A23595C0B51AE32D8E7D601ACBE530C7E97 95889E0EF3D31367583DD31FB5F25743FE92D81D EE0678E58868EBD6603CC2E06A134680D2012C1B amnestyhk[.]org 88.218.192[.]128 http://github.com/eset/malware-ioc/blob/master/dazzlespy 6/7
Bonus: Notice that the DazzleSpy C&C server from the sample is down, but the following is still reachable at the time of writing: 185.130.214[.]111:4443.
#ESETresearch 7/7