A watering-hole attack on Hong Kong websites was infecting site visitors with novel Mac malware that could steal data, record audio and more, revealed researchers with Google's Threat Analysis Group (TAG). Watering-hole attacks aim to compromise a specific group of users by infecting websites they typically visit and luring them to the malicious site.

This particular attack leveraged an XNU privilege-escalation vulnerability (CVE-2021-30869) that led to the installation of a previously unreported backdoor on victims' systems. While at the time of attack (late August) the vulnerability was unpatched in macOS Catalina, Apple fixed the flaw in a Sept. 23 security update.

Erye Hernandez, researcher with Google TAG, said the watering-hole attacks impacted websites for an unnamed media outlet and a prominent pro-democracy labor and political group. It's not clear how the websites were initially compromised. When they obtained the exploit chain, researchers found a parameter recording the number of exploitation attempts, revealing over 200 attempts.

“Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code,” said Hernandez in a Thursday analysis.

The compromised websites contained two iframes that served exploits from an attacker-controlled server: one for iOS and one for macOS. Researchers were unable to uncover the full exploit chain for iOS; however, they discovered that it leveraged a type confusion issue (CVE-2019-8506) to achieve code execution in Safari. Researchers also found that the exploit chain utilized Ironsquirrel, an open-source framework that delivers encrypted browser exploits to the victim’s browser. Ironsquirrel was previously seen by researchers with Volexity in watering-hole attacks in 2019 that targeted Apple iOS devices.

The macOS exploit, meanwhile, used a different framework than Ironsquirrel. In this attack, researchers observed a simple HTML page loading two scripts. The first loading script was used for the exploit chain. This exploit chain combined a remote code execution flaw in WebKit (CVE-2021-1789), previously patched on Jan. 5, and the local privilege-escalation vulnerability (CVE-2021-30869) in XNU, an operating system kernel developed by Apple. The latter flaw stems from a type confusion issue that could allow malicious applications to execute arbitrary code with kernel privileges.

The other loading script was for the public tool Capstone.js, a port of the Capstone disassembler framework to JavaScript. While Capstone is typically used for binary analysis, the attackers here utilized it to search for the addresses of dlopen and dlsym in memory. After the WebKit RCE succeeded, an embedded Mach-O binary would be loaded into memory; here, the dlopen and dlsym addresses found using Capstone.js are used to patch the Mach-O loaded in memory.

The attack delivered Mac malware called OSX.CDDS (so named due to its tasking strings), which was loaded in the background of victims’ machines via launchctl. “The payload seems to be a product of extensive software engineering,” Hernandez said. “It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2.”
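As an added illustration, not code from Google TAG or from the article, here is a webmaster-side integrity check for the injection pattern described above: iframes and script tags whose source points at a host the site does not own. The page origin `news.example.org`, the allowed CDN host `cdn.example.net` and the `attacker.invalid` URLs in the sample HTML are all constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class EmbedCollector(HTMLParser):
    """Collects the src of every <iframe> and <script> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if not src:
            return  # inline scripts and srcdoc iframes are out of scope here
        if tag == "iframe":
            self.iframes.append(src)
        elif tag == "script":
            self.scripts.append(src)


def find_offsite_embeds(html, page_origin, allowed_hosts=()):
    """Return (iframes, scripts) whose host is neither the page's own origin
    nor an explicitly allowed third party. Relative URLs count as same-origin."""
    own_host = urlparse(page_origin).hostname
    parser = EmbedCollector()
    parser.feed(html)

    def offsite(src):
        host = urlparse(src).hostname  # None for relative URLs
        return host is not None and host != own_host and host not in allowed_hosts

    return ([s for s in parser.iframes if offsite(s)],
            [s for s in parser.scripts if offsite(s)])


# Constructed sample: a legitimate page with the article's pattern appended, i.e. two
# hidden iframes (one per platform) plus an exploit loader and a copy of capstone.js,
# all fetched from a host the site does not own.
SAMPLE_HTML = """<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body><p>news article</p>
<iframe src="https://attacker.invalid/ios" style="display:none"></iframe>
<iframe src="https://attacker.invalid/macos" style="display:none"></iframe>
<script src="//attacker.invalid/loader.js"></script>
<script src="https://attacker.invalid/capstone.js"></script>
</body></html>"""

if __name__ == "__main__":
    iframes, scripts = find_offsite_embeds(
        SAMPLE_HTML, "https://news.example.org", allowed_hosts=("cdn.example.net",))
    print("off-site iframes:", iframes)
    print("off-site scripts:", scripts)
```

Run periodically against a site's published pages (or its served HTML from an external vantage point) and alert on any result that is not empty; protocol-relative sources such as `//host/…` are resolved to their host and flagged like absolute ones.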