DazzleSpy, a piece of malware that attacks macOS, was discovered last fall by researchers at ESET, and now those researchers have released more detailed findings.
DazzleSpy, according to the researchers at ESET, was being spread via watering hole attacks via pro-democracy websites in China. It infected machines using a combination of two vulnerabilities, one in WebKit (the framework that powers Safari) and one in macOS (a privilege escalation vulnerability).
Now, if this sounds familiar, it’s because you’ve been paying attention—this is exactly the same technique as that used by the CDDS (aka Macma) malware that was described by Google in November, even down to spreading through Chinese pro-democracy sites.
The new malware got a foothold via CVE-2021-1789, exploited via a JavaScript file named mac.js
loaded by the malicious site. This led to the in-memory execution of native Mac code, which exploits CVE-2021-30869 to gain root privileges. With this high level of privileges, the malware drops its payload onto the machine.
That payload is a very full-featured backdoor, providing the attacker the capability to run any arbitrary command on the infected Mac, start a remote screen viewing session, download files from the Mac, steal the keychain, send synthetic mouse clicks, etc. The full list of capabilities is a bit different than what Google described for CDDS, but it’s important to keep in mind that arbitrary shell command execution is an extremely powerful capability. Although the DazzleSpy implant doesn’t directly support taking screenshots, for example, that’s not hard to do via the screencapture
command in the shell.
Are CDDS and DazzleSpy the same?
These two pieces of malware are quite different. The code is very different, and the capabilities are different. They’re also very different in terms of what gets installed. CDDS, for example, distributes multiple executable files across a couple different folders, while the DazzleSpy payload is a single, smaller file (which may optionally also install the open-source KeySteal exploit on older systems, in order to steal keychain data).
Thus, there’s little doubt that these are distinctly different malware, written from different code bases.
However, since both were distributed through the same two macOS vulnerabilities, through pro-democracy websites in China, it’s highly likely these are made by the same folks. The most likely scenario is that this is Chinese government malware, being used for the purpose of tracking democracy advocates.
Why there would be a need for two different pieces of malware is unclear. Perhaps there was some dissatisfaction with the CDDS code, so new malware was written. Perhaps both were run concurrently to see which performed better. Perhaps it’s part of a plan to change the code periodically as a means of avoiding detection.
Then again, perhaps the similarities in usage don’t actually indicate anything at all.
Can we blame the Chinese government?
Attribution is hard, and it’s very difficult to say where a particular malware sample originated without a lot of corroborating data. For example, threat actors have been known to insert Chinese- or Russian-language strings into executables in an attempt at misdirection.
However, there’s a long history of suspected Chinese government use of malware to track oppressed groups, spanning many years. To cite one example, a very similar case occurred in early 2012, in which two different pieces of malware were discovered using Java vulnerabilities to infect Macs. Tibet (aka MaControl), discovered in March 2012, and Sabpab, discovered in April 2012, were both used to target Tibetan activists, at a time when Tibetan protests of Chinese government oppression were at a peak.
In the case of DazzleSpy, the presence of Chinese strings in the executable are far from incontrovertible evidence of Chinese government involvement. The pattern of usage, though, makes it extremely likely.
Mac malware gets an early start in 2022
DazzleSpy is actually not the first new Mac malware to appear so far this year, despite the fact that it’s only January. SysJoker coverage appeared a couple weeks before. Discovered by Intezer during an investigation into a Linux server infection, this was the official first Mac malware of 2022. However, there are some questions about whether this is actually in the wild – questions that are borne out by the lack of any detections at all in the wild. This may have been a proof-of-concept for Mac that hadn’t actually been released yet. (Malware creators sometimes upload early builds of their malware to VirusTotal, to see if any antivirus engines detect them, which can lead to discovery of those pre-release programs by researchers.)
It’s too early to make any assumptions about what this means for malware in 2022, though. It’s not uncommon for Mac malware research to follow a pattern of multiple discoveries early in the new year, followed by less frequent discoveries as the year continues.
Conclusion
If you have visited a pro-democracy Chinese website and think you might be infected, run a scan with Malwarebytes. It will detect this as OSX.DazzleSpy.
Alternately, you can also look for it manually. The items you’re most likely to see are:
/var/root/Library/LaunchAgents/com.apple.softwareupdate.plist /var/root/.local/
This plist file and the .local
folder are created by the malware when run as root, and the vulnerabilities used to drop the malware do involve root escalation. This is also a good place to drop these files, as it’s a location you cannot view within the Finder. You can only access the contents of
/var/root/
by using something that operates as the root user, such as sudo
on the command line.
However, it’s also possible the malware could get dropped into the user folder, in which case you’ll see these paths instead:
~/Library/LaunchAgents/com.apple.softwareupdate.plist ~/.local/