ESET Research discovers DazzleSpy: macOS malware spying on visitors of Hong Kong pro-democracy news site

Next story
  • A watering hole attack compromised a Hong Kong pro-democracy radio station news website.
  • The attackers served a Safari exploit that installed cyberespionage malware DazzleSpy on site visitors’ Macs.
  • Targets are likely to be politically active, pro-democracy individuals in Hong Kong.
  • The vulnerability could also have been exploited on iOS, even on devices such as the iPhone XS and newer. In fact, this campaign has similarities with one from 2020 where LightSpy iOS malware was distributed the same way.
  • The payload – DazzleSpy – is capable of a wide variety of cyberespionage actions.
  • ESET Research can conclude that the group behind this operation has strong technical capabilities.
  • The malware uses China Standard Time and contains a number of internal messages in Chinese.

BRATISLAVA, MONTREAL — January 25, 2022 — ESET researchers have discovered that the news website of Hong Kong pro-democracy radio station D100 was recently compromised to serve a Safari exploit that installed cyberespionage malware on site visitors’ Macs. The watering-hole operations the attackers have pursued show that the targets are likely to be politically active, pro-democracy individuals in Hong Kong. The malware delivered to vulnerable visitors of the site was new macOS malware ESET has named DazzleSpy. The malicious code is capable of collecting a wide variety of sensitive and personal information.

The first report about the watering-hole attacks leading to exploits for the Safari web browser running on macOS was published by Google last November. ESET researchers were investigating the attacks at the same time as Google and have uncovered additional details about both the targets and malware used to compromise the victims. ESET has confirmed that the patch identified by the Google team fixes the Safari vulnerability used in the attacks.

“The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code. It’s interesting to note that some code suggests the vulnerability could also have been exploited on iOS, even on devices such as the iPhone XS and newer,” says Marc-Étienne Léveillé, who investigated the watering-hole attack.

This campaign has similarities with one from 2020 where LightSpy iOS malware was distributed the same way, using iframe injection on websites for Hong Kong citizens leading to a WebKit exploit.

The payload – DazzleSpy – is capable of a wide variety of cyberespionage actions. It can collect information about the compromised computer; search for specified files; scan files in Desktop, Downloads, and Documents folders; execute the supplied shell commands; start or end a remote screen session; and write a supplied file to disk. 

Given the complexity of the exploits used in this campaign, ESET Research can conclude that the group behind this operation has strong technical capabilities. It’s also interesting that end-to-end encryption is enforced in DazzleSpy meaning it won’t communicate with its command and control (C&C) server if anyone tries to eavesdrop on the unencrypted transmission.

Among other interesting findings about this threat actor is that once the malware obtains the current date and time on a compromised computer, it converts the obtained date to the Asia/Shanghai time zone (aka China Standard Time), before sending it to the C&C server. In addition, the DazzleSpy malware contains a number of internal messages in Chinese.

For more technical details about this watering-hole attack and the DazzleSpy malware, read the blogpost “Watering hole deploys new macOS malware, DazzleSpy, in Asia”  on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research. 

About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn,Facebook, and Twitter.

MENUCLOSE
ESET Smart Security Premium box

Ultimate
protection

ESET Smart Security Premium

Advanced
protection

ESET Internet Security

Essential
protection

ESET NOD32 Antivirus

Small and Home  office protection

Easy-to-use device security with advanced privacy features

ESET Mobile Security for Android

Keep your Android device safe. Wherever you go

ESET Parental Control for Android

Protect your children online with confidence

ESET Smart TV Security box

ESET Smart TV Security

Internet of Things security starts with your TV

Renew my license

Renew, upgrade or add devices to your license

Existing
 customer?

Manage your license, update date and more

Download

Install your protection or try ESET free for 30 days

Download

Install your business protection or request a free trail

Why ESET?

Superior technology

Learn more about our unified cybersecurity platform

Industry recognition

ESET cybersecurity solutions are recognized and industry-wide.

Corporate blog

Cybersecurity news from ESET's award-winning researches.

Customer zone

Existing
customer?

Manage your license, update billing information and more

Live chat

Need help purchasing, renewing a license or have product questions?

Business sales

for business customers

For business sales call:

1-844-824-3738

MONDAY - FRIDAY, 6AM - 5PM PT