Suspected state-backed hackers exploit macOS zero-day to install a never-before-seen backdoor

Google’s Threat Analysis Group (TAG) has published details of a watering hole campaign that deployed a macOS zero-day exploit chain to install previously undocumented malware on the devices of users who visited Hong Kong websites belonging to a media outlet and a prominent pro-democracy labor and political group.

Discovered in late August, the campaign exploited an XNU privilege escalation vulnerability (CVE-2021-30869) together with CVE-2021-1789 (a remote code execution bug in WebKit that was fixed in February 2021) to escape the Safari sandbox, elevate privileges, and download and execute a second-stage payload named "MACMA" from a remote server.

CVE-2021-30869 resides within the XNU subsystem in macOS and can be exploited by a local attacker to execute arbitrary code with elevated privileges by triggering a type confusion error with a malicious program. Apple patched this vulnerability on September 23, 2021.

The MACMA malware “seems to be a product of extensive software engineering,” TAG researcher Erye Hernandez said in a report. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the command-and-control server, and has a slew of capabilities, including victim device fingerprinting, screen capture, file download/upload, executing terminal commands, audio recording, and keylogging.

The researchers said that iOS users were also targeted in this attack, albeit using a different exploit chain, which the research team was not able to fully determine.

As for the perpetrator behind the attack, Google said it believes that the campaign was launched by “a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.”
