
DazzleSpy Malware

A potent, fully-fledged iOS and macOS backdoor threat named DazzleSpy was deployed in watering-hole attacks against Hong Kong citizens with pro-democracy leanings. The attacks were first noticed by Google TAG, who informed Apple about them. To spread the malware threat, the cybercriminals set up a fake website, which was reported by Felix Aimé from SEKOIA.IO. They also compromised the official website of D100, an online pro-democracy radio station. More details about the threat, the potential attackers, and the employed infection chain were made available in a report by researchers.

According to their findings, the previously unknown backdoor can recognize numerous different commands from its operators and establish numerous invasive routines on the compromised systems. Depending on the goals of the attackers, DazzleSpy can exfiltrate specifically chosen files, enumerate running processes, enumerate files in the Desktop, Documents, and Downloads directories, execute arbitrary shell commands, manipulate the file system, and more. DazzleSpy, as its name suggests, is also capable of spying on the victim by logging mouse events, as well as starting or ending remote sessions. In addition, the threat carries out the necessary tasks to abuse the CVE-2019-8526 vulnerability.

C2 Communication and Attribution

The backdoor also makes sure no one is spying on its communication with the Command-and-Control (C2, C&C) server of the attack. First, DazzleSpy utilizes end-to-end encryption for its messages. Separately, the threat inserts a TLS-inspection proxy that stands between the infected devices and the C2 server. If it detects an unknown entity eavesdropping, DazzleSpy will not make a communication attempt.

So far, there are no conclusive leads establishing the cybercriminal group responsible for the DazzleSpy attacks. However, the nature of the operation and the fact that the infosec researchers found several internal messages in Chinese may be a clue. The operation also exhibits significant similarities to a watering-hole attack that took place in 2020. Back then, the threatening activity was attributed to an APT (Advanced Persistent Threat) group tracked as TwoSail Junk. The hackers targeted Hong Kong citizens with the LightSpy iOS malware that was propagated through website iframe injection techniques.
