Security researchers have once again published information on Dazzlespy, malware for Mac which allows remote monitoring of keyboard keys, screenshot, access to webcam, microphone, etc..Initially, DazzlesPy was used to target militants for democracy in Hong Kong, first through a false website, then through a real website, as part of a so -called attack "Watering Hole "...

Malware reported in November 2021

If you follow us regularly, it must remind you of this student who managed to hack the Mac camera before reporting it to Apple and pocket $ 100,000.But Dazzlespy was operated by several people through the planet.Google's threat analysis group (TAG) reported the attack for the first time in November of last year:

"Watering Hole" type attacks are so named because they focus on sites that concentrate the influx of visitors.

New information on Dazzlespy malware for Mac

Although Google revealed some details at the time, it turns out that it was ESET's security researchers who discovered it first, and the company has now published more detailed information.We learn that the affected firmwares are macOS 10.15.3 and superiors, macOS 11 Big on included.Determine the origin of the attack has not been very complicated:

The code also contains Chinese, and the dates and hours of information returned to the server is converted into the time zone of Shanghai.The attack used a feat of the webkit rendering engine used in Safari.The feat is complex - with more than 1,000 lines of code - it is therefore necessary to read the full article in English for a detailed understanding, but the simplified process is as follows:

1. Télécharger un fichier à partir de l'URL fournie en argument
2. Décrypter ce fichier en utilisant AES-128-EBC et TEA avec un delta personnalisé
3. Écrire le fichier résultant dans $TMPDIR/airportpaird et le rendre exécutable
4. Utiliser l'exploit d'escalade des privilèges pour supprimer l'attribut com.apple.quarantine du fichier afin d'éviter de demander à l'utilisateur de confirmer le lancement de l'exécutable non signé
5. Utiliser la même escalade de privilèges pour lancer l'étape suivante avec les privilèges de l'administrateur.

This gives the malicious software administrator access without any interaction with the user.The malware itself is extremely powerful, allowing the attacker to access multiple orders:

Apple has corrected the vulnerabilities used, especially with iOS 12.5.5 and the Catalina 2021-006 security update.Do not hesitate to verify that you have made the updates, and if you are not reassured, to look at the antivirus like Intego X9 which is entirely designed and optimized for MacOS.