Rewterz Threat Update – Watering Hole Attacks against Political Entities using DazzleSpy – Active IOCs

Severity

High

Analysis Summary

The watering hole attack gets its name from a hunting technique. In this technique the hunter, instead of hunting the prey, goes to the place where the prey frequents most and waits. This way the pray is most likely to fall into the trap as its an unsuspecting attack and it has its guard down. 

This attack is implemented in the cyber world too where the attacker compromises a specific website or portal the victim is most likely to visit. The victim can be an individual, a group, or an organization, and in this case, political officials.  

In this instance, an undocumented macOS backdoor called the “DazzleSpy” is used to attack Hong Kong’s politically active individuals. The first attack was seen in November of last year when Google researchers published research on a MacOS zero-day being exploited by threat actors (CVE-2021-30869).

Experts attribute these attacks to a nation-state actor, however, no specific group is named. 

DazzleSpy is a full-featured backdoor that provides attackers a large set of functionalities to control, and exfiltrate files from, a compromised computer, according to researchers.

DazzleSpy was distributed by the threat actors using iframe injections on websites which then lead to a WebKit exploit. 

Impact

• Data Theft
• Privilege Escalation
• Credential Loss
• Eavesdropping

Indicators of Compromise

Filename

• $HOME/Library/LaunchAgents/com[.]apple[.]softwareupdate[.]plist
• $HOME/[.]local/softwareupdate
• $HOME/[.]local/security[.]zip
• $HOME/[.]local/security/keystealDaemon
• $HOME/[.]local/security/libkeystealClient[.]dylib

MD5

• 96b7999463bc732942c683df717e624c
• 1fffe05a33bed2ad28f03b7e7dc82c43
• 9dc9d317a9b63599bbc1ceba6437226e

SHA-256

• 7965c61a4581f4b2f199595a6b3f0a416fe49bd8eaac0538e37e050d893f9e3c
• bbbfe62cf15006014e356885fbc7447e3fd37c3743e0522b1f8320ad5c3791c9
• f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348

SHA-1

• f3772a23595c0b51ae32d8e7d601acbe530c7e97
• 95889e0ef3d31367583dd31fb5f25743fe92d81d
• ee0678e58868ebd6603cc2e06a134680d2012c1b

URL

• https[:]//amnestyhk[.]org/ss/defaultaa[.]html

Remediation

• Patch – Patch and upgrade any platforms and software timely.
• WAF -Set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are
• not publicly accessible.
• Passwords – Implement strong passwords. Enable two-factor authentication.
• Logging – Log your eCommerce environment’s network activity and web server activity.