"New Mac Malware Delivered in Watering-Hole Attacks"

According to researchers with Google's Threat Analysis Group (TAG), a watering-hole attack on Hong Kong websites infected site visitors with new Mac malware. Watering-hole attacks target a specific group of users by compromising the websites that group frequently visits and serving them malicious content. This particular watering-hole attack abused an XNU privilege-escalation vulnerability to install a previously unreported backdoor on victims' systems. Erye Hernandez, a Google TAG researcher, said the attack affected websites belonging to an unnamed media outlet and a pro-democracy labor and political group. It remains unclear how the websites were initially compromised. When the researchers obtained the exploitation chain, they found a parameter recording the number of exploitation attempts, which stood at 200. The compromised websites contained two iframes that delivered exploits from an attacker-controlled server, one targeting iOS and the other macOS. The researchers could not recover the full exploit chain for iOS, but they did determine that it used a type confusion issue to achieve code execution in Safari. They also observed the use of Ironsquirrel in the exploit chain, an open-source framework that delivers encrypted browser exploits to the victim's browser. The Mac malware delivered, called OSX.CDDS, is capable of device fingerprinting, screen capturing, file downloading, terminal command execution, audio recording, and keylogging. This article continues to discuss the watering-hole attack in which a now-patched Apple vulnerability was used to infect website visitors with OSX.CDDS Mac malware.

Decipher reports "New Mac Malware Delivered in Watering-Hole Attacks"