MacOS Zero-Day exploits are being used to infiltrate Hong Kong users with a new Implant

The CVE-2021-30869 Vulnerability

In a report published on Thursday, Google researchers have revealed that a zero-day vulnerability in the macOS operating system has been exploited to deliver a never-before-seen backdoor on compromised machines. The now-patched zero-day has been used in attack in August this year, targeting Hong Kong media outlets and a prominent pro-democracy labor and political group.

CVE 2021 30869 1024x441

The vulnerability is tracked as CVE-2021-30869 and has a CVSS score of 7.8. The flaw concerns the XNU kernel and, according to the report, it might allow a malicious application to execute arbitrary code with the highest privileges. The vulnerability was addressed by Apple with a patch released on September 23rd .

Another vulnerability, tracked as CVE-2021-1789 (a remote code execution bug in WebKit that was fixed in February 2021) was used in conjunction with CVE-2021-30869 to break out of the Safari Sandbox and gain elevated privileges, before downloading and running a second-stage payload called “MACMA” from a remote attacker-controlled server.

According to Google Threat Analysis Group, “significant software engineering” has been applied to this previously undocumented implant, which is capable of recording audio and keystrokes and fingerprinting the device, as well as downloading and uploading arbitrary files and carrying out malicious terminal commands. As per the information that is available, none of the anti-malware engines presently recognize the backdoor files as harmful in any way.

The researchers’ findings on the quality of the code indicate that the threat actor is most likely a well-funded group, that is state-backed.

MACMA’s variant from 2019 is typically disguised as a rogue Adobe Flash Player that displays an error message in Chinese language after the installation. This suggests that the malware is aimed mostly at Chinese users and that this version is designed to be deployed via socially engineering methods. However, according to the latest findings, the 2021 version of MACMA is meant to be used remotely. The campaign’s additional indications of compromise (IoCs) may be found here.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment