The CVE-2021-30869 Vulnerability
In a report published on Thursday, Google researchers revealed that a zero-day vulnerability in macOS was exploited to deliver a previously unseen backdoor to compromised machines. The now-patched zero-day was used in watering-hole attacks in August 2021 that targeted the visitors of websites belonging to a Hong Kong media outlet and a prominent pro-democracy labor and political group.
The vulnerability is tracked as CVE-2021-30869 and has a CVSS score of 7.8. It is a type confusion bug in the XNU kernel which, according to the report, allows a malicious application to execute arbitrary code with kernel privileges. Apple addressed the flaw with a patch released on September 23, 2021.
The exploit chain first used CVE-2021-1789, a remote code execution bug in WebKit that Apple fixed in February 2021, to run attacker code inside Safari's renderer. CVE-2021-30869 was then used to break out of the Safari sandbox and escalate privileges to root, after which the chain downloaded and ran a second-stage payload called "MACMA" from a remote attacker-controlled server.
According to Google's Threat Analysis Group, "significant software engineering" went into this previously undocumented implant, which can record audio and keystrokes, fingerprint the device, upload and download arbitrary files, and execute terminal commands on behalf of the attacker. At the time of the report, no anti-malware engine flagged the backdoor's files as malicious.
The quality of the code led the researchers to conclude that the threat actor is most likely a well-resourced group, and probably state-backed.
A 2019 variant of MACMA was disguised as a fake Adobe Flash Player installer that displays an error message in Chinese after installation. This suggests that the malware was aimed mainly at Chinese-speaking users and that this version was deployed through social engineering. The 2021 version, by contrast, is delivered remotely through the exploit chain rather than by tricking the user into installing it. Additional indicators of compromise (IoCs) for the campaign are listed in Google TAG's report.