Google's Threat Analysis Group (TAG) has discovered "watering hole" attacks with malware deployed onto Hong Kong websites, including a media outlet and a prominent pro-democracy and political group.
The malware was found in August this year and TAG found a root superuser privilege escalation exploit for the macOS Catalina operating system XNU kernel, which would attempt to download and install a backdoor on targets' computers.
Only Intel-based Macs running macOS Catalina were served a full exploit chain; later macOS versions such as Big Sur caused the exploit to crash due to Apple's generic security protections.
The code for the exploit is advanced, and highly obfuscated to make analysis more difficult.
"We believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code," Erye Hernandez from Google TAG wrote.
Google TAG did not directly attribute the attacks to a particular country or hacking group.
TAG said Apple's mobile iOS operating system was also targeted by the attackers, using the Ironsquirrel framework to deliver encrypted exploits to victims' browsers, a different tactic compared to macOS.
However, TAG was not able to capture a complete iOS exploit chain, only a partial one in which a bug from 2019 was used for remote code execution in the Safari web browser.
Among the features in the backdoor were victim device fingerprinting, screen capture, file transfers, terminal command execution, audio recording and keystroke logging.
Apple patched the vulnerability in September this year.
