White Hat Institute

Hackers were able to exploit macOS zero-day to compromise Hong Kong Users

MacOS Zero-Day Exploit - (Photo by Nahel Abdul Hadi on Unsplash)

Google researchers announced on Thursday that in late August they discovered a watering hole attack targeting Hong Kong websites belonging to a media organization and a prominent pro-democracy labor and political group. The attack exploited a now-patched zero-day in the macOS operating system to deliver a never-before-seen backdoor on compromised machines.

According to Google Threat Analysis Group (TAG) expert Erye Hernandez, the group assesses this threat actor to be well-resourced, likely state-backed, and in possession of its own software engineering team, based on the quality of the payload code.

Tracked as CVE-2021-30869 (CVSS score: 7.8), the vulnerability is a type confusion flaw in the XNU kernel that could allow a malicious application to execute arbitrary code with the highest privileges. Apple fixed the issue on September 23.

According to Google TAG, the previously unknown backdoor is a fully featured implant with the ability to record audio and keystrokes, fingerprint the device, record the screen, download and upload arbitrary files, and execute arbitrary terminal commands. Based on samples uploaded to VirusTotal, anti-malware engines currently do not flag the backdoor's files as malicious.

According to security researcher Patrick Wardle, a 2019 variant of MACMA masquerades as Adobe Flash Player, with the binary displaying an error message in Chinese after installation, suggesting that "the malware is geared towards Chinese users" and that "this version of the malware is designed to be deployed through social engineering strategies." The 2021 version, on the other hand, is designed for remote exploitation.

The websites, which contained malicious code to serve exploits from an attacker-controlled server, were also used to attack iOS users, albeit through a different exploit chain delivered to the victims' browsers. Google TAG said it was only able to recover a portion of the infection chain, in which a type confusion bug (CVE-2019-8506) was exploited to achieve code execution in Safari.