Jamf protects against DazzleSpy backdoor malware making the rounds

Security, Jamf Threat Labs

Jamf Threat Labs updates Jamf Protect to completely prevent DazzleSpy from threatening the security of your macOS fleet.

Threat: DazzleSpy

ESET published an in-depth analysis into a newly discovered backdoor targeted at macOS.

Affects: DazzleSpy is known to affect macOS devices via a MachO binary.

Detected by: Jamf Protect detects DazzleSpy as part of the PlistDisguisedAsApple analytic.

Prevented by: Jamf Protect prevents DazzleSpy from running through Threat Prevention as of 1/25/2022.

Threat Defense prevents communication with all known C2 servers and URLs as of 1/26/2022.

IOCs (as published by ESET):

F3772A23595C0B51AE32D8E7D601ACBE530C7E97 - Javascript to retrieve Mach-O 95889E0EF3D31367583DD31FB5F25743FE92D81D - MachO binary EE0678E58868EBD6603CC2E06A134680D2012C1B - MachO binary after decryption

C2

Web exploit URLs

https[://]amnestyhk[.]org/ss/defaultaa.html https[://]amnestyhk[.]org/ss/4ba29d5b72266b28.html https[://]amnestyhk[.]org/ss/mac.js https[://]amnestyhk[.]org/ss/server.enc

Detection Content

Files and directories:

$HOME/Library/LaunchAgents/com.apple.softwareupdate.plist $HOME/.local/softwareupdate $HOME/.local/security.zip $HOME/.local/security/keystealDaemon $HOME/.local/security/libkeystealClient.dylib