
The underlying bug is an optimization issue occurring during FTL JIT compilation. Both exploits also share the same exploitation framework, which provides attackers with a set of utilities to execute arbitrary code (e.g. a custom MachO loader and parser, PAC and JIT cage bypasses).
There are a few minimal differences between the two exploits, which include:
- Failure mode. If something goes wrong during exploitation, the exploit from the watering hole will send the information back to the C2 and attempt to crash the browser with an out-of-memory error. If the Intellexa exploit fails, it does not send information back and will simply redirect the user to a legitimate website.
- Additional data collection from the target device. The exploit from the watering hole has an additional function named dacsiloscope that uses the read/write primitives to collect even more information about the targeted device. This information is later used to decide whether or not the cookie stealer payload should be executed. For example, if the device does not have PAC — which could be the case for an iPhone 8 running iOS 16.X — the cookie stealer payload will simply not execute.
Cookie stealer
The iOS exploit loaded the same cookie stealer framework that TAG observed in March 2021, when a Russian government-backed attacker exploited CVE-2021-1879 to acquire authentication cookies from prominent websites such as LinkedIn, Gmail and Facebook. In that campaign, attackers used LinkedIn Messaging to target government officials from western European countries by sending them malicious links.
In the watering hole campaigns, the flow on iOS versions older than 16.6 is the same as described in the Root Cause Analysis for CVE-2021-1879. For each targeted website:
- Create a websocket w connected to an attacker-controlled IP address.
- Set m_universalAccess to 1 inside the SecurityOrigin class by traversing a set of pointers.
- Create a new URL object u pointing to the targeted domain.
- Overwrite all Document URLs of the websocket w with the ones from the u URL.
- Overwrite the m_url field of the websocket w with the u URL.
- Trigger a send on the websocket.
- On the other end of the websocket, the attacker receives requests as they would be delivered to the targeted websites u, along with the authentication cookies for the targeted websites.
- Restore m_universalAccess to its original state.
The cookie stealer module targets the following hard-coded set of websites:
["webmail.mfa.gov.mn/owa/auth", "accounts.google.com", "login.microsoftonline.com", "mail.google.com/mail/mu/0", "www.linkedin.com", "linkedin.com", "www.office.com", "login.live.com", "outlook.live.com", "login.yahoo.com", "mail.yahoo.com", "facebook.com", "github.com", "icloud.com"]
On newer versions of iOS, the payload calls WebCore::NetworkStorageSession::getAllCookies() to collect all cookies before exfiltrating them back to the C2.
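For incident responders, the practical question raised by the hard-coded list above is which of a user's sessions fell inside the stealer's scope. The following helper is an added example and not TAG's or the attackers' code: it takes the target list from the page and a set of visited URLs and reports which entries were touched. The matching rule (host equal to the target host or a subdomain of it; where a target carries a path, that path must be a prefix of the URL path at a segment boundary) is an assumption made for this helper, since the page does not state how the payload itself compares targets. The browsing-history sample is constructed.

```python
"""Scope which of the cookie stealer's hard-coded targets a session touched.

Added example, not code from the page. Matching rule (assumption): host
equals the target host or is a subdomain of it; a target path, where
present, must be a path prefix of the URL at a '/' boundary.
"""
from urllib.parse import urlsplit

# Hard-coded target list as given on the page.
TARGETS = [
    "webmail.mfa.gov.mn/owa/auth", "accounts.google.com",
    "login.microsoftonline.com", "mail.google.com/mail/mu/0",
    "www.linkedin.com", "linkedin.com", "www.office.com", "login.live.com",
    "outlook.live.com", "login.yahoo.com", "mail.yahoo.com", "facebook.com",
    "github.com", "icloud.com",
]


def _split_target(target):
    """Split 'host/path' into (host, '/path'); path is '' when absent."""
    host, _, path = target.partition("/")
    return host.lower(), ("/" + path) if path else ""


def _host_matches(host, target_host):
    """Exact host or any subdomain of the target host (assumed rule)."""
    return host == target_host or host.endswith("." + target_host)


def _path_matches(path, target_path):
    """Empty target path matches everything; otherwise segment-aligned prefix."""
    return (not target_path) or path == target_path or path.startswith(target_path + "/")


def matched_targets(url, targets=TARGETS):
    """Return the target entries (in list order) that the URL falls under."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return [
        t for t in targets
        if _host_matches(host, _split_target(t)[0])
        and _path_matches(path, _split_target(t)[1])
    ]


def scope_exposure(visited_urls, targets=TARGETS):
    """Map each matched target to the visited URLs under it (for IR scoping)."""
    exposure = {}
    for url in visited_urls:
        for t in matched_targets(url, targets):
            exposure.setdefault(t, []).append(url)
    return exposure


# Constructed browsing-history sample (not real data).
SAMPLE_HISTORY = [
    "https://mail.google.com/mail/mu/0/#inbox",   # under the mobile Gmail path
    "https://mail.google.com/mail/u/0/#inbox",    # same host, other path: out of scope
    "https://www.facebook.com/messages",          # subdomain of facebook.com
    "https://example.com/",
    "https://webmail.mfa.gov.mn/owa/auth/logon.aspx",
]

if __name__ == "__main__":
    for target, urls in scope_exposure(SAMPLE_HISTORY).items():
        print(target, "->", urls)
```

Note that "www.linkedin.com" and "linkedin.com" both appear in the list, so a LinkedIn URL matches twice; the helper reports both entries rather than deduplicating, so the reader can see exactly which list entries applied.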
Google Chrome marketing campaign
At the end of July 2024, a new watering hole appeared on the mfa.gov[.]mn website, where track-adv[.]com was re-used to deliver a Google Chrome exploit chain to Android users. From a high-level overview, the attack and end goal are essentially the same as the iOS one — using n-day vulnerabilities in order to steal credential cookies — with some differences on the technical side. In this case, the attack required an additional sandbox escape vulnerability to break out of Chrome site isolation.
- Instead of a simple iframe added directly into the HTML, the attackers are now using a piece of obfuscated JavaScript to inject the malicious iframe pointing to https://track-adv[.]com/analytics.php?personalization_id=<random number>.
- Before sending any stages, crypto keys are generated and exchanged using a proper ECDH key exchange. Previous campaigns received a static decryption key from the C2.
- In both campaigns the attack uses IndexedDB to store status information on the client side. In the iOS exploit the database was named minus and in the Chrome exploit the database was named tracker.
- A unique identifier using the same format (e.g., 2msa5mmjhqxpdsyb5vlcnd2t) was generated and passed as the tt= parameter across all stages.
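The delivery details above (the track-adv[.]com host, the analytics.php?personalization_id=<number> iframe URL, and the tt= identifier carried across stages) are the indicators a defender can look for in web proxy logs. The following detection helper is an added example, not code from TAG or from the campaign; it classifies request URLs against those three indicators and scans a constructed proxy log. The regular expression for the tt= value (24 lowercase letters or digits) is an assumption generalized from the single sample on the page, the log line format is constructed for this example, and the stage path in the sample log is made up, since the page gives no stage URLs.

```python
"""Flag proxy-log requests matching the Chrome campaign's delivery pattern.

Added example, not code from the page. Indicators from the page: the
track-adv[.]com host, the analytics.php?personalization_id=<number> iframe
URL, and the tt= stage identifier. The tt= regex is an assumption
generalized from the one sample (2msa5mmjhqxpdsyb5vlcnd2t); the log format
and stage path below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

DELIVERY_HOST = "track-adv.com"        # written defanged on the page as track-adv[.]com
TT_RE = re.compile(r"^[a-z0-9]{24}$")  # assumption: shape of the page's tt= sample

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url):
    """Return the indicator names matched by one request URL, in fixed order."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query)
    hits = []
    if host == DELIVERY_HOST or host.endswith("." + DELIVERY_HOST):
        hits.append("delivery-host")
        # The injected iframe URL: /analytics.php with a numeric personalization_id.
        if parts.path == "/analytics.php" and any(
            v.isdigit() for v in qs.get("personalization_id", [])
        ):
            hits.append("iframe-url")
    # The tt= identifier is checked on any host: the page says it is passed
    # across all stages, and later stages may not share the delivery host.
    if any(TT_RE.match(v) for v in qs.get("tt", [])):
        hits.append("tt-stage-id")
    return hits


def scan_log(lines):
    """Return (client, url, indicators) for every line that hits an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        hits = classify_url(m.group("url"))
        if hits:
            findings.append((m.group("client"), m.group("url"), hits))
    return findings


# Constructed proxy log sample (fictional timestamps, IPs and stage path).
SAMPLE_LOG = """\
2024-07-30T10:01:02Z 10.0.0.5 GET https://mfa.gov.mn/ 200
2024-07-30T10:01:03Z 10.0.0.5 GET https://track-adv.com/analytics.php?personalization_id=48213 200
2024-07-30T10:01:05Z 10.0.0.5 GET https://track-adv.com/stage.js?tt=2msa5mmjhqxpdsyb5vlcnd2t 200
2024-07-30T10:02:00Z 10.0.0.7 GET https://example.org/page?tt=short 200
2024-07-30T10:02:10Z 10.0.0.7 GET https://cdn.example.org/lib.js 304
"""

if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(client, url, ",".join(hits))
```

The tt= check is deliberately decoupled from the host check: a 24-character lowercase token in a query string is weak evidence on its own, but combined with the delivery host on the same client within a short window it is a much stronger signal, which is why the scan returns the per-client findings rather than a single boolean.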