After exploiting all the vulnerabilities, the JavaScript exploit can do whatever it wants to the device including running spyware, but the attackers chose to: (a) launch the IMAgent process and inject a payload that clears the exploitation artefacts from the device; (b) run a Safari process in invisible mode and forward it to a web page with the next stage.
The web page has a script that verifies the victim and, if the checks pass, receives the next stage: the Safari exploit.
I wonder what "verifies the victim" means. Sounds like they have targeted an individual with this crazy attack chain. This wouldn't be the first case iirc.
Wow, there is a lot going on here!
Would lockdown mode have helped?
🤯
do we know what web page it was forwarding to?
You mean the domain name/IP? I don't know if that's been disclosed. On the next line it indicates the web page mostly just loads some JavaScript to perform another exploit.
Strange indeed 🤔