Security experts from Talos Team have uncovered a “highly targeted” campaign leveraging a mobile malware that has been active at least since August 2015. The researchers believe that cyberspies are operating from China and they found spying on 13 selected iPhones in the same country.
Attackers were abusing a mobile device management (MDM) service that normally allows large enterprises to control devices being used by the employees and enforce policies.
The access to the MDM service used by a company could allow an attacker to control employees’ devices and deploy malware and the targeted devices.
“Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices.” reads the analysis published by Cisco Talos.
“At this time, we don’t know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register”
To enroll an iOS device into the MDM service requires a user to manually install enterprise development certificate. Enterprises can obtain such kind of certificates through the Apple Developer Enterprise Program.
Enterprise can deliver MDM configuration file through email or a webpage for over-the-air enrollment service using the Apple Configurator.
“MDM uses the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results,” reads Apple about MDM.
Cisco’s Talos experts believe that attackers used either social engineering techniques, such as a fake tech support-style call or gaining in some way a physical access to the targeted devices.
The threat actors behind this campaign used the BOptions sideloading technique to inject malicious code to legitimate apps, including the messaging apps WhatsApp and Telegram that were then deployed through the MDM service onto the 13 targeted devices in India.
The BOptions sideloading technique allowed the attacker to inject a dynamic library in the application that implements spyware capabilities. The malicious code allows that attacker of collecting and exfiltrating information from the targeted device, including the phone number, serial number, location, contacts, user’s photos, SMS and Telegram and WhatsApp chat messages.
It is still a mystery how attackers tricked victims into installing a certificate authority on the iPhone and how they added the 13 targeted iPhones into their rogue MDM service.
Exfiltrated data and information about the compromised devices were sent to a remote server located at hxxp[:]//techwach[.]com
Among the tainted apps used by the attackers, there was also PrayTime, an application that notifies users when it is time to pray.
“Talos identified another legitimate app executing malicious code during this campaign in India. PrayTime is used to give the user a notification when it’s time to pray,” continues the analysis.
“The purpose is to download and display specific ads to the user. This app also leverages private frameworks to read the SMS messages on the device it is installed on and uploads these to the C2 server.”
Talos was not able to attribute the attack to a specific actor either which are its motivations, they were only able to find evidence suggesting the attackers were operating from India. Experts noticed that attackers planted a “false flag” by posing as a Russian threat actor.
“The certificate was issued in September 2017 and contains an email address located in Russia. Our investigation suggests that the attacker is not based out of Russia. We assume this is a false flag to point researchers toward the idea of a “classical Russian hacker.” False flags are becoming more common in malware, both sophisticated and simple. It’s an attempt to muddy the waters for the analysts/researchers to direct blame elsewhere.” continues the analysis.
Talos shared its findings with Apple that quickly revoked 3 certificates used in this campaign.
Further details, including IoCs are reported in the analysis shared by Talos.
(Security Affairs – MDM service, India)