Recently, news appeared about an interesting attack in which cybercriminals infect iPhone and Mac OS X users with a rather peculiar piece of malware dubbed WireLurker. You can find a thorough paper from Palo Alto here. First of all, it’s important to note that all Kaspersky Lab users are protected against this threat. The malicious files used by WireLurker are identified by our products with the following detection names:
- Mac OS X:
- Apple iOS:
Our sensors observed connections to the malicious C&C server located in Hong Kong in July, 2014. These continued throughout the following months, although the volume remains low.
Interestingly, discussions on various online forums about this subject appeared earlier this year, notably in Chinese and Korean, but also on some English resources:
On July 14th, someone named SirBlanton complained about it on a Chinese-speaking BBS:
The discussion above happened on “bbs.maiyadi.com”, which is interesting, because another subdomain on “maiyadi.com” is used by the malware as a C&C (see below).
Even earlier, on May 29th, a discussion in Korea mentioned abnormal behavior of a Mac OS X infected by this threat:
Interestingly, Mac OS X and Apple iOS are not the only platforms through which these attacks were propagated. Yesterday, our friend Jaime Blasco from Alienvault discovered a Win32 malicious tool that appears to be related.
The WireLurker Windows module
File name: 万能视频播放器 2.21.exe
MD5: fb4756b924c5943cdb73f5aec0cb7b14
Win32 WireLurker module
The file appears to have been compiled in March 2014, assuming the timestamp is not altered:
Full metadata set:
Machine Type : Intel 386 or later, and compatibles
Time Stamp : 2014:03:13 03:56:21-04:00
PE Type : PE32
Linker Version : 10.0
Code Size : 721920
Initialized Data Size : 1364480
Uninitialized Data Size : 0
Entry Point : 0xafb86
OS Version : 5.1
Image Version : 0.0
Subsystem Version : 5.1
Subsystem : Windows GUI
File Version Number : 126.96.36.199
Product Version Number : 188.8.131.52
File Flags Mask : 0x003f
File Flags : (none)
File OS : Windows NT 32-bit
Object File Type : Executable application
File Subtype : 0
Language Code : Chinese (Simplified)
Character Set : Unicode
File Description : 绿色IPA安装器
File Version : 184.108.40.206
Internal Name : 绿色IPA安装器.exe
Original Filename : 绿色IPA安装器.exe
Product Name : 绿色IPA安装器
Product Version : 220.127.116.11
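The compile time quoted above is the TimeDateStamp field of the PE file header, which whoever builds the file can set to any value. The following Python sketch is an added example, not code from the original analysis: it reads that field and flags values that cannot be genuine. The function names, the constructed sample header and the first-sighting date are assumptions made for illustration.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

def pe_compile_info(data: bytes, first_seen: Optional[datetime] = None) -> dict:
    """Return Machine and TimeDateStamp from a PE file header, plus sanity notes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine, NumberOfSections, TimeDateStamp
    machine, _sections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    built = datetime.fromtimestamp(stamp, tz=UTC)
    notes = []
    if stamp == 0:
        notes.append("timestamp zeroed")
    elif first_seen is not None and built > first_seen:
        notes.append("compiled after first sighting")
    return {"machine": machine, "compiled_utc": built.isoformat(), "notes": notes}

def constructed_header(stamp: int) -> bytes:
    """Constructed sample: a minimal DOS stub + PE signature + COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    # 2014:03:13 03:56:21-04:00 from the metadata above, expressed in UTC
    stamp = int(datetime(2014, 3, 13, 7, 56, 21, tzinfo=UTC).timestamp())
    first_seen = datetime(2014, 7, 1, tzinfo=UTC)  # assumed first-sighting date
    for s in (stamp, 0, stamp + 365 * 86400):
        print(pe_compile_info(constructed_header(s), first_seen))
```

A timestamp that passes both checks is only plausible, not proven: it still has to be weighed against other evidence such as the creation dates of embedded files.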
The internal file name is “绿色IPA安装器” which, when translated to English, means Green IPA installer. It is supposed to be an application to install IPA files on iOS devices.
Interestingly, it contains a debug path which reveals information about the build:
The application contains two IPA (Apple application archives) inside, one called “AVPlayer” and one called “apps”.
AVPlayer.app appears to be a legitimate iOS application that is used by the attackers as a decoy.
The image (icon) of the app can be seen below:
The “legit” application appears to have been authored by a popular developer going by the handle “email@example.com”.
The second IPA is more interesting. It appears to have been created in March 2014. “apps” communicates with the well-known “comeinbaby[.]com”:
The sfbase.dylib part communicates with a different C&C:
To summarize, the Win32 application described here allows the installation of the mentioned iOS payload to the victim’s iPhone. The creator likely developed it just to make sure Windows users can also get infected on their iOS devices.
Kaspersky Security Network (KSN) is a complex distributed infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world. It delivers Kaspersky Lab’s security intelligence to every partner or customer who is connected to the Internet, ensuring the quickest reaction times, lowest false positive rate and maintaining the highest level of protection. A detailed description of KSN can be found here. The chart below shows detections of WireLurker on OSX:
Over 60% of the detections are coming from China, which is to be expected.
This incident is yet another reminder of why the use of pirated software remains dangerous, no matter which platform you’re using. Downloading applications from unofficial sources, such as alternative marketplaces, file sharing websites or torrents and other P2P file sharing networks, increases the risk of malware infections. On Mac OS X for instance, it is one of the main infection vectors.
The need for anti-malware protection on Mac OS X devices cannot be overstated. It’s not only that your Mac OS X machine can get infected, but WireLurker showed us how the infection can move from your Mac to your iPhone. The good news is: there are plenty of options to choose from out there, including our own Kaspersky Internet Security for Mac.
As a first line of defense, Mac OS X users should check their Security & Privacy settings to make sure the configuration of their system is optimal. We recommend setting up Gatekeeper so that only applications downloaded from the Mac App Store and identified developers are allowed to be installed. More information on Gatekeeper can be found here.
Make sure to also check out our own guide for Mac security: 10 Simple Tips for Boosting The Security Of Your Mac
This should also be a wake-up call for Apple users and the way they think about security. Just like Mac OS X malware quickly evolved from being just a myth to becoming a sad reality, we are seeing iOS being targeted more and more often lately – with nobody being able to offer protection for this platform. Anti-malware vendors are still not allowed to develop protection for iPhone users.
In the light of recent events, will this strategy change in the future?
Indicators of compromise:
iOS trojan WireLurker: statistics and new information
Interesting post. We blogged in May 2014 on something related: an iPad that allowed a remote user to take control of the screen. See https://www.zionsecurity.com/blog/2014/5/ipad-air-spyware-help-needed-security-community
Would installing Kaspersky on the iPad reveal traces of the malware?