y Information p Center y pp Communities Blog **T H U R S D AY, JU LY 1 2, 2 0 1 8** # Advanced Mobile Malware Campaign in India uses Malicious MDM [This blog post is authored by Warren Mercer and Paul Rascagneres and Andrew Williams.](https://twitter.com/securitybeard?lang%3Den) ## SUMMARY Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices. At this time, we don't know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register. In social engineering attacks the victim is tricked into clicking accept or giving the attacker physical access to a device. This campaign is of note since the malware goes to great lengths to replace specific mobile apps for data interception. Talos has worked closely with Apple on countering this threat. Apple had already actioned 3 certificates associated with this actor when Talos reached out, and quickly moved to action the two others once Talos tied them to the threat. An MDM is designed to deploy applications on enrolled devices. In this campaign we identified five applications that have been distributed by this system to the 13 targeted devices in India. Two of them appear to test the functionality of the device, one steals SMS message contents, and the Search Blog **S UB S C R IB E TO OUR FE E D** Posts Comments [Subscribe via Email](https://www.talosintelligence.com/blog_subscription) **B LOG A R C HIV E** [▼ 2 01 8](javascript:void(0)) (102) [▼ J U LY](javascript:void(0)) (9) [Beers with Talos EP33 - Change the](https://blog.talosintelligence.com/2018/07/beers-with-talos-ep33-change.html) Conversation or... [Threat Roundup for July 6-13](https://blog.talosintelligence.com/2018/07/threat-roundup-0706-0713.html) [Advanced Mobile Malware](https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html) Campaign in India uses Mal... [Vulnerability Spotlight:](https://blog.talosintelligence.com/2018/07/vulnerability-spotlight-computerinsel-photoline.html) Computerinsel Photoline M... [Vulnerability Spotlight: Multiple](https://blog.talosintelligence.com/2018/07/vuln-spotlight-antenna.html) Antenna House Vu ----- The attacker used the BOptions sideloading technique to add features to legitimate apps, including the messaging apps WhatsApp and Telegram, that were then deployed by the MDM onto the 13 targeted devices in India. The purpose of the BOptions sideloading technique is to inject a dynamic library in the application. The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device, such as the phone number, serial number, location, contacts, user's photos, SMS and Telegram and WhatsApp chat messages. Such information can be used to manipulate a victim or even use it for blackmail or bribery. Thanks to the logs located on the MDM servers and the malware's command and control (C2) server, we were able to determine that the malware has been in use since August 2015. The campaign targeted only a few select devices (13) that are all located in India. The attacker left essential data on the servers, such as emails and usernames. As part of the attacker's development and testing it appears that they compromised their device — we observed a device named "test" or "mdmdev." The log files we identified contain the phone number of the device. The number originates from India and uses the "Vodafone India" network with roaming capability disabled. With all of this information in mind, we assume with high confidence that the malware author works out of India. MDM is becoming more popular throughout large enterprises, and users should be aware that installing additional certificates on their device to allow remote management can result in potential malicious activity. By installing a certificate outside of the Apple iOS trusted certificate chain, you may open up to possible third-party attacks like this. Users must be aware that accepting an MDM certificate is equivalent to allowing someone administrator access to their device, passwords, etc. This must be done with great care in order to avoid security issues and should not be something the average home user does. The following information warns the security community and users of how this attack works. The likely use of social engineering to recruit devices serves as a reminder that users need to be wary of clicking on unsolicited links and verify identities and legitimacy of requests to access devices. 6th [Smoking Guns - Smoke Loader](https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html) learned new tricks [► J U N E](javascript:void(0)) (15) [► M AY](javascript:void(0)) (15) [► A P RI L](javascript:void(0)) (21) [► M A RC H](javascript:void(0)) (10) [► FE BRU A RY](javascript:void(0)) (14) [► J A N U A RY](javascript:void(0)) (18) [► 2 01 7](javascript:void(0)) (172) [► 2 01 6](javascript:void(0)) (98) [► 2 01 5](javascript:void(0)) (62) [► 2 01 4](javascript:void(0)) (67) [► 2 01 3](javascript:void(0)) (30) [► 2 01 2](javascript:void(0)) (53) [► 2 01 1](javascript:void(0)) (23) [► 2 01 0](javascript:void(0)) (93) [► 2 009](javascript:void(0)) (146) [► 2 008](javascript:void(0)) (37) **R E C OM M E N DE D B LOG S** [C I S C O BL O G](https://blogs.cisco.com) Field Area Network Security Webinar – Bringing OT and IT Together [S N O RT BL O G](https://blog.snort.org/) Snort Subscriber Rule Set Update for 07/17/2018 [C L A M A V® BL O G](http://blog.clamav.net/) ----- ## IOS MDM INFRASTRUCTURE My tiny MDM ----- hxxp://www[.]wpitcher[.]com [Both servers above are based on the open-source project mdm-server — a small iOS MDM server.](https://github.com/project-imas/mdm-server) MDM allows for operating system-level control of multiple devices from a centralized location. A remote administrator can install or remove apps, install or revoke certificates, lock the device, or change password requirements, among other things. The operator is able to uninstall legitimate applications such as Telegram and WhatsApp to install the malicious versions described in the next section. ## Device enrollment Each step of the enrollment process needs some type of user interaction. That's why Talos assumes the attackers use social engineering to get victims on the MDM. The first step for enrolling a device is to install the certificate authority: ----- If the user clicks on "Allow," the following message is displayed: ----- By clicking on "Install," the signature will switch to "Verified:" ----- The device is ready to be enrolled: ----- We can control the installed profile: ----- The attacker is now able to control the device. A pop-up appears when the attacker pushes a new app to the user device. Here is an example with the compromised Telegram app mentioned later in the article: ----- This gives the attacker a significant level of control over the victim device(s). This process is used similarly to a large-scale enterprise using MDM solutions. It is likely that the user is advised that the certificate must be installed to allow enrollment. This is most likely performed via a social engineering mechanism, i.e. a fake tech support-style call. The attacker used a domain which allowed them to try and fool the user. The use of "ios-certificate update[.]com" may make it easier to reassure the user that this is normal. Since we believe this attack is targeting devices in India this is also something which a non-native English speaker may see as "normal." The certificate and update naming convention is also designed to trick the user. ## Technical information about the MDM The attacker left a lot of information behind, which allowed us to analyse files used by this MDM. First, the certificate used by the MDM: CA.crt: Serial Number: 13905745817900070731 (0xc0fb222544ceb74b) Issuer: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate update.com/emailAddress=nicholas.vukoja@mail.ru Validity Not Before: Sep 6 11:33:09 2017 GMT Not After : Sep 6 11:33:09 2018 GMT Subject: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate update.com/emailAddress=nicholas.vukoja@mail.ru ----- g gg g to point researchers toward the idea of a "classical Russian hacker." False flags are becoming more common in malware, both sophisticated and simple. It's an attempt to muddy the waters for the analysts/researchers to direct blame elsewhere. Identity.p12: Serial Number: 14177612590375883362 (0xc4c0ff88e475d262) Issuer: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate update.com/emailAddress=Aleksi.Dushku@mail.ru Validity Not Before: Jan 6 04:59:56 2018 GMT Not After : Jan 6 04:59:56 2019 GMT Subject: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate update.com/emailAddress=Aleksi.Dushku@mail.ru This is another certificate, which points to an apparent reference to Russia by using another mail.ru address. Server.csr: Subject: C=HR, ST=Hrvatska, L=Split, O=NA, OU=IT, CN=ios-certificate update.com/emailAddress=nicholas.vukoja@mail.ru In this certificate, the attacker mentioned Hrvatska ("Croatia" in the Croatian language) with the ----- ## Log analysis One of the most interesting pieces of information about the MDM is found in the log file. Because of this, we can confirm the following points: There are 13 compromised devices based off serial number All the devices are located in India (based on the phone numbers and phone providers) Phone models: iPhone 5.4, iPhone 7.2, iPhone 8.1, iPhone 8.2, iPhone 9.3, iPhone 9.4 iOS versions: 10.2.1, 10.3.1, 10.3.2, 10.3.3, 11.0, 11.0.3, 11.2.1, 11.2.5, 11.2.6 At this time, we don't know how the attacker enrolled the 13 targeted devices into the MDM. It could be through physical access to the phones, or by using social engineering, motivating the user to enroll their device. We believe the attackers used their personal phone to test the MDM because they included devices named "Test" and "mdmdev." These two devices share the same phone number and a name that is uncommon for a personal phone. The phone number originates from India and is registered on the "Vodafone India" network provider. When the device was registered on the MDM server, roaming was disabled. We assess with high confidence that the author is based out of in India. ## IOS APPLICATIONS Malicious applications using BOptions sideloading EXPLANATION ----- purpose is to inject a dynamic library into the legitimate app. The GitHub project was used by the attacker to create the malicious BOptionspro.dylib library held in the iOS package (.ipa file). The injection library can ask for additional permissions, execute code and steal information from the [original application, among other things. Milan-based technology company HackingTeam has](https://www.theregister.co.uk/2015/08/06/hacking_team_ios_trickery_outed/) previously used this technique. TELEGRAM, WHATSAPP & APPSSLOADER In this campaign we identified three compromised versions of apps using this trick hosted on the MDM server. AppsSLoader is seemingly harmless. The app was created to test the library injection. It simply opens a pop-up to the user confirming the execution of the dynamic library. This was most likely created to test the effectiveness of the library prior to malicious deployment. The compromised versions of the Telegram and WhatsApp applications used in this campaign are more interesting and relevant. They first contain the same malicious code. The purpose is to send collected data to a C2 server located at hxxp[:]//techwach[.]com. The malicious code checks permissions and asks for additional permissions if it does not already have them: ----- One of the most relevant features of these compromised versions of the applications is the Telegram and WhatsApp message stealing feature. Here is the global workflow of it: For Telegram: Opens 'tgdata.db', an SQLite3 database used by Telegram Checks for the key 'UPLOADED_CHAT' in the key store Queries "select users_v29.phone_number, users_v29.uid from users_v29;" Queries for "select messages_v29.from_id AS oid,users_v29.first_name, users_v29.last_name,users_v29.phone_number,messages_v29.message,messages_v29 .mid,messages_v29.to_id from messages_v29 join users_v29 ON (messages_v29.from_id = users_v29.uid);" Parses results, storing off counts, timestamps, and other metadata. Sends by posting to hxxp[:]//techwach[.]com Query screenshot: For WhatsApp: ----- Parses results, storing off counts, timestamps, and other metadata. Sends by posting to hxxp[:]//techwach[.]com Additionally, the malware is designed to be able to send the contacts, location, and images from the compromised device. Here is the list of the PHP pages available on the techwach C2 server: all.php dyrKztORKwVWOGo.php get.php hh.php info.php jDRucchWSoWQGpU.php UfmcRxYDaVVbrBl.php Another intriguing aspect of this malware is the way in which the malicious code achieves periodic code execution when the legitimate app bundled with it is running. One technique is to modify the app's code at runtime to execute the malicious code — this has been observed in previously analyzed iOS malware. Instead, this malware remains almost entirely independent of the app and gains execution by creating a timer that eventually executes the malicious code in a background thread. From there, it schedules tasks to be executed asynchronously in the background by leveraging the apps' background task queue. Ultimately, this means that the malicious code is invisible to the user of the app, and can be easily reused alongside any real application. PRAYTIME Talos identified another legitimate app executing malicious code during this campaign in India. ----- MYAPP MyApp is a regular iOS app. However, the application does not do anything. It has almost no code associated with it other than standard iOS app runtime code. This could potentially be another testing app, but we're unable to determine the exact use. This app is non-malicious. ## Techwach C2 server The malicious code within Telegram and WhatsApp sent collected data to the server techwach[.]com. The server has been active since August 2015. Initially, the username used on the server was arnoldrex. Subsequently, this was changed to chernobog (referencing a Slavic deity). ## CONCLUSION This investigation shows us that this attack targeted a very limited number (13) of users using iPhone devices in India. At the time, it is unclear who the targets of the campaign were, who was the perpetrator, or what the exact purpose was. It's very likely the vector for this campaign was simply social engineering - in other words asking the user to click "ok". This type of vector is very difficult to defend against since users can often be tricked into acting against their best interests. This is another important reminder that users must think twice before clicking on unsolicited links or requests and also that users should verify credentials from any unsolicited calls requesting they take action on devices ----- photos and user s location from the victim s phone. Over a three year period, the attackers remained under the radar — likely due to the low number of compromised devices. All the technical details point to an actor based in the same country as the victims: India. The attacker tried to mimic Russian hackers by using mail.ru email. However, we found testing devices enrolled on the MDM with an Indian phone number and registered on an Indian provider. Once a user has lost physical access to their phone, it's really a case of the attacker having a much easier playing field for malicious activity. The fact that the attacker was also able to get devices onto his own malicious MDM shows that the attacker was indeed motivated to obtain initial access but also to maintain persistence across the devices. ## COVERAGE Additional ways our customers can detect and block this threat are listed below. [Advanced Malware Protection (AMP) is ideally](https://www.cisco.com/c/en/us/products/security/advanced-malware-protection) suited to prevent the execution of the malware used by these threat actors. [Cisco Cloud Web Security (CWS) or Web](https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html) Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks. [Email Security can block malicious emails sent](https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html) by threat actors as part of their campaign. Network Security appliances such as Next [Generation Firewall (NGFW), Next-Generation](https://www.cisco.com/c/en/us/products/security/firewalls/index.html) [Intrusion Prevention System (NGIPS) and Meraki MX can detect malicious activity associated with](https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html) ----- products. [Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains,](https://umbrella.cisco.com/) IPs, and URLs, whether users are on or off the corporate network. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest [rule pack available for purchase on Snort.org.](https://www.snort.org/products) ## IOCS iOSApplications 329e025866bc6e88184af0b633eb3334b2e8b1c0817437c03fcd922987c5cf04 AppsSLoader.ipa aef046b67871076d507019cd87afdaeef602d1d2924b434ec1c165097b781242 MyApp.ipa 4be31095e5f010cc71cf8961f8fe3fc3ed27f8d8788124888a1e90cb90b2bef1 PrayTime.ipa 624689a1fd67891be1399811d6008524a506e7e0b262f549f5aa16a119369aef Telegram.ipa e3872bb33d8a4629846539eb859340940d14fdcf5b1c002b57c7dfe2adf52f08 Wplus.ipa MDM Domains: ios-certificate-update[.]com www[.]wpitcher[.]com C2 Domains: Voguextra[.]com ----- voguextra[.]com P O S T E D BY [P AU L RAS C AG NE RE S AT](https://www.blogger.com/profile/10073079939160046441) [3 : 0 0 P M](https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html) L ABE L S : [AP P L E, I ND I A](https://blog.talosintelligence.com/search/label/apple) [, I O S, I P H O NE, M ALWARE ANALY S I S, M ALWARE RE S E ARC H, M D M](https://blog.talosintelligence.com/search/label/iOS) S H A RE T H I S P O S T NO COMMENTS: POST A COMMENT Enter your comment... **Comment as:** [Google Account] [Google Account] ----- NE WE R P O S T S U BS C RI BE T O : [P O S T C O M M E NT S (AT O M )](https://blog.talosintelligence.com/feeds/6206155954768898771/comments/default) [H O M E](https://blog.talosintelligence.com/) O L D E R P O S T -----