Malware Targeting iOS

Introduction

Devices and interconnectivity are the pipelines which drive the data into cyberspace, and in turn, the users consume this data to perform different tasks in the digital age. The security of devices and networks is essential as they are the first defenders of cyberspace. Bad actors often target systems and networks with malware and ransomware, these attacks are differently motivated, but all wreak havoc upon the system and can impact individuals and organisations alike. Mobile users worldwide prefer iOS or Android, but both operating systems are vulnerable to cyberattacks these days. Some of these attacks go undetected for a long time.

Op Triangulation 

As reported by Kaspersky, While monitoring the network traffic of their own corporate Wi-Fi network dedicated to mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), Kaspersky noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS devices from the inside, they created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise. This is known as Operation Triangulation and has been in action since 2019 and got detected in 2023.

The Malware

A portion of the filesystem, including some of the user data and service databases, is included in mobile device backups. The files, directories, and database entries’ timestamps make it possible to reconstruct the events that happened to the device roughly. The “timeline.csv” file created by the mvt-ios software contains a sorted timeline of events that is comparable to the super-timeline utilised by traditional digital forensic tools. Pinpointing particular artefacts that show the compromise using this timeframe. This made it possible to advance the research and reassemble the broad infection sequence:

• Through the iMessage service, a message with an attachment containing an exploit is delivered to the target iOS device.
• The message initiates a vulnerability that results in code execution without any user input.
• The exploit’s code downloads multiple additional stages, including additional exploits for privilege escalation, from the C&C server.
• After successful exploitation, a fully functional APT platform is downloaded as the final payload from the C&C server.
• The first message and the attachment’s exploit are removed

The lack of persistence support in the harmful toolset is most likely a result of OS restrictions. Multiple devices’ timeframes suggest that after rebooting, they might get infected again. The earliest signs of infection that we found date to 2019. The most recent version of the devices that have been successfully attacked as of the time of writing in June 2023 is iOS 15.7.

The final payload analysis is still ongoing. The programme executes with root rights, implements a set of commands for gathering user and system data, and can run any code downloaded as plugin modules from the C&C server.

Malicious Domains

Using the forensic artefacts, it was possible to identify the domain name set used by the exploits and further malicious stages. They can be used to check the DNS logs for historical information and to identify the devices currently running the malware:

• addatamarket[.]net
• backuprabbit[.]com
• businessvideonews[.]com
• cloudsponcer[.]com
• datamarketplace[.]net
• mobilegamerstats[.]com
• snoweeanalytics[.]com
• tagclick-cdn[.]com
• topographyupdates[.]com
• unlimitedteacup[.]com
• virtuallaughing[.]com
• web-trackers[.]com
• growthtransport[.]com
• anstv[.]net
• Ans7tv[.]net

Safeguards for iOS users

Despite its world-class safety and privacy architecture, iOS is vulnerable to a few attacks; the following steps can be undertaken to safeguard iOS users –

• Keeping Device updated
• Security patches
• Disabling iMessage would prevent Zero clicks exploits or the Triangulation attacks
• Paying zero attention to unwanted, unsolicited messages
• The user should make sure that any application they are downloading or installing; it should be from a trusted source ( This Zero click attack does not occur by any other means, It exploits / it targets software vulnerabilities in operating systems networks and applications)
• Being cautious with the messaging app and emails
• Implement device restrictions (management features like parental control and restrictions over using necessary applications)

Conclusion

Operation Triangulation is one of the recent operations combating cyber attacks, but such operations are launched nearly daily. This is also due to a rapid rise in internet and technology penetration across the world. Cyberattacks have taken a new face as they have evolved with the new and emerging technology. The influence of the Darknet has allowed many hackers to remain on the black hat side due to easy accessibility to illegal tools and material over the dark net, which facilitates such crimes.