Recently, our analysts discovered new malware for iOS that is disguised as a Skype application and is used in the series of targeted attacks known as Inception. It targets jailbroken devices and lets an attacker perform a large number of functions, including installing further malicious programs on the device and extracting various confidential information from it.

We added the first modification of this malware to our database as iOS/Cloudatlas.A. It was distributed through a third-party application store and could be installed on the system using the well-known Cydia software. The Skype icon shown below is used to deceive the user and is located inside the application container. The iOS/Cloudatlas.A file came to us as a Debian-format package (distribution); applications are distributed via Cydia as such .deb packages.

Fig. The SkypeUp icon on the compromised device belongs to iOS/Cloudatlas.A.
The application is installed in the /Applications system directory under the name SkypeUp.app. The Mach-O executable itself is copied to /usr/bin/ and emits a large amount of debugging information, which is written to a separate log file and sent via FTP to the attacker's remote server. The full project path embedded in the file is as follows:
/Volumes/Developer/iOS/JohnClerk/Apps/SkypeUpdate/WhatsAppUpdate
The file also lists the various project source and object files that went into building it:
/Volumes/Developer/iOS/JohnClerk/Apps/SkypeUpdate/WhatsAppUpdate/ViewController.m
/Volumes/Developer/iOS/JohnClerk/Apps/SkypeUpdate/WhatsAppUpdate/AppDelegate.h
/Volumes/Developer/iOS/JohnClerk/Apps/SkypeUpdate/build/SkypeUp.build/Debug-iphoneos/SkypeUp.build/Objects-normal/armv7/ViewController.o
/Volumes/Developer/iOS/JohnClerk/Apps/SkypeUpdate/build/SkypeUp.build/Debug-iphoneos/SkypeUp.build/Objects-normal/armv7/AppDelegate.o
/Volumes/Developer/iOS/JohnClerk/Apps/SkypeUpdate/build/SkypeUp.build/Debug-iphoneos/SkypeUp.build/Objects-normal/armv7/ImageView.o
/Volumes/Developer/iOS/JohnClerk/Apps/SkypeUpdate/build/SkypeUp.build/Debug-iphoneos/SkypeUp.build/Objects-normal/armv7/main.o
/Volumes/Developer/iOS/JohnClerk/Apps/Syscat/
/Volumes/Developer/iOS/JohnClerk/Apps/Syscat/t_function.c
/Volumes/Developer/iOS/JohnClerk/Apps/Syscat/AESCrypt-ObjC-master/NSData+CommonCrypto.m
/Volumes/Developer/iOS/JohnClerk/Apps/Syscat/build/Syscat.build/Release-iphoneos/Syscat.build/Objects-normal/armv7/t_function.o
/Volumes/Developer/iOS/JohnClerk/Apps/Syscat/build/Syscat.build/Release-iphoneos/Syscat.build/Objects-normal/armv7/NSData+CommonCrypto.o
/Volumes/Developer/iOS/JohnClerk/Apps/Syscat/build/Syscat.build/Release-iphoneos/Syscat.build/Objects-normal/armv7/SGetFileByRegular.o
/Volumes/Developer/iOS/JohnClerk/Apps/Syscat/build/Syscat.build/Release-iphoneos/Syscat.build/Objects-normal/armv7/SGetCommonCFG.o
iOS/Cloudatlas.A specializes in identifying the device model and collecting detailed information about the device:
- The device model, covering all models of iPhone, iPad, iPod Touch and Apple TV.
- System information: device name, version, processor information, memory size, free space, time zone, MAC address.
- Mobile network information: phone number, the SIM card's ICCID, InternationalRoamingEDGE.
- Information related to the user's iTunes account, including the Apple ID and user settings for the iTunes Store and the backup service.
- All available information about the user's contacts (name, phone number, e-mail address, date of birth, etc.), retrieved with a dedicated SQL query.
- The user's browsing history in Safari.

Fig. Part of the information collected.
In addition, the malware can receive commands to download other unwanted or malicious programs from a remote server and then install them on the system. The analysis shows that iOS/Cloudatlas.A assumes the user has Cydia installed, as mentioned at the beginning: the remotely received unwanted programs are installed through Cydia. Cloudatlas uses the /var/root/Media/Cydia/AutoInstall directory, a Cydia feature for automatically installing Debian packages (.deb files). This directory is documented in the Cydia reference material and is normally used to install programs manually on a jailbroken iOS device. The malware also uses Cydia's "dpkg -i" command to install a .deb package into the system.
Earlier this year we wrote several times (here and here) about emerging malware for iOS. In fact, all of it affects only jailbroken devices, since jailbreaking gives full access to the system, bypassing the restrictions imposed by iOS. We categorically do not recommend that users perform such an operation on their devices and expose them to undue risk.
The analyzed sample has the following SHA-256: 0a9474c994adba4da87fe3e2d2e687e7b61ff0d6aa8b01f2542d5362be1478af.
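The indicators described above (the SkypeUp.app bundle in /Applications, an executable dropped into /usr/bin, .deb packages queued in Cydia's AutoInstall directory, and the published SHA-256) can be checked offline with a small shell sweep. The script below is an added example written for this page, not code from the original post or from the analysts' tooling. It assumes a filesystem root to scan: "/" when run on the jailbroken device itself, or the mount point of a device image or backup pulled for analysis. Because the post does not name the executable placed in /usr/bin, every regular file in that directory is hashed against the published SHA-256 instead of matching on a filename. The directory layout created in the test is constructed sample data.

```shell
#!/bin/sh
# Added example: offline IoC sweep for iOS/Cloudatlas.A over a filesystem root.
# ROOT is "/" on the device itself or the mount point of an image/backup (assumption).

# SHA-256 of the analysed sample as published in the post.
CLOUDATLAS_SHA256="0a9474c994adba4da87fe3e2d2e687e7b61ff0d6aa8b01f2542d5362be1478af"

# Portable SHA-256 of one file: sha256sum (Linux), shasum (macOS), openssl as fallback.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# scan_cloudatlas ROOT: prints one "finding: ..." line per matched indicator and
# returns the number of findings (0 means nothing matched).
scan_cloudatlas() {
  root="${1%/}"
  hits=0

  # 1. Fake Skype bundle installed under the system Applications directory.
  if [ -d "$root/Applications/SkypeUp.app" ]; then
    echo "finding: $root/Applications/SkypeUp.app present (Cloudatlas.A bundle name)"
    hits=$((hits + 1))
  fi

  # 2. Any file in /usr/bin whose SHA-256 equals the published sample hash.
  if [ -d "$root/usr/bin" ]; then
    for f in "$root/usr/bin"/*; do
      [ -f "$f" ] || continue
      if [ "$(file_sha256 "$f")" = "$CLOUDATLAS_SHA256" ]; then
        echo "finding: $f matches the Cloudatlas.A SHA-256"
        hits=$((hits + 1))
      fi
    done
  fi

  # 3. Packages waiting in Cydia's AutoInstall drop directory. The directory is meant
  #    for manual, one-off installs, so anything queued there deserves a look.
  auto="$root/var/root/Media/Cydia/AutoInstall"
  if [ -d "$auto" ]; then
    for deb in "$auto"/*.deb; do
      [ -f "$deb" ] || continue
      echo "finding: queued package $deb in Cydia AutoInstall"
      hits=$((hits + 1))
    done
  fi

  return "$hits"
}

# count_cloudatlas_findings ROOT: prints the number of findings as a plain integer.
count_cloudatlas_findings() {
  scan_cloudatlas "$1" | grep -c '^finding:' || true
}

# Usage: sh cloudatlas_sweep.sh /mnt/device_image
if [ "$#" -gt 0 ]; then
  scan_cloudatlas "$1"
fi
```

The hash check is the only indicator that identifies this specific sample; the bundle name and the AutoInstall contents are triage hints that warrant inspection rather than proof of infection, since a legitimately queued package would also appear there.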