Hyper Focused iPhone Hacking Campaign That Dropped Malicious Apps via MDM Potentially Part of a Broader Campaign
Earlier this month, a highly focused social engineering attack against a targeted group of iPhone users was discovered. Running through bogus Mobile Device Management (MDM) servers, attackers were found infecting iPhones in a highly sophisticated attack. Using physical access and/or social engineering tricks, certificates from two rogue MDM servers were installed on targeted iPhones and then attackers pushed out modified versions of legitimate apps, including WhatsApp and Telegram, to spy on their targets.
These modified apps were deployed on 13 iPhones via bogus MDM systems, with hackers ultimately getting the ability to track their targets' locations and read their communications. While it was believed to be a limited attack targeting only a handful of victims in India, it now appears that the campaign could be much broader than previously believed.
Another malicious MDM discovered; more apps modified to steal data
In a fresh report today, Cisco's Talos writes that what was believed to have been an iPhone-focused threat is potentially "part of a broader campaign targeting multiple platforms," including Windows devices and a similar campaign affecting Android devices, as well.
"The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device, such as the phone number, serial number, location, contacts, user's photos, SMS, and Telegram and WhatsApp chat messages," Talos researchers had written in their initial post on the threat. "Such information can be used to manipulate a victim or even use it for blackmail or bribery."
While initially two MDM servers were used in the attack, researchers have now identified a third MDM server that it believes was also used by this actor. These now include:
- ios-update-whatsapp[.]com (new)
While the attack eventually lets attackers spy and track their targets as much as they want, they do need a carefully crafted social engineering campaign to trick users into giving up control. Since most of this spying occurs because of modified applications, victims should receive alerts that would warn them. However, since users are voluntarily downloading these apps believing them to be legit, it is likely they would consider these alerts to be not-so-alarming, as well.
In today's report, researchers said that they identified two other malicious Telegram and WhatsApp apps, along with identifying a fake application that was cloning IMO. In the latest findings, they also discovered a malicious Safari application that has been developed from scratch and based on three open-source projects: SCSafariPageController, SCPageViewController and SCScrollView.
The purpose of this browser is to steal sensitive information from the infected device. First, the app sends the universally unique identifier (UUID) of the device to the C2 server. Based on the server response, the malicious browser will send additional information, such as the user's contact information (picture, name, email, postal address, etc.), the user's pictures, the browser's cookies and the clipboard.
The malware checks for a file named "hib.txt," and if the file doesn't exist on the device, it displays an iTunes login page in an attempt to harvest the user's login credentials. Upon entering the credentials, the email address and password are sent to the C2 server. Additionally, these credentials get written into the file and the user is considered "signed in."
Using this browser, attackers are also able to steal passwords if they find the user logging into their Google, Yahoo, Amazon, Pinterest, Reddit, and a number of other accounts.
Potential threat actor behind this targeted iPhone hack
Talos reveals that an actor has been operating these malicious MDMs for many years. Based on indicators, they thought that the latest campaign was potentially linked to a threat actor known as "Bahamut" that was previously targeting Android devices.
"The new MDM platform we identified has similar victimology with Middle Eastern targets, namely Qatar, using a U.K. mobile number issued from LycaMobile. Bahamut targeted similar Qatar-based individuals during their campaign."
"Based on previous research regarding the Bahamut group and our research, we believe the observed infrastructure is not limited to iOS targets, but is part of a broader framework that supports Apple iOS and Windows platforms," the researchers said.
They concluded that the actor is likely based in India, and while its operation seems similar to Bahamut and "they may even be connected," at this point, it can't be said "with high confidence" if this is indeed Bahamut
One thing is certain. that a well-funded group is behind this campaign. "To be infected by this kind of malware, a user needs to enroll their device," researchers wrote, adding that it "means they should be on the lookout at all times to avoid accidental enrollment."