Fortinet’s FortiGuard Lab team has analysed the recently discovered cyber espionage operation and the iOS malware related to it.
What is the threat?
Trend Micro discovered two new kinds of iOS malware that appear to be carefully designed to spy on the victim’s iOS device. The first sample is small and only records sound. Note that the recording is not uploaded anywhere; it remains on the device.
The second sample is more advanced and responds to various commands, such as exfiltrating SMS text messages, contacts, pictures, geo-location data, etc. The collected information is sent to a remote C&C server over HTTP.
Does it work on any iOS device?
The malware has been written for iOS 7.1 and will not work on earlier OS versions. It does support iOS 8, but not as well: for instance, it does not manage to hide its application icon, so it is less stealthy there.
The second, more complex sample should work on non-jailbroken phones. To be precise, it did not launch on the test phone in our lab, but we believe it can.
The iOS device gets infected in one of three ways: the attacker physically installs the malware on the victim’s phone (“evil maid”), the app is delivered through Apple’s ad hoc provisioning, or the device is infected over a USB connection to an already infected PC or Apple device.
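Of the three infection vectors above, ad hoc provisioning leaves a tangible trace on the device: every app installed outside the App Store carries an embedded provisioning profile, and that profile says how the app was distributed. The following is an added example, not code from Fortinet or Trend Micro, that reads a profile and classifies it as app-store, ad hoc, enterprise or development so that a defender reviewing a device inventory can spot side-loaded apps. It relies on Apple’s documented profile keys (ProvisionsAllDevices, ProvisionedDevices, get-task-allow, ExpirationDate); the sample profile blob, team name, UDID and bundle identifier are all constructed placeholders, and the CMS signature around a real profile is not verified.

```python
import plistlib
from datetime import datetime, timezone


def extract_profile_plist(raw: bytes) -> dict:
    # A .mobileprovision file is a CMS (PKCS#7) signed DER blob with the XML
    # plist embedded in cleartext, so a byte search is enough to read it.
    # The CMS signature is NOT verified here; use platform tools for that.
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found in profile blob")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    # Apple's profile keys: ProvisionsAllDevices marks an in-house (enterprise)
    # profile; ProvisionedDevices lists the UDIDs an ad hoc or development
    # profile is pinned to; get-task-allow (debuggable) separates development
    # from ad hoc. An App Store profile carries neither device restriction.
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "app-store"


def assess_profile(raw: bytes) -> dict:
    # Summarise the profile for an inventory review: distribution kind, signer,
    # app identifier, and findings a defender would want to triage.
    profile = extract_profile_plist(raw)
    kind = classify_profile(profile)
    findings = []
    if kind in ("ad-hoc", "enterprise", "development"):
        findings.append(f"{kind} profile: app was not delivered through the App Store")
    devices = profile.get("ProvisionedDevices", [])
    if devices:
        findings.append(f"profile is pinned to {len(devices)} device UDID(s)")
    expires = profile.get("ExpirationDate")
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    if expires is not None and expires < now:
        findings.append("profile has expired")
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "device_count": len(devices),
        "findings": findings,
    }


# Constructed sample: an ad hoc profile pinned to a single (placeholder) UDID.
_SAMPLE_PLIST = plistlib.dumps({
    "Name": "Example Ad Hoc Profile",
    "TeamName": "Example Team (constructed)",
    "ProvisionedDevices": ["00000000-EXAMPLE-UDID-0000000000000001"],
    "Entitlements": {
        "application-identifier": "EXAMPLE123.com.example.app",
        "get-task-allow": False,
    },
    "ExpirationDate": datetime(2030, 1, 1, 0, 0, 0),
    "Version": 1,
})
# Arbitrary bytes around the plist stand in for the CMS envelope of a real file.
SAMPLE_PROFILE_BLOB = b"\x30\x82\x0b\x00" + _SAMPLE_PLIST + b"\x00\x00"

if __name__ == "__main__":
    report = assess_profile(SAMPLE_PROFILE_BLOB)
    print(report["kind"], report["team"], report["app_id"])
    for line in report["findings"]:
        print(" -", line)
```

On a real device the profile is the embedded.mobileprovision file inside the app bundle, which an MDM or device-inventory export can supply; running this classifier over every installed app’s profile turns “was anything installed via ad hoc provisioning?” into a list that can be checked against the organisation’s known in-house apps.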
What is Operation Pawn Storm?
It is a cyber-espionage operation that specifically targets military officials, governments and defence industries in various countries (Austria, France, Hungary, Pakistan, the USA and more).
To meet its goal, the operation uses different methods:
- Malware. Propagation of a Windows malware family named SEDNIT/Sofacy that steals system information and keystrokes. This malware is typically sent as an email attachment or served from compromised websites.
- Phishing websites. Links in emails read through Outlook Web App (OWA) redirect to phishing websites that lure the victim into entering his or her credentials.
According to Trend Micro, these iOS malware samples are yet another method the operation uses to spy on its targets.
What does Fortinet do about this threat?
Fortinet detects both samples as iOS/PawnStorm.A!tr.spy and .B. Moreover, the C&C server hardcoded in those samples is now down.