Have you heard of Operation Pawn Storm? It is an active economic and political cyber-espionage operation that targets a wide range of entities, including the military, governments, defense industries, and the media. This group of connected threat actors uses three known attack vectors: spear-phishing emails; a network of phishing websites that use typo-squatted domains and a clever but simple OWA trick to fool victims; and malicious iframes injected into legitimate websites. The Pawn Storm actors tend to first move a lot of pawns in the hope that they come close to their actual, high-profile targets. When they finally succeed in infecting a high-profile target, they may decide to move their next pawn forward: advanced espionage malware.
While researching Operation Pawn Storm, Trend Micro discovered an interesting poisoned pawn: spyware specifically designed for espionage on iOS devices. While spyware targeting Apple users is highly notable by itself, this particular spyware is also involved in a targeted attack.
The iOS malware found belongs to this advanced, next-stage category. It is believed to be installed on already compromised systems, and it is very similar to the next-stage SEDNIT malware Trend Micro found for Microsoft Windows systems. Two malicious iOS applications were found in Operation Pawn Storm. One is called XAgent and the other uses the name of a legitimate iOS game, MadCap. XAgent is designed to work specifically with iOS 7, which still runs on one of every 5 iPhones and iPads. Fortunately, on iOS 8 devices the user will see multiple notifications that the phone is trying to install an app, and the app cannot run unless the user launches it. Both tools have the ability to record audio, which is very intrusive and strongly suggests the targeting of offline and confidential information.
Following analysis, Trend Micro concluded that both are applications related to SEDNIT – which is a spyware that aims to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server. Some of the data theft capabilities include:
· Collect text messages
· Get contact lists
· Get pictures
· Collect geo-location data
· Start voice recording
· Get a list of installed apps
· Get a list of processes
· Obtain Wi-Fi status
There may also be other infection methods used to install this particular malware. One possible scenario is infecting an iPhone after it is connected via a USB cable to a compromised or infected Windows laptop.
More information on the malware can be found on Trend Micro’s blog.