Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links

By Elliot Cao, Joseph C. Chen, William Gamazo Sanchez, Lilang Wu, and Ecular Xu


A recently discovered watering hole attack has been targeting iOS users in Hong Kong. The campaign uses links posted on multiple forums that supposedly lead to various news stories. While these links lead users to the actual news sites, they also use a hidden iframe to load and execute malicious code. The malicious code contains exploits that target vulnerabilities present in iOS 12.1 and 12.2. Users that click on these links with at-risk devices will download a new iOS malware variant, which we have called lightSpy (detected as IOS_LightSpy.A).
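The delivery mechanism described above (a legitimate-looking news page carrying an invisible iframe that pulls in the exploit code) is something a defender can check for when triaging links before users open them. The following script is an added example written for this summary; it is not code from Trend Micro's report or from the lightSpy campaign. It parses a page with Python's standard library, reports every iframe that is hidden through zero dimensions or inline CSS, and marks whether the iframe loads content from an origin other than the page itself. The sample page, the `news.example` and `cdn.example.invalid` hostnames and the `PAGE_URL` value are constructed for the example.

```python
"""Flag hidden iframes in an HTML page (added defensive example, not the report's own code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Constructed sample: a news-style page with one legitimate video embed,
# one zero-sized cross-origin iframe and one same-origin iframe hidden via CSS.
SAMPLE_HTML = """
<html><body>
<h1>Local news</h1>
<iframe src="https://video.news.example/embed/123" width="640" height="360"></iframe>
<iframe src="https://cdn.example.invalid/payload.html" width="0" height="0" style="display:none"></iframe>
<iframe src="/comments" style="visibility:hidden"></iframe>
</body></html>
"""

# Assumed URL of the page being scanned (constructed, not a real site).
PAGE_URL = "https://news.example/story/123"


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


# "0", "0px", "0.0%" etc. in a width/height attribute
_ZERO_ATTR = re.compile(r"^\s*0+(\.0+)?(px|pt|em|%)?\s*$")
# width:0 / height:0 inside an inline style (after spaces are stripped)
_ZERO_STYLE = re.compile(r"(?:^|;)(?:width|height):0+(?:\.0+)?(?:px|pt|em|%)?(?:;|$)")


def _is_hidden(attrs):
    """True if the iframe is sized to nothing or hidden through inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if _ZERO_STYLE.search(style):
        return True
    return any(_ZERO_ATTR.match(attrs.get(dim, "1")) for dim in ("width", "height"))


def find_suspicious_iframes(html, page_url):
    """Return the hidden iframes in `html`, each with its resolved src and
    whether that src lives on a different host than the page."""
    parser = _IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for attrs in parser.iframes:
        if not _is_hidden(attrs):
            continue
        src = urljoin(page_url, attrs.get("src", ""))  # resolve relative srcs
        src_host = urlparse(src).hostname
        findings.append({
            "src": src,
            "cross_origin": src_host is not None and src_host != page_host,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, PAGE_URL):
        flag = "CROSS-ORIGIN" if finding["cross_origin"] else "same-origin"
        print(f"hidden iframe -> {finding['src']} [{flag}]")
```

A hidden, cross-origin iframe is the combination worth escalating: same-origin hidden frames are common on legitimate sites (comment widgets, analytics), while an invisible frame pulling content from an unrelated host matches the injection pattern the campaign used. The check is deliberately conservative and only looks at inline attributes; frames hidden via external stylesheets or positioned off-screen by script would need the page rendered in a browser to catch.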


The malware variant is a modular backdoor that allows the threat actor to remotely execute shell commands and manipulate files on the affected device. This would allow an attacker to spy on a user’s device, as well as take full control of it. It contains different modules for exfiltrating data from the infected device, which includes:


Connected WiFi history
Contacts
GPS location
Hardware information
iOS keychain
Phone call history
Safari and Chrome browser history
SMS messages

Information about the user’s network environment is also exfiltrated from the target device:


Available WiFi network
Local network IP addresses

Messenger applications are also specifically targeted for data exfiltration. Among the apps specifically targeted are:


Telegram
QQ
WeChat

Our research also uncovered a similar campaign aimed at Android devices in 2019. Links to malicious .APK files were found on various public Hong Kong-related Telegram channels. These messages claimed they were for various legitimate apps, but they led to malicious apps that could exfiltrate device information, contacts, and SMS messages. We called this Android malware family dmsSpy (variants of dmsSpy are detected as AndroidOS_dmsSpy.A).


The desi ..