While monitoring the network traffic of our own corporate Wi-Fi network dedicated for mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), we noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise.

We are calling this campaign “Operation Triangulation”, and all the related information we have on it will be collected on the Operation Triangulation page. If you have any additional details to share, please contact us:

Mobile device backups contain a partial copy of the filesystem, including some of the user data and service databases. The timestamps of the files, folders and database records allow one to roughly reconstruct the events that happened to the device. The mvt-ios utility produces a sorted timeline of events in a file called “timeline.csv”, similar to the super-timeline used by conventional digital forensic tools. Using this timeline, we were able to identify specific artifacts that indicate the compromise. This allowed us to move the research forward and to reconstruct the general infection sequence:

- The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.
- Without any user interaction, the message triggers a vulnerability that leads to code execution.
- The code within the exploit downloads several subsequent stages from the C&C server, including additional exploits for privilege escalation.
- After successful exploitation, a final payload is downloaded from the C&C server; it is a fully-featured APT platform.
- The initial message and the exploit in the attachment are deleted.

The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting. The oldest traces of infection that we discovered happened in 2019. As of the time of writing in June 2023, the attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7.

The analysis of the final payload is not finished yet. The code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server.

It is important to note that, although the malware includes portions of code dedicated specifically to clearing the traces of compromise, it is possible to reliably identify whether the device was compromised. Furthermore, if a new device was set up by migrating user data from an older device, the iTunes backup of that device will contain the traces of compromise that happened to both devices, with correct timestamps.

Preparation

All potential target devices must be backed up, either using iTunes or the open-source utility idevicebackup2 (from the package libimobiledevice). The latter is shipped as a pre-built package with the most popular Linux distributions, or can be built from the source code for macOS/Linux.

To create a backup with idevicebackup2, run the following command:

    idevicebackup2 backup --full $backup_directory

You may need to enter the security code of the device several times, and the process may take several hours, depending on the amount of user data stored on it.

Once the backup is ready, it has to be processed by the Mobile Verification Toolkit. If Python 3 is installed in the system, run the following command:

A more comprehensive installation manual is available on the MVT homepage.

If the owner of the device has set up encryption for the backup previously, the backup copy will be encrypted. In that case, the backup copy has to be decrypted before running the checks:

    mvt-ios decrypt-backup -d $decrypted_backup_directory $backup_directory

Parse the backup using MVT

    mvt-ios check-backup -o $mvt_output_directory $decrypted_backup_directory

This command will run all the checks by MVT, and the output directory will contain several JSON and CSV files. For the methodology described in this blogpost, you will need the file called timeline.csv.

The single most reliable indicator that we discovered is the presence of data usage lines mentioning the process named “BackupAgent”. This is a deprecated binary that should not appear in the timeline during regular usage of the device. However, it is important to note that there is also a binary named “BackupAgent2”, and that is not an indicator of compromise.
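The following script is an added example, not code from the Kaspersky write-up or from the MVT project. It applies the indicator described above to a timeline.csv: it keeps only data-usage rows whose process name is exactly “BackupAgent”, so that the unrelated “BackupAgent2” binary and filesystem paths that merely contain the string are not reported. The column layout (UTC Timestamp, Plugin, Event, Description), the “Datausage” plugin label and the shape of the description strings are assumptions about MVT’s output, and the sample rows are constructed for the example rather than taken from a real device.

```python
import csv
import io
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample in the layout of an MVT timeline.csv (assumed columns:
# UTC Timestamp, Plugin, Event, Description). None of these rows come from a
# real device; they only illustrate the cases the filter has to separate.
SAMPLE_TIMELINE = """\
"UTC Timestamp","Plugin","Event","Description"
"2021-10-05 09:12:44.000000","Datausage","datausage","SpringBoard (Bundle ID: com.apple.springboard, ID: 111) WIFI IN: 1024, WIFI OUT: 512 - WWAN IN: 0, WWAN OUT: 0"
"2021-10-05 09:13:01.000000","Datausage","datausage","BackupAgent2 (Bundle ID: , ID: 222) WIFI IN: 0, WIFI OUT: 0 - WWAN IN: 0, WWAN OUT: 0"
"2021-10-05 09:13:07.000000","Datausage","datausage","BackupAgent (Bundle ID: , ID: 223) WIFI IN: 2048, WIFI OUT: 40960 - WWAN IN: 0, WWAN OUT: 0"
"2021-10-05 09:13:09.000000","Filesystem","file_modified","/constructed/example/path/BackupAgent"
"""

# Assumed description format: the process name is the first token, followed
# by the parenthesised bundle/process identifiers.
PROC_RE = re.compile(r"^(?P<proc>\S+)\s+\(")


def data_usage_process(description: str) -> Optional[str]:
    """Extract the process name from a data-usage description, if present."""
    m = PROC_RE.match(description)
    return m.group("proc") if m else None


def find_backupagent_hits(rows: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (timestamp, description) for data-usage rows of 'BackupAgent'.

    Two exclusions matter: rows from other plugins (a filesystem path that
    merely contains the string is not the indicator), and the distinct
    'BackupAgent2' binary, which is why an exact comparison is used instead
    of a substring search.
    """
    hits = []
    for row in rows:
        if (row.get("Plugin") or "").lower() != "datausage":
            continue
        if data_usage_process(row.get("Description") or "") == "BackupAgent":
            hits.append((row["UTC Timestamp"], row["Description"]))
    return hits


def scan_timeline_text(text: str) -> List[Tuple[str, str]]:
    """Scan timeline content held in memory (used for the sample below)."""
    return find_backupagent_hits(csv.DictReader(io.StringIO(text)))


def scan_timeline_file(path: str) -> List[Tuple[str, str]]:
    """Scan a timeline.csv written by 'mvt-ios check-backup'."""
    with open(path, newline="", encoding="utf-8") as fh:
        return find_backupagent_hits(csv.DictReader(fh))


if __name__ == "__main__":
    # On a real case, replace the sample with scan_timeline_file(path).
    for ts, desc in scan_timeline_text(SAMPLE_TIMELINE):
        print(f"[{ts}] {desc}")
```

Run against the sample, only the third row is reported; the BackupAgent2 row and the filesystem row are ignored. A single hit is worth verifying against the surrounding rows in the timeline (message attachments, later file activity) rather than treated as a verdict on its own.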