Mobile Malware Analysis Part 4 – Intro To iOS Malware Detection

Welcome to Part 4 of the Mobile Malware Series. In this part we cover what iOS malware is and which types exist, the methods of gathering forensic information from a device, and some system files that are interesting from a forensics perspective.

In the last couple of years iOS has become an attractive target for malware developers. iPhones ship with many built-in security measures, so a working compromise is both harder to build and more valuable once it exists; in addition, many high-value individuals use iPhones, so targeting them makes sense from the attacker's point of view. Like any other device, iPhones are not without flaws, and it has been shown again and again that threat actors can compromise them and get what they want, whether that is stealing user information, surveillance, or something else.

Some of the iOS malware types are:

  • Adware – abuses the device to generate ad revenue

  • RAT – a Remote Access Trojan lets the threat actor control the device remotely

  • Spyware – steals user information; this is the most common type on iOS

Filesystem Dump

As usual in forensics, the first choice is a full filesystem dump, i.e. an image of the device. This is possible on an iOS device, but only if it is jailbroken, which is frequently not the case (and jailbreaking an evidence device modifies it), so information often has to be obtained by other methods.

iTunes Backup

If we cannot obtain an image of the device, the next best source is a backup. One can be created with tools such as idevicebackup2 from libimobiledevice. When creating the backup with idevicebackup2 we can choose between an encrypted and an unencrypted backup. Encrypted backups contain considerably more data and useful artefacts (several sensitive databases, such as Safari history and call history, are only included when backup encryption is on), so in a forensic setting we should always create encrypted backups and keep the password, since the backup has to be decrypted before analysis.

Sysdiagnose

Sysdiagnose is a utility on macOS and iOS that gathers system-wide diagnostic information. It yields a lot of useful information for forensic investigators, such as running processes, installed applications and so on.

Some useful information from sysdiagnose includes:

  • Processes

  • Network info

  • Accounts info

  • AirDrop logs

To dump the sysdiagnose logs on macOS, run sysdiagnose as root; it writes a compressed archive (by default under /var/tmp).

To trigger sysdiagnose on iOS, press and hold both Volume buttons together with the Side (Power) button for about a second and a half; the phone vibrates briefly, and after a couple of minutes the archive appears under Settings -> Privacy & Security -> Analytics & Improvements -> Analytics Data, from where it can be shared (for example via AirDrop) to the analysis machine.

After extracting the archive, we can examine the files inside it and search for forensic artifacts.

Each of these three methods has its pros and cons. A filesystem dump gives the most complete picture but requires access to a jailbroken device, and jailbreaking or dumping may alter some evidence in the process. A backup contains only a subset of the files on the device, which is nonetheless often enough to detect certain artifacts. Sysdiagnose is the easiest and quickest to obtain, but it provides fewer files than a backup or a filesystem dump.

Indicators Of Compromise (IOCs)

Before going further we need to define a couple of things, starting with Indicators of Compromise. Indicators of Compromise are pieces of data (artifacts) that identify a specific piece of malware or an intrusion.

They can be things such as:

  • File traces

  • Suspicious processes and URLs

  • Binary hashes

  • Network traffic

  • Provisioning profiles

  • Trusted certificates

IOCs enable professionals to detect intrusion attempts and other malicious activity. They are also valuable when shared with the community, so that others can improve their incident response.

To support and generalise the idea of IOCs, the STIX project was created.

STIX Framework And TAXII

STIX Framework

Structured Threat Information Expression (STIX) is a structured language for describing cyber threat information so it can be shared, stored and analysed in a consistent manner. STIX enhances an organisation's capability to defend against cyberattacks.

STIX 2.x is built from objects: domain objects such as indicator and malware, relationship objects that link them, and cyber-observable objects such as files, hashes, IP addresses and domain names, which appear inside indicator patterns.

Below is an example of a hash indicator and the malware object it describes:

{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--71312c48-925d-44b7-b10e-c11086995358",
    "created": "2017-02-06T09:13:07.243000Z",
    "modified": "2017-02-06T09:13:07.243000Z",
    "name": "CryptoLocker Hash",
    "description": "This file is a part of CryptoLocker",
    "pattern": "[file:hashes.'SHA-256' = '46afeb295883a5efd6639d4197eb18bcba3bff49125b810ca4b9509b9ce4dfbf']",
    "pattern_type": "stix",
    "indicator_types": ["malicious-activity"],
    "valid_from": "2017-01-01T09:00:00.000000Z"
}
{
    "type": "malware",
    "id": "malware--81be4588-96a8-4de2-9938-9e16130ce7e6",
    "spec_version": "2.1",
    "created": "2017-02-06T09:26:21.647000Z",
    "modified": "2017-02-06T09:26:21.647000Z",
    "name": "CryptoLocker",
    "description": "CryptoLocker is known to hold files hostage for ransom.",
    "malware_types": ["ransomware"]
}

An indicator has many fields, but the most interesting ones are name, description, pattern and indicator_types. name and description are self-explanatory; pattern is the expression that matches the observable, here the SHA-256 hash of a file; and indicator_types labels what a match means, here malicious-activity.

The malware object describes the malware that a file with that SHA-256 belongs to, CryptoLocker: its name, description and malware_types. In STIX the two objects are tied together with a relationship object of type indicates, as the next example shows.

The following is an excerpt from the mvt-indicators repository (the STIX2 feed consumed by MVT) for Operation Triangulation.

"objects": [
    {
        "type": "malware",
        "spec_version": "2.1",
        "id": "malware--01e5af02-75fd-44f4-890a-d3b6efee9c64",
        "created": "2023-10-23T15:49:48.089255Z",
        "modified": "2023-10-23T15:49:48.089255Z",
        "name": "OperationTriangulation",
        "description": "IOCs related to Operation Triangulation iOS spyware documented by Kaspersky Labs.",
        "is_family": false
    },
    {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--c5788b5b-128f-43f2-b5f5-02f8055d4700",
        "created": "2023-10-23T15:49:48.089417Z",
        "modified": "2023-10-23T15:49:48.089417Z",
        "indicator_types": [
            "malicious-activity"
        ],
        "pattern": "[domain-name:value='senlin83.com']",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": "2023-10-23T15:49:48.089417Z"
    },
    {
        "type": "relationship",
        "spec_version": "2.1",
        "id": "relationship--52da4e9a-3a22-4681-94db-e7ce3ec5b6d5",
        "created": "2023-10-23T15:49:48.09267Z",
        "modified": "2023-10-23T15:49:48.09267Z",
        "relationship_type": "indicates",
        "source_ref": "indicator--c5788b5b-128f-43f2-b5f5-02f8055d4700",
        "target_ref": "malware--01e5af02-75fd-44f4-890a-d3b6efee9c64"
    },
    {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--90a3e899-c7b8-480f-842f-86baf929a3b8",
        "created": "2023-10-23T15:49:48.093005Z",
        "modified": "2023-10-23T15:49:48.093005Z",
        "indicator_types": [
            "malicious-activity"
        ],
        "pattern": "[domain-name:value='backuprabbit.com']",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": "2023-10-23T15:49:48.093005Z"
    },
    {
        "type": "relationship",
        "spec_version": "2.1",
        "id": "relationship--824ac4a8-9fd3-4909-94ea-5f25a2665829",
        "created": "2023-10-23T15:49:48.093516Z",
        "modified": "2023-10-23T15:49:48.093516Z",
        "relationship_type": "indicates",
        "source_ref": "indicator--90a3e899-c7b8-480f-842f-86baf929a3b8",
        "target_ref": "malware--01e5af02-75fd-44f4-890a-d3b6efee9c64"
    }
...

The first object is a malware object whose name and description identify it as OperationTriangulation. The second is an indicator of type malicious-activity whose pattern matches the domain name senlin83.com. The third is a relationship object that binds the two together: the indicator (domain senlin83.com) indicates the malware OperationTriangulation. After that comes another indicator, this time for the domain backuprabbit.com, and finally another relationship that ties this indicator to the same malware object, stating that backuprabbit.com also indicates OperationTriangulation.

STIX is an extensive standard and it takes some time to get familiar with it. STIX content is designed to be shared via TAXII.

TAXII

Trusted Automated Exchange of Intelligence Information (TAXII) is an application-layer protocol for exchanging Cyber Threat Intelligence (CTI) over HTTPS. It allows STIX content to be shared between organisations.

Even though STIX and TAXII are independent standards, used together they form a powerful framework for sharing and consuming threat intelligence.

The two main concepts in TAXII are the collection and the channel. A collection is a set of STIX objects hosted and managed by a single entity, such as a security vendor or a government agency, that consumers query on request through the TAXII HTTPS API (the request-response model). A channel is the publish-subscribe model: a producer pushes objects to the channel and any number of subscribed consumers receive them.

Using STIX and TAXII improves threat intelligence sharing: STIX gives organisations a common language in which to express and exchange intelligence, and because the data is in a standard, machine-readable format it can be fed directly into detection and response tooling. The formats guarantee consistent structure, not accuracy; the quality of the intelligence still depends on its source.

Indicators Of Compromise Repositories

It is a good idea to study the published indicators of compromise for known malware. This is a valuable learning exercise, since it shows what traces the malware leaves behind and what we should search for.

There are several public repositories from which IOCs can be downloaded and viewed; the mvt-indicators repository, from which the Operation Triangulation excerpt above was taken, is one of them.

Analysing Backup Or A Filesystem Dump

After we have obtained either an image or a backup, we need to analyse it. To analyse a backup we can use tools such as mvt, created by the Amnesty International Security Lab, or analyse the files manually using tools such as those provided by libimobiledevice.
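When working without MVT, the first hurdle is that a backup does not preserve the device's directory layout: the files sit under hashed names, and Manifest.db maps them back. The following added example (not code from the original post, from libimobiledevice or from MVT) shows that mapping for some of the files discussed later in this post. It assumes an unencrypted backup, or an encrypted one that has already been decrypted (Manifest.db itself is encrypted in encrypted backups); the Manifest.db it writes into a temporary directory is a constructed stand-in for a real backup, and the AppDomain-com.example.chat entry is made up.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

# Artifacts discussed in this post, keyed the way Manifest.db keys them: (domain, relativePath).
ARTIFACTS = {
    "sms.db": ("HomeDomain", "Library/SMS/sms.db"),
    "AddressBook.sqlitedb": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "CallHistory.storedata": ("HomeDomain", "Library/CallHistoryDB/CallHistory.storedata"),
    "DataUsage.sqlite": ("WirelessDomain", "Library/Databases/DataUsage.sqlite"),
}


def backup_file_id(domain: str, relative_path: str) -> str:
    """iOS 10+ backups name every file SHA-1("<domain>-<relativePath>")."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def backup_file_location(backup_dir, file_id: str) -> Path:
    """Files live in a subdirectory named after the first two hex digits of the ID."""
    return Path(backup_dir) / file_id[:2] / file_id


def locate_artifacts(backup_dir) -> dict:
    """Resolve each wanted artifact through Manifest.db and report where it sits on disk.

    Requires a readable Manifest.db, i.e. an unencrypted backup or an encrypted one
    that has already been decrypted (for example with mvt-ios decrypt-backup).
    """
    con = sqlite3.connect(Path(backup_dir) / "Manifest.db")
    try:
        rows = con.execute("SELECT fileID, domain, relativePath FROM Files").fetchall()
    finally:
        con.close()
    index = {(domain, rel): file_id for file_id, domain, rel in rows}

    result = {}
    for name, key in ARTIFACTS.items():
        file_id = index.get(key)
        if file_id is None:
            result[name] = None  # not in this backup (unencrypted backups omit several databases)
            continue
        location = backup_file_location(backup_dir, file_id)
        result[name] = {
            "file_id": file_id,
            "path": str(location),
            "id_matches_hash": file_id == backup_file_id(*key),  # sanity check of the naming rule
            "present": location.is_file(),
        }
    return result


def build_sample_backup(backup_dir) -> None:
    """Constructed stand-in for a backup directory (sample data, not a device dump)."""
    con = sqlite3.connect(Path(backup_dir) / "Manifest.db")
    con.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    for domain, rel in [
        ("HomeDomain", "Library/SMS/sms.db"),
        ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
        ("AppDomain-com.example.chat", "Library/Preferences/com.example.chat.plist"),
    ]:
        file_id = backup_file_id(domain, rel)
        con.execute("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)", (file_id, domain, rel))
        if rel.endswith("sms.db"):  # give only sms.db a body so "present" differs between entries
            dest = backup_file_location(backup_dir, file_id)
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(b"SQLite format 3\x00")
    con.commit()
    con.close()


def demo() -> dict:
    backup_dir = Path(tempfile.mkdtemp(prefix="ios-backup-"))
    build_sample_backup(backup_dir)
    return locate_artifacts(backup_dir)


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name:24} {info}")
```

The well-known constant names of the SMS database (3d0d7e5fb2ce288813306e4d4636395e047a3d28) and the address book (31bb7ba8914766d4ba40d6dfb6113c8b614be442) in iOS backups are exactly the SHA-1 values this rule produces, which is a handy check that a backup directory is laid out the way you think it is before pointing further tooling at it.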

Mobile Verification Toolkit (MVT) is a collection of utilities designed to identify signs of compromise. It can extract artifacts from either a filesystem dump or an iTunes backup, decrypt encrypted backups, and check the extracted records against Indicators of Compromise (IOCs).

Key features of mvt are:

  • Decrypting encrypted backups

  • Processing and parsing records from numerous iOS system and app databases, logs and system analytics

  • Comparing extracted records to malicious indicators in STIX2 format

  • Generating JSON logs of extracted records and of all detected malicious traces

  • Generating a unified chronological timeline of extracted records

Interesting Files On iOS

Many files on iOS are useful for forensics. Some of them are:

  • the databases in /private/var/Keychains/Analytics/ – data about networking, certificate pinning, TLS, etc.

  • Calendar.sqlitedb – calendar events and invitations, which may contain interesting e-mail addresses

  • CallHistory.storedata – incoming and outgoing calls, including calls placed through messaging applications such as WhatsApp

  • com.apple.identityservices.idstatuscache.plist – a cache of Apple ID lookups, useful for establishing when apps such as iMessage first made contact with other registered Apple IDs

  • AddressBook.sqlitedb – the phone's address book

  • Shortcuts.sqlite – records of the Shortcuts application; useful because the app can be abused by spyware to obtain persistence

  • com.apple.osanalytics.addaily.plist – history of data usage per process, useful for tracing malicious process executions and their timeframes

  • DataUsage.sqlite – network usage per process; this database does not record Wi-Fi traffic

  • netusage.sqlite – like the previous two, contains data usage per process

  • BrowserState.db – the tabs currently open in Safari

  • /private/var/mobile/Library/Image Cache/Favicons/Favicons.db or /private/var/mobile/Containers/Data/Application/*/Library/Image Cache/Favicons/Favicons.db – mapping between favicon URLs and the page URLs that loaded them

  • /private/var/mobile/Library/Safari/History.db or /private/var/mobile/Containers/Data/Application/*/Library/Safari/History.db – Safari browsing history

  • sms.db – SMS and iMessage messages

  • TCC.db – TCC (Transparency, Consent, and Control) records: which apps have been granted which services, such as microphone, camera, etc.
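As an added example (not part of the original post or of MVT) of what "parsing records from system databases" and "a unified chronological timeline" look like in practice for two of the files listed above, the script below builds small constructed copies of DataUsage.sqlite (a simplified version of its Core Data schema, ZPROCESS and ZLIVEUSAGE) and of Safari's History.db (history_items and history_visits), converts their timestamps (seconds since 2001-01-01 UTC, as Core Data and WebKit store them) to ISO time, merges both sources into one timeline, and lists network-active processes that carry no bundle identifier for manual review. The process name updatehelperd, the domain c2.example.invalid and all timestamps are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data and WebKit store timestamps as seconds since 2001-01-01 00:00:00 UTC
# (Unix epoch + 978307200).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_iso(seconds: float) -> str:
    return (COCOA_EPOCH + timedelta(seconds=seconds)).isoformat()


def datausage_events(con: sqlite3.Connection) -> list:
    """Per-process network usage from DataUsage.sqlite (simplified ZPROCESS/ZLIVEUSAGE schema)."""
    rows = con.execute(
        "SELECT p.Z_PK, p.ZPROCNAME, p.ZBUNDLENAME, p.ZFIRSTTIMESTAMP, "
        "       u.ZTIMESTAMP, u.ZWIFIIN, u.ZWIFIOUT, u.ZWWANIN, u.ZWWANOUT "
        "FROM ZLIVEUSAGE u LEFT JOIN ZPROCESS p ON u.ZHASPROCESS = p.Z_PK"
    ).fetchall()
    events, seen = [], set()
    for pk, proc, bundle, first_seen, ts, wifi_in, wifi_out, wwan_in, wwan_out in rows:
        if pk is not None and pk not in seen:
            seen.add(pk)  # emit each process' first appearance once
            events.append({"timestamp": first_seen, "source": "DataUsage.sqlite",
                           "event": "first_seen", "process": proc, "bundle_id": bundle})
        events.append({"timestamp": ts, "source": "DataUsage.sqlite", "event": "usage",
                       "process": proc, "bundle_id": bundle,
                       "wifi_in": wifi_in, "wifi_out": wifi_out,
                       "wwan_in": wwan_in, "wwan_out": wwan_out})
    return events


def safari_events(con: sqlite3.Connection) -> list:
    """Visited URLs from Safari's History.db (history_items joined with history_visits)."""
    rows = con.execute(
        "SELECT v.visit_time, i.url, v.title FROM history_visits v "
        "JOIN history_items i ON v.history_item = i.id"
    ).fetchall()
    return [{"timestamp": ts, "source": "History.db", "event": "visit", "url": url, "title": title}
            for ts, url, title in rows]


def build_timeline(datausage_con, history_con) -> list:
    """Merge the records of both databases into one chronological timeline."""
    events = datausage_events(datausage_con) + safari_events(history_con)
    events.sort(key=lambda e: e["timestamp"])
    for e in events:
        e["iso_time"] = cocoa_to_iso(e["timestamp"])
    return events


def processes_without_bundle(timeline: list) -> list:
    """Network-active processes with no bundle ID. System daemons land here too, so this is a
    triage list to compare against IOCs and known-good names, not a verdict."""
    return sorted({e["process"] for e in timeline
                   if e["source"] == "DataUsage.sqlite" and e["bundle_id"] is None})


def build_sample_databases():
    """Constructed sample data (not from a real device) in the two schemas used above."""
    du = sqlite3.connect(":memory:")
    du.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP REAL,
                               ZTIMESTAMP REAL, ZBUNDLENAME TEXT, ZPROCNAME TEXT);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZTIMESTAMP REAL,
                                 ZWIFIIN REAL, ZWIFIOUT REAL, ZWWANIN REAL, ZWWANOUT REAL);
        INSERT INTO ZPROCESS VALUES (1, 719000000.0, 719100000.0, 'com.apple.mobilesafari', 'MobileSafari');
        INSERT INTO ZPROCESS VALUES (2, 719050000.0, 719120000.0, NULL, 'updatehelperd');
        INSERT INTO ZLIVEUSAGE VALUES (1, 1, 719100000.0, 1000000, 200000, 0, 0);
        -- cellular-only, upload-heavy traffic from a bundle-less process: worth a closer look
        INSERT INTO ZLIVEUSAGE VALUES (2, 2, 719120000.0, 0, 0, 40000, 900000);
    """)
    hist = sqlite3.connect(":memory:")
    hist.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL, title TEXT);
        INSERT INTO history_items VALUES (1, 'https://www.apple.com/');
        INSERT INTO history_items VALUES (2, 'https://c2.example.invalid/login');
        INSERT INTO history_visits VALUES (1, 1, 719000500.0, 'Apple');
        INSERT INTO history_visits VALUES (2, 2, 719050100.0, '');
    """)
    return du, hist


def demo():
    du, hist = build_sample_databases()
    timeline = build_timeline(du, hist)
    return timeline, processes_without_bundle(timeline)


if __name__ == "__main__":
    timeline, flagged = demo()
    for e in timeline:
        print(e["iso_time"], e["source"], e["event"], e.get("process") or e.get("url"))
    print("processes without bundle ID:", flagged)
```

Putting both sources on one clock is what makes the sequence readable: in the sample data the bundle-less process first shows up shortly after the visit to the suspicious URL and then produces cellular-only, upload-heavy traffic, which is the kind of pattern to take to the IOC check and to the other databases listed above.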

History

Uyghur Campaign

In 2019, Google Project Zero published the analysis of a watering-hole campaign whose exploit chains compromised iOS devices from iOS 10 all the way to iOS 12; the initial entry points were browser (Safari/WebKit) exploits. The full analysis is in the Google Project Zero post (https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html).

Pegasus V2

In 2021, Citizen Lab revealed how the FORCEDENTRY vulnerability (CVE-2021-30860) was used to exploit devices and deliver Pegasus, spyware developed by the NSO Group. FORCEDENTRY was a zero-click exploit against iMessage: the bug was in the parsing of a malicious attachment disguised as a GIF (an integer overflow in CoreGraphics' JBIG2 decoder, reached through a PDF hidden behind the GIF extension). More information is available in the Citizen Lab post (https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/) and in the Google Project Zero analysis (https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html).

Hermit

In 2022, Google wrote about Hermit, spyware distributed as a fake carrier application. The app bundled six different privilege escalation exploits: five were well-known exploits for older iOS versions, while the sixth, CVE-2021-30983, targeted the DCP (Display Co-Processor), to which most of the display driver code has been moved. The iPhone 12 and later, as well as all M1 Macs, use the DCP.

Reign

In 2023, Citizen Lab wrote about the ENDOFDAYS exploit, which was used to deliver QuaDream's spyware known as Reign. QuaDream is an Israeli company that operates in a similar way to NSO Group. The entry point was obtained by abusing the parsing of iCloud calendar invitation data on the device. More information is available at https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/

Pegasus V3

In 2023, Citizen Lab revealed yet another instance of Pegasus, this time using the PWNYOURHOME exploit. PWNYOURHOME was a two-step zero-click exploit that targets HomeKit in the first step and iMessage in the second. It was used against iOS 15 and 16. Citizen Lab also identified the FINDMYPWN exploit, deployed against iOS 15, whose first step targets the Find My feature while the second, like PWNYOURHOME, targets iMessage. More information about PWNYOURHOME and FINDMYPWN is in the Citizen Lab post (https://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/).

Operation Triangulation

In 2023, Kaspersky wrote about Operation Triangulation. Like several of the previous exploits, this one targeted iMessage. The implant also prevented iOS updates from being installed.

Pegasus V4

In September 2023, Citizen Lab published a post about the BLASTPASS exploit, which targeted the then-latest iOS (16.6) without any user interaction. The exploit abused the parsing of PassKit attachments containing malicious images, sent from an attacker-controlled iMessage account. BLASTPASS is described in the Citizen Lab post (https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/).

Attack Surfaces

As we can see, the attack surfaces vary a lot. The known exploits mostly targeted iMessage and HomeKit, but other entry points were abused as well: PassKit in BLASTPASS, Find My in FINDMYPWN (Pegasus), iCloud Calendar invitations in ENDOFDAYS (Reign), and Safari in the Uyghur watering-hole campaign.

Downloading Samples

Sometimes extraction is not possible, or we recover only a minimal set of artifacts because the malware cleans up its tracks; for example, ENDOFDAYS deleted the calendar events that served as its entry point into the system. To learn and analyse malware regardless, samples can be downloaded from sources such as MalwareBazaar and vx-underground.


Conclusion

This marks the end of the first blog post about iOS malware detection. We have learned the different methods of obtaining forensic artefacts, namely filesystem dumps, backups and sysdiagnose, and their pros and cons. We went briefly over the STIX and TAXII standards and what they offer, and we covered Indicators of Compromise, some places where they can be found, and a number of useful iOS files.

In the next blog post we will practically infect a device with malware and analyse it.

 

Originally published by 8ksecresearch: Mobile Malware Analysis Part 4 – Intro To iOS Malware Detection

Reposted by admin on 27 November 2023 at 18:18.