Analysis of an Info Stealer — Chapter 2: The iOS App

Introduction

This is the second part of the article series: “Analysis of an Info Stealer”. In this chapter, I will analyze the iOS info stealer app, which was delivered through the phishing website discussed in the preceding article. If you haven’t had the chance to read the first article and you are curious about the distribution methods of this malicious app, you can catch up by reading it here:

Preface

Reversing an iOS app presents its own set of challenges and differs from reversing an Android app (which is definitely easier, for a variety of reasons). In light of this, I decided to write this article with a twofold objective:

  • To continue the analysis of this malicious campaign and examine the entire attack chain.
  • To explain some basics and share some ‘tricks’ I use to speed up and improve the efficiency of iOS app analysis.

Technical Analysis

In the previous chapter, I showed the iOS app download process, highlighting the specific use of an enterprise certificate. This certificate is installed before the .ipa file is downloaded and is used by the threat actors to have the app verified as legitimate.

Figure 1 — Malicious app verified using an enterprise certificate

Now that the malicious app is installed on the iPhone, the first step is to dump the .ipa file with frida dump in order to start the static analysis.

“A .ipa file is an iOS and iPadOS application archive file which stores an iOS/iPadOS app. Files with the .ipa extension can be uncompressed by changing the extension to .zip and unzipping.”

Static Analysis

After downloading and unzipping the .ipa file, the structure shown in Figure 2 (on the left) reveals the main files for analysis. Specifically, I will focus on:

  • Info.plist, the file that stores settings and other data in a key-value format (Figure 2 — on the right).
  • viewer, the Mach-O (Mach-Object) executable; Mach-O is the native executable format on macOS and iOS, and this file contains the code of the app.
Figure 2 — .ipa file structure (on the left) and the content of the Info.plist (on the right)

The Info.plist file provides valuable information, including:

  • CFBundleDisplayName: Telegram Viewer is the user-visible name of the bundle, shown on the iOS Home screen.
  • CFBundleExecutable: viewer is the name of the bundle’s executable file.
  • CFBundleIdentifier: com.cafe24.viewer is an identifier string that uniquely identifies the app bundle.
  • CFBundleSupportedPlatforms: iPhoneOS specifies the platforms the app is designed to run on.
  • MinimumOSVersion: 14.0 specifies the minimum operating system version required to run the app.
  • NSContactsUsageDescription: "" specifies the message that tells the user why the app is requesting access to their contacts. Its presence means that, when the app is launched, users can expect a prompt asking for permission to access the contacts on their iPhone; here the message is empty.
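To pull these fields out of an .ipa automatically, here is an added Python triage script (my own example, not code from the article or from the malware): it opens the archive, parses Payload/*.app/Info.plist, hashes the CFBundleExecutable, and flags privacy usage-description keys, in particular ones left empty like NSContactsUsageDescription above. The sample .ipa it builds is constructed to mirror the plist values shown in Figure 2; the stub executable is not the real binary.

```python
import hashlib
import io
import plistlib
import zipfile

# Mach-O magic values as they appear on disk (64-bit, 32-bit, fat/universal).
MACHO_MAGICS = (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
# Privacy keys whose presence means the app will prompt for that data at runtime.
USAGE_KEYS = ("NSContactsUsageDescription", "NSPhotoLibraryUsageDescription",
              "NSCameraUsageDescription", "NSLocationWhenInUseUsageDescription")


def triage_ipa(ipa_bytes: bytes) -> dict:
    """Parse the app's Info.plist, hash its Mach-O and flag permission prompts."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        # The app's own Info.plist sits directly in Payload/<name>.app/; bundled
        # frameworks ship deeper ones, so require exactly two slashes in the path.
        plist_name = next(n for n in z.namelist()
                          if n.startswith("Payload/") and n.endswith(".app/Info.plist")
                          and n.count("/") == 2)
        info = plistlib.loads(z.read(plist_name))
        app_dir = plist_name.rsplit("/", 1)[0]
        exe = z.read(f"{app_dir}/{info['CFBundleExecutable']}")
    return {
        "display_name": info.get("CFBundleDisplayName"),
        "bundle_id": info.get("CFBundleIdentifier"),
        "executable": info["CFBundleExecutable"],
        "min_os": info.get("MinimumOSVersion"),
        "is_macho": exe[:4] in MACHO_MAGICS,
        "executable_md5": hashlib.md5(exe).hexdigest(),
        "permissions": {k: info[k] for k in USAGE_KEYS if k in info},
        # An empty usage string is a red flag: the app wants the data but gives
        # the user no reason, exactly what Figure 2 shows for contacts.
        "empty_usage_descriptions": [k for k in USAGE_KEYS
                                     if k in info and not str(info[k]).strip()],
    }


def build_sample_ipa() -> bytes:
    """Constructed sample archive mirroring the plist values from Figure 2."""
    info = {"CFBundleDisplayName": "Telegram Viewer", "CFBundleExecutable": "viewer",
            "CFBundleIdentifier": "com.cafe24.viewer",
            "CFBundleSupportedPlatforms": ["iPhoneOS"], "MinimumOSVersion": "14.0",
            "NSContactsUsageDescription": ""}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/viewer.app/Info.plist", plistlib.dumps(info))
        z.writestr("Payload/viewer.app/viewer", b"\xcf\xfa\xed\xfe" + b"\x00" * 60)  # stub
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_ipa(build_sample_ipa()).items():
        print(f"{key}: {value}")
```

Run it against a real dump by replacing build_sample_ipa() with the bytes of the .ipa; the executable_md5 can then be compared with the IoC hash at the end of the article.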

In the context of iOS app development, the “CF” prefix stands for “Core Foundation.” Core Foundation is a C-based framework in macOS and iOS that provides fundamental data types and services for applications. The “NS” prefix stands for “NeXTSTEP,” the original name of the framework that evolved into Cocoa, the primary application framework on macOS and iOS. Keys with the “NS” prefix are often related to configuration and permissions.

To analyze the viewer file, I used Ghidra. Before delving into the code analysis, I ran a Ghidra script developed by Laurie Wired, named “”. This script improves code readability by demangling Swift symbols, making the code more accessible for in-depth examination. (If you have dealt with reversing C++ code, you have most likely already used the demangling feature.)

Figure 3 — Comparison between “normal” and demangled decompiled code

Since the amount of code in Ghidra is quite large, strings are a good starting point for the static analysis. From the analysis of the Info.plist file we know that the app accesses the user’s contacts, so the “phone” string is a good candidate.

Figure 4 — String search inside Ghidra

Starting from this function (Figure 4) and using Ghidra’s “Find References to” feature, it is possible to identify what should be the “core” function of the malware, FUN_1000111e4(void); so let’s break it down.

  • The CNContactStore object represents the user’s contacts database; it is used to fetch information from that database and save changes back to it.
  • authorizationStatusForEntityType returns the current authorization status for accessing the contact data.
Figure 5 — Code of the FUN_1000111e4 function

With these two lines of code, the malware checks whether it has access to the user’s contacts, verifying if the required permission was granted during the app’s launch.

Going a little further down in the code (Figure 6), it is possible to observe that:

  • CNContactStore: see above.
  • PTR__CNContactFamilyNameKey, PTR__CNContactGivenNameKey and PTR__CNContactPhoneNumberKey appear to be pointers to the objects representing the familyName, givenName and phoneNumber keys of the CNContact object.
  • CNContactFetchRequest is an object that defines the options to use when fetching contacts.
  • initWithKeysToFetch creates a fetch request for the specified keys.
Figure 6 — Fetching contacts data code

In summary, this piece of code fetches the contact data (first name, last name and phone number) from the CNContactStore object and stores the result in a variable.

Another interesting string to search for is “https://”, in order to obtain the Command and Control (C2) server’s URL as well as other details such as the paths and parameters used.

Figure 7 — String search inside Ghidra

In fact, analyzing the code, the following information can be extracted:

  • The URL of the C2 server is: https:]api.]telegraming.]pro
  • The paths used are: getregistertoken and getuploadtoken
  • The Alamofire library is used to manage the HTTP communication. This can also be seen from the large number of references within the code or through Ghidra’s “Symbol Tree” window.
Figure 8 — Alamofire library

Dynamic Analysis

With an overview of the malware’s functionality gained from the static analysis, let’s proceed to the dynamic analysis using Frida, Objection and Burp, aiming to further analyze:

  • how the malware works “in action”
  • which directories and files are used
  • the network traffic

When launching the “Telegram Viewer” app, users are presented with a prompt asking for permission to access contacts, a behavior anticipated from the earlier static analysis.

Figure 9 — Launching of the malicious app

If the user grants permission, they are then prompted to enter a phone number and are shown a button labeled “Open Album.” It is worth noting that the use of the term “album” in this context could be a copy-and-paste error, particularly considering that other apps in this campaign masquerade as secret album management apps.

Figure 10 — Malicious app “in action”

Once the button is pressed, however, the following POST requests are made:

  • /getregistertoken: the network, iPhone model, victim phone number and iOS version are sent to the C2 server.
  • /getuploadtoken: one POST request is sent for each contact saved on the device, carrying its first name, last name and phone number (as seen in the static analysis section).
Figure 11 — Data sent to the C2 server
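To turn the two endpoints above into a detection, here is an added Python example (my own, not code from the article): it scans HTTP proxy log lines for POSTs to the C2 host and its getregistertoken/getuploadtoken paths and, since each /getuploadtoken request carries one contact, counts how many contacts each client exfiltrated. The log format is an assumption and the sample lines are constructed; the host and paths are the IoCs from the article.

```python
import re
from collections import defaultdict

# IoCs from the article (written defanged there as https:]//api.]telegraming.]pro).
C2_HOST = "api.telegraming.pro"
C2_PATHS = {"/getregistertoken": "device registration",
            "/getuploadtoken": "contact upload"}

# Assumed proxy log format: "<timestamp> <client_ip> <METHOD> <url> <status>".
LOG_RE = re.compile(
    r"^(\S+) (\S+) (GET|POST|PUT) (https?://([^/\s]+)(/[^\s?]*)?)\S* (\d{3})$")


def match_c2(line: str):
    """Return (client_ip, path, description) for a request to the C2, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, client, method, _url, host, path, _status = m.groups()
    path = path or "/"
    # Only POSTs to the known host and known paths count as C2 traffic.
    if method == "POST" and host.lower() == C2_HOST and path in C2_PATHS:
        return client, path, C2_PATHS[path]
    return None


def summarize(lines):
    """Per client: whether it registered with the C2 and how many contacts it uploaded."""
    report = defaultdict(lambda: {"registered": False, "contacts_uploaded": 0})
    for line in lines:
        hit = match_c2(line)
        if hit is None:
            continue
        client, path, _desc = hit
        if path == "/getregistertoken":
            report[client]["registered"] = True
        else:  # /getuploadtoken: one request per exfiltrated contact
            report[client]["contacts_uploaded"] += 1
    return dict(report)


# Constructed sample log lines (not real captured traffic).
SAMPLE_LOG = [
    "2024-01-13T12:00:01Z 10.0.0.5 POST https://api.telegraming.pro/getregistertoken 200",
    "2024-01-13T12:00:02Z 10.0.0.5 POST https://api.telegraming.pro/getuploadtoken 200",
    "2024-01-13T12:00:02Z 10.0.0.5 POST https://api.telegraming.pro/getuploadtoken 200",
    "2024-01-13T12:00:03Z 10.0.0.5 POST https://api.telegraming.pro/getuploadtoken 200",
    "2024-01-13T12:00:04Z 10.0.0.7 GET https://api.telegram.org/bot/getMe 200",
    "2024-01-13T12:00:05Z 10.0.0.7 POST https://api.telegraming.pro/getregistertoken 200",
]

if __name__ == "__main__":
    for client, stats in summarize(SAMPLE_LOG).items():
        print(client, stats)
```

A client that registered but uploaded zero contacts most likely denied the contacts prompt; a high upload count tells you how much of the address book left the device.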

Another way to intercept communications and/or extract useful information is through Frida. In particular, frida-trace is very useful for dynamically tracing method calls. For instance, in this case we know that the app uses Alamofire to handle communication, so with the following command we can trace some methods of this library.

frida-trace -U "Telegram Viewer" -m "-[Alamofire.SessionDelegate URLSession*]"

The -m option filters the Objective-C methods that will be traced by a method signature pattern. In this case, the pattern "-[Alamofire.SessionDelegate URLSession*]" tells frida-trace to include the instance methods of the Alamofire.SessionDelegate class whose names start with URLSession.

After running the command and launching the malicious app, Frida auto-generates one JavaScript handler per traced method in a directory called __handlers__. These scripts are a solid starting point: edit them to print the information you need (for example the request URL and body) as output.

Figure 12 — Example of output of a modified __handlers__ script

Lastly, another interesting tool to use during dynamic analysis is Objection, which can be used, for instance, to retrieve the directories associated with the app via the env command. This prints the locations of the application’s Library, Caches and Documents directories. Although in some cases it is possible to retrieve interesting files and data this way, in this case I did not find any useful information 🙁

Figure 13 — Objection “env” command output

Conclusions

In conclusion, the analysis of the iOS info stealer app, discovered through the phishing website outlined in the previous article, has shown how this malware steals the contacts and other personal information from the victims’ infected iPhones.

Lastly, I hope you’ll find this short article useful as a starting point for analyzing an iOS malware app. Stay tuned for the next article!

Indicators of Compromise (IOCs)

File Name: Telegram Viewer.ipa
Md5: 660ccad4b26abc543e64fe2319ae5771

iOS Mach-O Binary Name: viewer
Md5: 47f2c25499473a82348d1a1568c6b591

C2 Server: https:]//api.]telegraming.]pro

Originally published by Fr4: Analysis of an Info Stealer — Chapter 2: The iOS App

Copyright notice: posted by admin on January 13, 2024 at 12:21 PM.
Please credit when reposting: Analysis of an Info Stealer — Chapter 2: The iOS App | CTF导航