Malware News Advanced Mobile Malware Campaign in India uses Malicious MDM

[silversurfer]

Content source

https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html

Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices. At this time, we don't know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register. In social engineering attacks the victim is tricked into clicking accept or giving the attacker physical access to a device. This campaign is of note since the malware goes to great lengths to replace specific mobile apps for data interception. Talos has worked closely with Apple on countering this threat. Apple had already actioned 3 certificates associated with this actor when Talos reached out, and quickly moved to action the two others once Talos tied them to the threat.

An MDM is designed to deploy applications on enrolled devices. In this campaign we identified five applications that have been distributed by this system to the 13 targeted devices in India. Two of them appear to test the functionality of the device, one steals SMS message contents, and the remaining two report the location of the device and can exfiltrate various data.

The attacker used the BOptions sideloading technique to add features to legitimate apps, including the messaging apps WhatsApp and Telegram, that were then deployed by the MDM onto the 13 targeted devices in India. The purpose of the BOptions sideloading technique is to inject a dynamic library in the application. The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device, such as the phone number, serial number, location, contacts, user's photos, SMS and Telegram and WhatsApp chat messages. Such information can be used to manipulate a victim or even use it for blackmail or bribery.

[...] Cisco's Talos Intelligence Group Blog: Advanced Mobile Malware Campaign in India uses Malicious MDM

 

[upnorth]

Thanks to the logs located on the MDM servers and the malware's command and control (C2) server, we were able to determine that the malware has been in use since August 2015. The campaign targeted only a few select devices (13) that are all located in India. The attacker left essential data on the servers, such as emails and usernames. As part of the attacker's development and testing it appears that they compromised their device — we observed a device named "test" or "mdmdev." The log files we identified contain the phone number of the device. The number originates from India and uses the "Vodafone India" network with roaming capability disabled. With all of this information in mind, we assume with high confidence that the malware author works out of India.

13 iPhone devices and from 2015. I'm curious what kind of target. Private company or the government, military.

Thanks for the share @silversurfer

 

[silversurfer]

Advanced Mobile Malware Campaign in India uses Malicious MDM - Part 2

Since our initial post on malicious mobile device management (MDM) platforms, we have gathered more information about this actor that we believe shows it is part of a broader campaign targeting multiple platforms. These new targets include Windows devices and additional backdoored iOS applications. We also believe we have associated this actor with a very similar campaign affecting Android devices.

Cisco's Talos Intelligence Group Blog: Advanced Mobile Malware Campaign in India uses Malicious MDM - Part 2

 

[yitworths]

To my understanding, the hacker is gathering infos by this 'so-called' attack which is most likely a social engineering. If he/she is gathering infos remotely then for sure there must have to be an active server which is/was interacting with those compromised devices. Why still that server couldn't be identified? I mean in detail, obviously researcher can get domain's name or nameserver. & if it's a case of social engineering, then the captive portal is most likely to occur & that hacker must have to be very close to the target (I'm considering it's on-air attack). Can't anyone of those victim remember where(at what place) anything awkward happens to their devices? I still don't understand why so low amount of devices were targeted. Anyhow, very awkward attack...this attack technique ain't new but the situation is. I'm still baffled... & if those devices were compromised because of device owner's stupidity, then I just hope in future there will be some patch for human stupidity:emoji_fingers_crossed:.