The operation uses three known attack vectors: spear phishing emails, a network of phishing websites that use typo-squatted domains (editor's note: links that are very similar to well-known website links and which could be typed by mistake, such as micrsoft.com), and malicious iframes injected into legitimate websites.
The actors of Pawn Storm are so called as they tend to target a lot of pawns in the hopes they come close to their actual high-profile targets. When they finally successfully infect a high profile target, they might decide to move their next pawn forward: advanced espionage malware. Trend Micro has also discovered an interesting poisoned pawn—spyware specifically designed for espionage on iOS devices. While spyware targeting Apple users is highly notable by itself, this particular spyware is also involved in a targeted attack.
It is believed the iOS malware gets installed on already compromised systems, and it is very similar to the next-stage SEDNIT malware Trend Micro found for Microsoft Windows systems. Two malicious iOS applications were found in OPS. One is called XAgent and the other one uses the name of a legitimate iOS game, MadCap.
XAgent is designed to work specifically with iOS 7, which is still on one of every five iPhones and iPads. iOS 8 users will see multiple notifications that the phone is trying to install an app, and it cannot run without the user launching the app. Both tools have the ability to record audio, which suggests the targeting of offline and confidential information.
Following analysis, Trend Micro concluded that both applications are related to SEDNIT, spyware that aims to steal personal data, record audio, take screenshots, and send them to a remote command-and-control (C&C) server. Some of the data theft capabilities include:
· Collecting text messages, contact lists, pictures and geo-location data
· Starting voice recording
· Getting lists of installed apps and running processes
· Recording the Wi-Fi status
There may also be other methods of infection that are used to install this particular malware. One possible scenario is infecting an iPhone after connecting it to a compromised or infected Windows laptop via a USB cable.
More information on the malware can be found on Trend Micro’s blog.