
WireLurker: A New Age In Mac OSX, iOS Malware

WireLurker authors are likely independent individuals based in China who are Mac development experts and cybercrime amateurs.

Individuals just beginning to dabble in cybercrime are ushering in a new age of iOS and Mac OSX malware, according to research released Wednesday by Palo Alto Networks. The new malware, dubbed WireLurker, has been in active development for months, has infected probably hundreds of thousands of OSX and iOS devices, but has not yet done any real damage.

The WireLurker attackers "probably aren't people who do this often," says Ryan Olson, intelligence director of Palo Alto Networks' Unit 42. They are "clearly very skilled MacOS or iOS developers," but they definitely are not very experienced in writing malware.

The WireLurker attackers seem to have been fiddling with the malware without a coherent plan of attack in place. The only data they ever extracted was information to help distribute the malware -- device IDs and contact lists, not SMS message content or other sensitive data. They didn't employ some basic cybercrime best practices -- like obfuscation and encrypting command-and-control traffic -- until version 3.

Nevertheless, they created a threat unlike anything Mac users have had to contend with before.

The attackers Trojanized 467 OSX apps on the Maiyadi App Store, a third-party Mac app store in China that's particularly good at stocking pirated software. Palo Alto estimates that "almost all" of the Mac apps uploaded to Maiyadi between April 30 and June 11 were infected with WireLurker. Olson says Maiyadi was abused but not compromised: the attackers most likely infected the applications and uploaded them themselves, rather than somehow infecting apps that had been uploaded by others. All told, those Trojanized apps were downloaded more than 356,000 times.

Though WireLurker does infect OSX laptop and desktop machines, the ultimate target seems to be iOS devices. When the two are connected through USB, the OSX machine looks for certain apps on the iOS device and pulls them onto the OSX machine, which replaces certain components of each app with malware and pushes it back to the iOS device. This is only the second malware that attacks iOS through OSX via USB, and it is the first to automate generation of malicious iOS apps through this binary file replacement tactic.
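The binary replacement tactic described above swaps components inside an app that was previously trusted, so the defensive check is an integrity baseline: record a digest of every file in the bundle when it is known-good, and compare later to find replaced, added or removed components. The following is an added example (not code from the article or from Palo Alto Networks) that builds such a manifest and diffs it; the bundle layout, file contents and the "replaced executable" scenario are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(bundle: Path) -> dict:
    """Map each file's bundle-relative POSIX path to its SHA-256 digest."""
    manifest = {}
    for path in sorted(bundle.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(bundle).as_posix()] = hash_file(path)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report components added, removed or modified relative to the known-good baseline.

    A 'modified' entry is exactly the signal a component-replacement attack leaves:
    the file path is unchanged but its content digest is not.
    """
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake app bundle, then tamper with it.

    The bundle name, paths and byte contents are invented for this example; a real
    deployment would store the baseline manifest off-device and re-check on schedule.
    """
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "Example.app"
        macos_dir = bundle / "Contents" / "MacOS"
        macos_dir.mkdir(parents=True)
        (macos_dir / "Example").write_bytes(b"original executable bytes (constructed)")
        (bundle / "Contents" / "Info.plist").write_bytes(b"<plist/>")
        baseline = build_manifest(bundle)

        # Simulate the tactic: the main executable is swapped and a helper library dropped in.
        (macos_dir / "Example").write_bytes(b"replaced executable bytes (constructed)")
        (macos_dir / "helper.dylib").write_bytes(b"dropped library (constructed)")
        return diff_manifest(baseline, build_manifest(bundle))


if __name__ == "__main__":
    print(demo())
```

The manifest approach complements, rather than replaces, platform code signing: a signature check tells you whether the current contents match what the signer sealed, while a baseline diff tells you whether they match what you installed, which catches a re-signed or differently signed bundle as well.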

One of the newer versions of WireLurker infects iOS in a way that is "weird by any account," says Olson. Apple has an enterprise provisioning system that businesses can use to develop proprietary applications and distribute them through their company machines without having to go through the App Store. The third version of WireLurker was able to "infect" non-jailbroken iOS devices with an app that was signed with an Apple enterprise provisioning certificate -- but it wasn't malware. It was a legitimate app from a comic book company.

"So this was probably a test," says Olson, and the next step would be to deploy a malicious or infected certified application. In the meantime, Apple has revoked the cert, but WireLurker has proven that non-jailbroken iPhones can be infected in this manner.

The importance of WireLurker is not WireLurker specifically but that "the use of all these techniques... is really new and different for Mac," Olson says. Nevertheless, "I don't think this is going to be a huge widespread problem." Apple is still largely protected by the tight control it has over its app stores, "but they're not immune."

As for who created WireLurker, Palo Alto's best guess is that this is one individual or a small group of individuals operating within China, independently of any nation-state. They could be a startup malware house, so to speak, in the new financially motivated, politically independent cybercrime underground growing behind the Great Wall. Trend Micro outlined the nature of this burgeoning industry in a September report.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Christian Bryant, User Rank: Ninja
11/10/2014 | 3:20:41 AM
Any OS is Vulnerable
Illustrated here is that any OS is vulnerable. For a long time there was this odd chant about GNU Linux being not hackable. We all knew that was not entirely the case, but played along. The truth is, as this article demonstrated, there is a way to exploit any system to get that first foot in the door. We need to stop seeing software as hackable/not hackable. Everything can be hacked, some easier than others, but anyone can be a victim. Unless you're running OpenVMS, of course. Don't even try anything with a solid OpenVMS box :-)