How can MDM be used for spying?

MDM (Mobile Device Management) solutions for managing mobile fleets are becoming more and more popular in small, medium and large enterprises. Security teams must keep in mind the danger of an employee enrolling a mobile device in a rogue MDM system, because that is exactly the unusual incident described here. Experts from the Cisco Talos group have detected malware installed on 13 Apple devices since 2015. Most probably the iPhones were taken over by a social engineering attack, and the enrollment did not attract the attention of the administrators at the compromised company.

A free MDM server from GitHub

In the end, it is not known how the devices were enrolled in the free MDM system. Usually this requires either physical access to the device or sending the user an e-mail with a link to install the client, personalized and clearly identifying the company. Is taking physical control of the device more likely than using social engineering to get the MDM client installed?

Experts have determined that the attacker used the domain "ios-certificate-update[.]com", which points to a social engineering attack. The authors of the report give yet another argument in favour of social engineering: the domain is made of English words, which may look normal to a local Indian employee who does not know English.

MDM installation

Installing a certificate that is not trusted by Apple gave the attacker, as the MDM server administrator, unrestricted access to the phone.

Deployed MDM client

The analysis showed that:

  • Based on the serial numbers, there are 13 compromised devices.
  • Based on the phone numbers and carriers, all of the phones were found to be located in India.
  • Infected models are: iPhone 5.4, iPhone 7.2, iPhone 8.1, iPhone 8.2, iPhone 9.3, iPhone 9.4
  • iOS versions on infected devices: 10.2.1, 10.3.1, 10.3.2, 10.3.3, 11.0, 11.0.3, 11.2.1, 11.2.5, 11.2.6
  • To test the MDM system, the attacker used personal phones: two of them shared the same phone number and used the accounts "test" and "mdmdev".
  • The attacker's phone number was Indian and registered with the Vodafone India network.
  • Roaming was disabled on the attacker's phone, so it is highly probable that the criminal was in India during the attack.

Five infected legitimate applications

In this campaign, five entirely legitimate applications were identified (Telegram, WhatsApp, AppsSLoader, PrayTime and MyApp) that were remotely installed on the 13 devices and trojanized with the BOptions technique. The attackers used the same method as the Hacking Team group, which we wrote about on the occasion of antivirus tests and exploit trading on the Tor network.

BOptions was used to inject malicious code into the installed applications. In addition to its normal functions, an infected program carries out extra commands: it steals phone numbers, SMS messages, photos, chat history from other messengers and any other data the criminal is interested in. Information obtained this way can be used against the enterprise, for blackmail or extortion.

Experts were able to determine that the malware has been in use since August 2015, so it went unnoticed for three years. The attacker left important data on the MDM server, including a self-signed SSL certificate issued in September 2017 to the Russian e-mail address nicholas.vukoja@mail.ru. The attack also used a certificate signed by Comodo for the e-mail address Aleksi.Dushku@mail.ru.

A detailed analysis showed that the attacker was not from Russia but operated under a false flag, imitating the classic "Russian hacker".

CA.crt:

Serial Number: 13905745817900070731 (0xc0fb222544ceb74b)
Issuer: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/[email protected]

Validity
  Not Before: Sep  6 11:33:09 2017 GMT
  Not After : Sep  6 11:33:09 2018 GMT
Subject: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/[email protected]

Identity.p12:

Serial Number: 14177612590375883362 (0xc4c0ff88e475d262)
Issuer: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/[email protected]

Validity
  Not Before: Jan  6 04:59:56 2018 GMT
  Not After : Jan  6 04:59:56 2019 GMT
Subject: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/[email protected]

Server.csr:

Subject: C=HR, ST=Hrvatska, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/[email protected]
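
The certificate summaries above are the kind of artifact an analyst gets from an MDM server or from a profile pushed to a phone. As an added example (not code from the article or from the Talos report), the Python below parses that OpenSSL text layout, reports whether issuer and subject DNs are identical, how long each artifact is valid, and which distinct values the subject attributes take across the set; it embeds the three dumps above as constructed sample input with the e-mail address replaced by the placeholder REDACTED, because the page does not show it.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the CA.crt, Identity.p12 and Server.csr fields listed
# on the page, with the e-mail address replaced by a placeholder since the page does
# not show it. These are text summaries only; no key material is involved.
CERT_DUMPS = {
    "CA.crt": """
Serial Number: 13905745817900070731 (0xc0fb222544ceb74b)
Issuer: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=REDACTED
Validity
  Not Before: Sep  6 11:33:09 2017 GMT
  Not After : Sep  6 11:33:09 2018 GMT
Subject: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=REDACTED
""",
    "Identity.p12": """
Serial Number: 14177612590375883362 (0xc4c0ff88e475d262)
Issuer: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=REDACTED
Validity
  Not Before: Jan  6 04:59:56 2018 GMT
  Not After : Jan  6 04:59:56 2019 GMT
Subject: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=REDACTED
""",
    "Server.csr": """
Subject: C=HR, ST=Hrvatska, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=REDACTED
""",
}


def parse_dn(dn):
    """Split an OpenSSL one-line DN into a dict. Older OpenSSL prints the
    emailAddress attribute after a '/', so both ', ' and '/' act as separators."""
    fields = {}
    for item in re.split(r",\s*|/", dn.strip()):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_time(text):
    """Parse 'Sep  6 11:33:09 2017 GMT' (OpenSSL validity format) into an aware UTC datetime."""
    cleaned = " ".join(text.replace("GMT", "").split())
    return datetime.strptime(cleaned, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_dump(text):
    """Pull serial, issuer, subject and validity window out of an 'openssl x509 -text'
    style summary. Fields missing from the input (as in a CSR) are simply absent."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Serial Number:"):
            info["serial"] = line.split(":", 1)[1].split()[0]
        elif line.startswith("Issuer:"):
            info["issuer"] = parse_dn(line.split(":", 1)[1])
        elif line.startswith("Subject:"):
            info["subject"] = parse_dn(line.split(":", 1)[1])
        elif line.startswith("Not Before:"):
            info["not_before"] = parse_time(line.split(":", 1)[1])
        elif line.startswith("Not After"):
            info["not_after"] = parse_time(line.split(":", 1)[1])
    return info


def assess(certs):
    """Summarize each artifact: issuer CN, whether issuer and subject DNs are identical
    (a self-signed root, or a certificate issued under the same private name; a DN
    comparison alone cannot tell those apart, that needs the key identifiers or a
    signature check), and the length of the validity window in days."""
    report = {}
    for name, dump in certs.items():
        cert = parse_dump(dump)
        entry = {
            "issuer_cn": cert.get("issuer", {}).get("CN"),
            "self_signed_dn": (cert["issuer"] == cert["subject"]) if "issuer" in cert else None,
            "days_valid": None,
        }
        if "not_before" in cert and "not_after" in cert:
            entry["days_valid"] = (cert["not_after"] - cert["not_before"]).days
        report[name] = entry
    return report


def subject_values(certs, attribute):
    """Distinct values of one subject attribute across all artifacts; inconsistent
    C= values between the CA, the identity certificate and the CSR are worth noting."""
    return sorted({parse_dump(d)["subject"].get(attribute, "") for d in certs.values()})


def valid_at(certs, name, iso_utc):
    """True if the named certificate's validity window covers the given UTC instant."""
    cert = parse_dump(certs[name])
    when = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return cert["not_before"] <= when <= cert["not_after"]


if __name__ == "__main__":
    for name, entry in assess(CERT_DUMPS).items():
        print(name, entry)
    print("C= values seen:", subject_values(CERT_DUMPS, "C"))
```

Run against the sample, the report shows the same private CN as issuer on both certificates and one-year windows, and the country attribute takes two different values (CR and HR) across the set; a profile whose trust anchor looks like this, rather than chaining to a public CA, is what a security team should be asking questions about.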

Malicious code running inside the Telegram and WhatsApp applications spied on users and sent saved chats to the techwach.com server; this C&C server had been in operation since August 2015. Initially the attacker logged in under the name "arnoldrex", later changing it to "charnobog", a name taken from the Slavic deity Czarnobóg.

The social engineering infection vector is still effective

Keeping a cool head remains essential when acting on instructions that may have been sent by an attacker. This attack vector is not hard to recognize, but we cannot rule out the use of a favourite social engineering method, the watering hole, which involves attacking or impersonating a service or people the victim is in frequent contact with. We cannot exclude that this is how the criminals persuaded the iPhone users to install the MDM client. Thanks to this, the criminal, acting as the system administrator, gained unrestricted insight into the information stored on the phones and stayed undetected for three whole years, probably because of the small number of infected devices. In this case, however, it is not quantity that counts but quality. Who knows who these devices belonged to...

IoC:

  • 329e025866bc6e88184af0b633eb3334b2e8b1c0817437c03fcd922987c5cf04 AppsSLoader.ipa
  • aef046b67871076d507019cd87afdaeef602d1d2924b434ec1c165097b781242 MyApp.ipa
  • 4be31095e5f010cc71cf8961f8fe3fc3ed27f8d8788124888a1e90cb90b2bef1 PrayTime.ipa
  • 624689a1fd67891be1399811d6008524a506e7e0b262f549f5aa16a119369aef Telegram.ipa
  • e3872bb33d8a4629846539eb859340940d14fdcf5b1c002b57c7dfe2adf52f08 Wplus.ipa

MDM domains:

  • ios-certificate-update[.]com
  • www[.]wpitcher[.]com

C&C domains:

  • Voguextra[.]com
  • Techwach[.]com
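
To make the indicators above directly usable, here is an added example (not code from the article or from Talos) that loads the five hashes and four defanged domains listed on this page, refangs the domains, and checks them against a constructed DNS resolver log and a set of file blobs. Domain matching walks label suffixes rather than searching substrings, so a subdomain of an indicator hits but a look-alike that merely contains the indicator does not; hash lookup is case-insensitive. The log lines and file bytes are constructed for the example and are not from the page.

```python
import hashlib
import re

# IoCs exactly as listed on the page: SHA-256 of the trojanized .ipa files and the
# defanged MDM / C&C domains.
IOC_SHA256 = {
    "329e025866bc6e88184af0b633eb3334b2e8b1c0817437c03fcd922987c5cf04": "AppsSLoader.ipa",
    "aef046b67871076d507019cd87afdaeef602d1d2924b434ec1c165097b781242": "MyApp.ipa",
    "4be31095e5f010cc71cf8961f8fe3fc3ed27f8d8788124888a1e90cb90b2bef1": "PrayTime.ipa",
    "624689a1fd67891be1399811d6008524a506e7e0b262f549f5aa16a119369aef": "Telegram.ipa",
    "e3872bb33d8a4629846539eb859340940d14fdcf5b1c002b57c7dfe2adf52f08": "Wplus.ipa",
}
IOC_DOMAINS_DEFANGED = [
    "ios-certificate-update[.]com",
    "www[.]wpitcher[.]com",
    "Voguextra[.]com",
    "Techwach[.]com",
]

# Constructed sample DNS resolver log (not from the page or the Talos report).
SAMPLE_DNS_LOG = """\
2018-07-12T09:15:02Z client=10.0.0.23 qtype=A name=www.apple.com
2018-07-12T09:15:09Z client=10.0.0.23 qtype=A name=techwach.com
2018-07-12T09:16:41Z client=10.0.0.57 qtype=A name=mdm.ios-certificate-update.com.
2018-07-12T09:17:03Z client=10.0.0.23 qtype=A name=voguextra.com.lookalike.example
"""


def refang(domain):
    """Turn 'Techwach[.]com' into 'techwach.com': undo the [.] defanging, lower-case,
    and drop the trailing dot that some resolver logs print on fully qualified names."""
    return domain.strip().replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def match_domain(name):
    """Return the IoC domain that `name` equals or is a subdomain of, else None.
    Walking the label suffixes means 'voguextra.com.lookalike.example' does not
    match 'voguextra.com' the way a naive substring search would."""
    labels = refang(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_dns_log(text):
    """Return (client, queried name, matched IoC) for every log line that resolves
    an IoC domain or one of its subdomains."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"client=(\S+).*?\bname=(\S+)", line)
        if not m:
            continue
        matched = match_domain(m.group(2))
        if matched:
            hits.append((m.group(1), m.group(2), matched))
    return hits


def lookup_hash(hexdigest):
    """Case-insensitive SHA-256 lookup; returns the IoC file name or None."""
    return IOC_SHA256.get(hexdigest.strip().lower())


def scan_files(files):
    """files: iterable of (path, bytes). Hash each blob and report IoC matches."""
    hits = []
    for path, data in files:
        matched = lookup_hash(hashlib.sha256(data).hexdigest())
        if matched:
            hits.append((path, matched))
    return hits


if __name__ == "__main__":
    for client, name, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} resolved {name} -> IoC {ioc}")
    # No real sample is embedded, so this constructed blob cannot match anything.
    print(scan_files([("backup/Telegram.ipa", b"constructed placeholder bytes")]))
```

On the sample log the scan flags two clients: one resolving techwach.com directly and one resolving a host under ios-certificate-update.com (the trailing dot is normalized away), while the look-alike name that only contains voguextra.com is ignored. For a real hunt, feed scan_files the .ipa backups or app bundles pulled from the fleet and point scan_dns_log at the resolver or proxy logs covering the period since August 2015.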
