Your Malware Would Like To Phone a Friend

Threat Advisory: Operation Pawn Storm

In October 2014, Trend Micro disclosed a widespread malware campaign called Operation Pawn Storm. On Wednesday, Trend Micro released an update on how threat actors are using new tactics to improve the effectiveness of this campaign (or at least a new campaign which is using the same XAgent malware). Lacoon is providing this threat advisory to ensure you have as much information as possible about these developments.

What is Operation Pawn Storm?

Operation Pawn Storm is a campaign to steal valuable information from high-profile economic and political targets. Victims have included military and embassy personnel, and employees of firms with defense contracts with the United States and its allies including defense contractor ACADEMI, formerly known as Blackwater. Groups that oppose the Russian government, international media outlets, and other multinational companies have also been targeted.

What’s new about Wednesday’s disclosure?

The campaign originally used JavaScript code to gain access to a targeted victim’s Outlook Web Access session on desktop machines, but it has evolved to include iOS devices, both jailbroken and non-jailbroken. This means any iOS device can be the target of an attack.

Furthermore, Trend Micro believes the campaign has expanded to include mobile devices of those who associate with primary targets. XAgent is delivered using several different methods, including phishing attacks based on a technique called island hopping. Essentially, phones of friends and associates of the true target are first infected and then used to pass on the spyware link. It’s based on the assumption that the target is more likely to click on links from people they know than from strangers.

Infecting the devices of colleagues, friends and family increases a threat actor’s ability to gather sensitive, valuable information. For example, threat actors could use device microphones to capture private conversations, or could exfiltrate SMS or email messages between a target and his or her associates.

How do mobile devices become compromised?

Trend Micro’s October disclosure says Operation Pawn Storm targets desktop computers and iOS devices by infecting its victims with an advanced mRAT (Mobile Remote Access Trojan) called XAgent. The campaign uses two different iOS agents, one for devices that have been jailbroken and, importantly, one for devices that have not been jailbroken.

  • IOS_XAGENT.A – used for devices that have not been jailbroken.
  • IOS_XAGENT.B – used for devices that have been jailbroken; it uses the name of a legitimate iOS game called MadCap.

The agent that doesn’t require a jailbroken iOS device exploits a built-in iOS feature that can bypass Apple’s sandboxing framework. Like many recent (and more advanced) strains of mobile malware, this agent was signed with an enterprise certificate, which is what allows it to be installed without going through the App Store.

Regarding the actual vectors of attack, Operation Pawn Storm is very flexible:

  • Spear-phishing emails
  • Phishing websites (one-click install by tapping a malicious link)
  • Malicious iframes inserted into various websites

What does Operation Pawn Storm do to an infected device?

Once a device has been infected, a number of files and data types can be extracted:

  • SMS messages
  • Contact lists
  • Pictures stored on the device
  • Geo-location data
  • List of installed apps
  • List of running processes
  • Wi-Fi connection status (perhaps used to avoid detection through excessive mobile data consumption)
  • Sound recordings by activating the microphone

It’s important to note that the attack affects iOS 7 and iOS 8 users slightly differently. It is most dangerous on iOS 7, where it hides its icon to evade detection. On iOS 8 its icon is not hidden, and the process must be manually launched again after each reboot, so the infection effectively has to be re-established every time.

That said, more than a quarter of iOS devices are still running iOS 7, leaving tens of millions of users vulnerable. Furthermore, this suggests the attack was designed before the release of iOS 8 and could be modified to be more surreptitious on iOS 8 as well.

Are Lacoon customers protected?

Yes. Lacoon protects iOS users from both variants of the Operation Pawn Storm attack. Lacoon detects and immediately alerts on applications signed with an enterprise certificate. If an attack is in progress on an iOS device, Lacoon detects the event and alerts both the user and the organization’s security personnel about the threat.
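The detection idea above, an alert on any app signed with an enterprise certificate that the organization did not issue itself, can be illustrated from the app’s provisioning profile. The example below is added here and is not Lacoon’s or Trend Micro’s code. It assumes the XML plist payload has already been extracted from the CMS-signed embedded.mobileprovision file; the team IDs, app names and expiry dates are constructed placeholders, and the allowlist of trusted team IDs is an assumed organizational setting.

```python
"""Flag enterprise-signed iOS apps from their embedded provisioning profile.

Added example, not code from Lacoon or Trend Micro. Assumes the plist payload
has already been stripped out of the PKCS#7 envelope of embedded.mobileprovision;
only the payload is parsed here.
"""
import plistlib
from datetime import datetime, timezone
from typing import Optional

# Constructed reference time for the checks below (not a real event date).
ADVISORY_DATE = datetime(2015, 2, 6)

# Constructed sample: an enterprise (in-house) profile. Team IDs, names and
# bundle IDs are placeholders, not indicators from any real campaign.
ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>ExampleGame</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>
  <key>TeamName</key><string>Example Enterprise Ltd</string>
  <key>ExpirationDate</key><date>2016-02-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EXAMPLE123.com.example.game</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""

# Constructed sample: a development profile limited to listed device UDIDs.
DEVELOPMENT_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>InternalTool</string>
  <key>ProvisionedDevices</key><array><string>0000000000000000000000000000000000000000</string></array>
  <key>TeamIdentifier</key><array><string>CORPTEAM01</string></array>
  <key>TeamName</key><string>Example Corp</string>
  <key>ExpirationDate</key><date>2016-02-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>CORPTEAM01.com.example.internal</string>
    <key>get-task-allow</key><true/>
  </dict>
</dict>
</plist>
"""


def parse_profile(plist_bytes: bytes) -> dict:
    """Parse the plist payload of a provisioning profile into a dict."""
    return plistlib.loads(plist_bytes)


def classify_profile(profile: dict, now: Optional[datetime] = None) -> dict:
    """Derive the distribution type and risk-relevant attributes of a profile."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    if profile.get("ProvisionsAllDevices") is True:
        kind = "enterprise"            # in-house distribution: installs on any device
    elif "ProvisionedDevices" in profile:
        kind = "adhoc_or_development"  # restricted to the listed UDIDs
    else:
        kind = "unknown"
    entitlements = profile.get("Entitlements", {})
    expires = profile.get("ExpirationDate")  # plistlib yields a naive UTC datetime
    return {
        "kind": kind,
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "team_name": profile.get("TeamName", ""),
        "app_id": entitlements.get("application-identifier", ""),
        "debuggable": entitlements.get("get-task-allow") is True,
        "expired": expires is not None and expires < now,
    }


def assess(plist_bytes: bytes, trusted_team_ids: set, now: Optional[datetime] = None) -> dict:
    """Alert on enterprise-signed apps unless the signing team is on the
    organization's allowlist of its own in-house teams (assumed setting)."""
    info = classify_profile(parse_profile(plist_bytes), now)
    reasons = []
    if info["kind"] == "enterprise" and not set(info["team_ids"]) & set(trusted_team_ids):
        reasons.append("enterprise-signed app from a team outside the allowlist")
    if info["debuggable"]:
        reasons.append("development build (get-task-allow) on a managed device")
    if info["expired"]:
        reasons.append("provisioning profile has expired")
    return {"alert": bool(reasons), "reasons": reasons, **info}


if __name__ == "__main__":
    for name, blob in (("enterprise", ENTERPRISE_PROFILE), ("development", DEVELOPMENT_PROFILE)):
        print(name, assess(blob, {"CORPTEAM01"}, now=ADVISORY_DATE))
```

The allowlist matters in practice: many organizations distribute their own in-house apps with an enterprise certificate, so alerting on every enterprise-signed app would drown the signal. Alerting on enterprise profiles from unknown teams, plus development builds and expired profiles on managed devices, keeps the check focused on what the advisory describes.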

For the variant that requires a jailbroken device, Lacoon has multiple advanced detection techniques that immediately alert the organization if a device has been jailbroken. Jailbreak detection triggers mitigation actions such as blocking the device’s access to corporate assets like email and networks.