Skip to main content

BEWARE OF LINKS YOU DON'T TRUST AND CLICK ON INTERNET. Cybercriminals Used Local News Sites To Install Spyware On Devices.

By Editor



iphone iOS spyware
A newly discovered watering-hole campaign is targeting Apple iPhone users in Hong Kong by using malicious website links as a lure to install spyware on the devices.

According to research published by Trend Micro and Kaspersky, the "Operation Poisoned News" attack leverages a remote iOS exploit chain to deploy a feature-rich implant called 'LightSpy' through links to local news websites, which when clicked, executes the malware payload and allows an interloper to exfiltrate sensitive data from the affected device and even take full control.

Watering-hole attacks typically let a bad actor compromise a specific group of end-users by infecting websites that they are known to visit, with an intention to gain access to the victim's device and load it with malware.

The APT group, dubbed "TwoSail Junk" by Kaspersky, is said to be leveraging vulnerabilities present in iOS 12.1 and 12.2 spanning all models from iPhone 6 to the iPhone X, with the attacks first identified on January 10, before intensifying around February 18.

Using Malicious Links as Bait to Install Spyware


The campaign uses fake links posted on multiple forums, all popular with Hong Kong residents, that claim to lead to various news stories related to topics that are either sex-related, clickbait, or news related to the ongoing COVID-19 Coronavirus pandemic.


iphone iOS spyware

Clicking the URLs lead the users to legitimate news outlets that have been compromised as well as websites set up specifically for this campaign (e.g., hxxps://appledaily.googlephoto[.]vip/news[.]html) by the operators. In both situations, a hidden iframe is employed to load and execute malicious code.

"The URLs used led to a malicious website created by the attacker, which in turn contained three iframes that pointed to different sites," Trend Micro researchers said. "The only visible iframe leads to a legitimate news site, which makes people believe they are visiting the said site. One invisible iframe was used for website analytics; the other led to a site hosting the main script of the iOS exploits."

iOS exploit

The malware in question exploits a "silently patched" Safari vulnerability, which when rendered on the browser leads to the exploitation of a use after free memory flaw (tracked as CVE-2019-8605) that allows an attacker to execute arbitrary code with root privileges — in this case, install the proprietary LightSpy backdoor. The bug has since been resolved with the release of iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, and watchOS 5.2.1.

The spyware is not just capable of remotely executing shell commands and taking full control of the device. It also contains a variety of downloadable modules that allow for data exfiltration, such as contact lists, GPS location, Wi-Fi connection history, hardware data, iOS keychains, phone call records, mobile Safari and Chrome browser history, and SMS messages.

In addition, LightSpy targets messaging applications like Telegram, QQ, and WeChat to steal account information, contacts, groups, messages, and attached files.

A Surveillance Operation Targeting Southeast Asia


It is suspected the TwoSail Junk gang is connected to, or possibly the same, as the operators of "dmsSpy", an Android variant of the same malware that was distributed last year through open Telegram channels under the guise of Hong Kong protest calendar apps among others.

"dmsSpy's download and command-and-control servers used the same domain name (hkrevolution[.]club) as one of the watering holes used by the iOS component of Poisoned News," the researchers observed.

Once installed, these rogue Android apps harvested and exfiltrated contacts, text messages, the user's location, and the names of stored files.

"This particular framework and infrastructure is an interesting example of an agile approach to developing and deploying surveillance framework in Southeast Asia," Kaspersky researchers concluded.

Trend Micro, for its part, suggested the design and functionality of the campaign aim to compromise as many mobile devices as possible to enable device backdooring and surveillance.

To mitigate such threats, it's essential that users keep their devices up-to-date and avoid sideloading apps on Android from unauthorized sources.

THN
#osutayusuf
@osutayusuf

Comments

Post a Comment

Popular posts from this blog

UGANDA ELECTORAL COMMISSION TO ELIMINATE NATIONAL IDENTIFICATION CARDS (IDs) FOR 2021 GENERAL ELECTIONS.

By Editor
The elimination of using National IDs (Ndagamuntu) for the 2021 elections should not have come as a surprise. One would be very NAIVE to think that Bobi Wine has not prepared for this in his Business Plan under the RISK section. It is public knowledge that our EC is not independent.  It is also public knowledge that Military Dictator Yoweri Museveni will never lose an election. What stunned us this morning is when we noticed that on social media, people were mocking Bobi with his "get your Ndagamuntu".  We are on record for saying to all Our readers that the National ID is like Apartheid in South Africa. Students of History would know how those IDs were being used to arrest people, deny them jobs, deny them basic services. Consequently, Bobi was not wrong and will never be wrong on the Ndagamuntu. Except the ones attacking him and mocking him forget that in Uganda, now, no National ID (Ndagamuntu), no service.  If you have not been denied registering your child i...
Post a Comment
Read more

President Museveni Praises Soldiers for Torturing Bobi Wine in Arua on August 2018.

By Editor
        President Museveni at the passout of police officers in Masindi Friday https://www.facebook.com/1829407613953796 President Museveni has praised his Special Forces Command [SFC] guards for properly and legally beating National Unity Platform [NUP] presidential flagbearer, Robert Kyagulanyi aka Bobi Wine. “The other day, there was a fracas in West Nile where our young friend Bobi Wine was fighting security people,” Museveni said Friday while passing out police recruits at Kabalye Training School in Masindi district. “I think they beat him a bit and then they came and said a Member of Parliament has been beaten. I said let me study and see how he was beaten. I found the man had been beaten in the right way,” Museveni explained. “This was because…I think this was SFC people who are not police-minded. They are used to doing other things. But somehow they managed to act properly, I was surprised.” When they [SFC] went where this young man was in the room, he had ca...
Post a Comment
Read more

Here is Why Our Utterances For Praying Jesus And God To Come Liberate Ugandans, May Be Misplaced. This Phrase is like inform of a Letter To Some Categorized Section Of Ugandans.

By Editor
https://m.facebook.com/yusufosuta/photos/a.1896701010557789/2070383359856219/?type=3 OPEN LETTER TO NRM SUPPORTERS - NATIONAL ROBBERS MOVEMENT. .................................................................................. Last week of March, a friend told me to pray for Uganda.  I told him that he was an Idiot and we have prayed for too long and we are still hungry and sick and Jesus is not coming soon to liberate us. He then ignored the STUPID and sent me a picture we all now know.  It got me totally messed up.  This guy was telling me to pray then sends a picture of men bowing down in blood.  He might have meant guns but I blocked him because his utterances of praying for Uganda were misplaced. I unblocked him 3 weeks later and asked him about praying and assassinations.  His reply "eithrr prayers or guns or both". I hate violence with a passion.  So he is now blocked in like FOREVER. Do you feel safe?  Do not feel safe. Uganda regim...
Post a Comment
Read more