A newly discovered watering-hole campaign using malicious website links as a lure to install spyware on devices is targeting Apple iPhone users in Hong Kong.
According to research published by Trend Micro and Kaspersky, the “Operation Poisoned News” attack takes advantage of a remote iOS exploit chain to deploy a feature-rich implant called ‘LightSpy’ through links to local news websites. When such a link is clicked, the malware payload is delivered, allowing an intruder to exfiltrate sensitive data from the affected device and even take full control of it.
Watering-hole attacks typically allow a bad actor to compromise a specific group of end users by infecting websites they are known to visit, with the aim of gaining access to the victim’s device and loading it with malware.
The APT group, dubbed “TwoSail Junk” by Kaspersky, is said to have taken advantage of vulnerabilities in iOS 12.1 and 12.2 on all models from iPhone 6 to iPhone X. The attacks were identified on 10 January and ramped up on 18 February.
Using malicious links as bait to install spyware
The campaign uses fake links posted on several forums popular with Hong Kong residents, which claim to lead to various news stories on topics that are sex-related, clickbait, or ongoing news about the COVID-19 coronavirus.
Clicking on the URL takes users either to legitimate news outlets or to websites set up specifically for this campaign (e.g., hxxps://appledaily.googlephoto[.]vip/news.html) that are controlled by the operators. In both cases, a hidden iframe is employed to load and execute malicious code.
Trend Micro researchers said, “The URL leads to a malicious website created by the attacker, which consists of three iframes pointing to different sites. The only visible iframe leads to a legitimate news site, making people think they are visiting that site. One invisible iframe was used for website analytics, while the other led to a site hosting the main script for the iOS exploits.”
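The three-iframe layout described above (one visible frame showing a real news site, two hidden frames doing the actual work) is a pattern a defender can look for when triaging a suspect landing page. The following script is an added example, not code from the article or from either vendor: it parses an HTML document with the standard library and flags iframes that are hidden via a zero width/height or a `display:none`/`visibility:hidden` style, recording whether each one points off the page’s own host. The sample HTML and the `lure.example`, `news.example`, `analytics.example` and `cdn.example` hostnames are constructed for the demonstration.

```python
"""Flag hidden iframes in a captured HTML page (added example, not from the article)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that makes an element invisible to the user.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs is a list of (name, value) pairs; value is None for bare attributes.
            self.iframes.append(dict(attrs))


def _dimension_is_zero(value):
    """True when a width/height attribute is 0 (with or without a unit)."""
    if value is None:
        return False
    match = re.match(r"\s*(\d+)", value)
    return match is not None and int(match.group(1)) == 0


def is_hidden(attrs):
    """An iframe counts as hidden if it is styled invisible or has no visible area."""
    style = attrs.get("style") or ""
    return (
        HIDDEN_STYLE.search(style) is not None
        or _dimension_is_zero(attrs.get("width"))
        or _dimension_is_zero(attrs.get("height"))
    )


def find_hidden_iframes(html, page_host):
    """Return one finding per hidden iframe: its src, its host and whether it is cross-origin."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        if not is_hidden(attrs):
            continue
        src = attrs.get("src") or ""
        # A relative src inherits the page's host.
        host = urlparse(src).hostname or page_host
        findings.append({"src": src, "host": host, "cross_origin": host != page_host})
    return findings


# Constructed sample mirroring the layout in the article: one visible frame to a
# real news site and two invisible frames (analytics, exploit host).
SAMPLE_HTML = """
<html><body>
<iframe src="https://news.example/story/123" width="100%" height="800"></iframe>
<iframe src="https://analytics.example/t.html" width="0" height="0"></iframe>
<iframe src="https://cdn.example/loader.html" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML, "lure.example"):
        print(finding)
```

Run against the constructed sample with `lure.example` as the page host, the visible news frame is ignored and the two invisible frames are reported, both marked cross-origin. In practice the check is a triage aid rather than a verdict: hidden iframes are also used by legitimate analytics and ad tags, so the output is best combined with domain reputation and the age of the frame’s target domain.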
The malware in question exploits a “silently patched” Safari vulnerability: a use-after-free memory bug (tracked as CVE-2019-8605) that, when a crafted page is rendered in the browser, allows an attacker to execute arbitrary code with native privileges, in this case to install the proprietary LightSpy backdoor. The bug was resolved with the release of iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3 and watchOS 5.2.1.
The spyware is able not only to execute shell commands remotely and take full control of the device; it also includes a variety of downloadable modules that allow data exfiltration, covering the contact list, GPS location, Wi-Fi connection history, hardware data, the iOS keychain, phone call records, mobile Safari and Chrome browser history, and SMS messages.
In addition, LightSpy targets messaging applications such as Telegram, QQ and WeChat to steal account information, contacts, groups, messages and attached files.
A surveillance operation targeting Southeast Asia
The TwoSail Junk gang is suspected of being, or possibly being linked to, the operator of “dmsSpy”, an Android version of the same malware that was distributed last year through open Telegram channels under the guise of a Hong Kong television app and a protest calendar app, among others.
“dmsSpy’s download and command-and-control servers used the same domain name (hkrevolution[.]club) as the watering hole used by the iOS component of Poisoned News,” the researchers observed.
Once installed, these rogue Android apps collect and exfiltrate the device’s contacts, text messages, user location, and the names of stored files.
“The framework and infrastructure in particular are an interesting example of an agile approach to developing and deploying surveillance frameworks in Southeast Asia,” Kaspersky researchers concluded.
Trend Micro, for its part, suggested that the campaign’s purpose and functionality were geared toward compromising as many mobile devices as possible in order to backdoor and monitor them.
To minimize such threats, users should keep their devices up to date and, on Android, avoid sideloading apps from unauthorized sources.