Lacoon Discovers Xsser mRAT, the First Advanced Chinese iOS Trojan
Shalom Bublil, Daniel Brodie, and Avi Bashan contributed to the post, and are credited with Lacoon’s discovery of the Xsser mRAT.
The Lacoon Mobile Security research team has discovered a new mRAT it calls “Xsser mRAT.” The Xsser mRAT specifically targets iOS devices, and is related to Android spyware already distributed broadly in Hong Kong.
A link to the Android spyware, disguised as an app to help coordinate Occupy Central protests in Hong Kong, was sent as an anonymous message to Whatsapp users there on Thursday. In its investigation of that spyware, Lacoon uncovered the Xsser mRAT hosted on the same Command and Control (CnC) domain with the project being named Xsser. Though called Xsser, this is not related to an XSS attack.
Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state. The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s first iOS trojan linked to Chinese government cyber activity.
The Xsser mRAT is itself significant because while there have been other iOS trojans found previously, this is the first and most advanced, fully operational Chinese iOS trojan found to date. Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone’s guess. It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments.
Shifting Cybercriminal Strategy Puts Individuals, Organizations At Risk
The Xsser mRAT represents a fundamental shift by nation-state cybercriminals from compromising traditional PC systems to targeting mobile devices. The risks extend well beyond the personal user to any enterprise with employees using mobile devices — company-provided or employee-liable — for business purposes. When infected, Xsser mRAT exposes virtually any information on iOS devices including SMS, email, and instant messages, and can also reveal location data, usernames and passwords, call logs and contact information.
The Xsser mRAT illustrates how easily social engineering can be used to steal valuable information from iOS users. Attackers successfully use relevant events (in this case political protests, but it could be something as innocent as a sporting event or a trade show) to gain a victim’s trust. Targets then unknowingly install malicious apps, unaware that they’re also unlocking the door to all kinds of sensitive information.
It’s also a perfect example of why it’s important to protect mobile devices against not just known threats, but also emerging and evolving threats you may not have known existed.
About Lacoon’s Investigation Into the Xsser mRAT
The investigation began late last week with a malicious, fake Android app claiming to coordinate the Occupy Central pro-democracy movement. Activists have been receiving a link to the application via Whatsapp phishing messages from an unknown phone number saying, “Check out this Android app designed by Code4HK, group of activist coders, for the coordination of Occupy Central!” Once victims click the link, their devices are infected an advanced mRAT, or mobile Remote Access Trojan.
Read more about the Android trojan at our blog post here.
Article with thanks - Lacoon
No comments:
Post a Comment