Apple iOS users served mobile malware in Poisoned News campaign

As we all devour online news sources in the current climate, cyberattackers are waiting to spring.
Written by Charlie Osborne, Contributing Writer

Apple iOS smartphone users in Hong Kong are being targeted in a new campaign exploiting online news readers to serve malware. 

This week, Trend Micro researchers said the scheme, dubbed Operation Poisoned News, uses links posted on a variety of forums popular with Hong Kong residents that claim to lead to news stories. 

Newly-registered members of the discussion forums would post links generally related to sex, clickbait headlines, and COVID-19. 

The links do actually lead to legitimate news outlets; however, a watering hole attack uses a hidden iframe to deploy and execute malicious code.


"The URLs used led to a malicious website created by the attacker, which in turn contained three iframes that pointed to different sites," the researchers say. "The only visible iframe leads to a legitimate news site, which makes people believe they are visiting the said site. One invisible iframe was used for website analytics; the other led to a site hosting the main script of the iOS exploits."
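
A triage check for the page layout the researchers describe, added here as an example and not taken from Trend Micro's report or this article: it lists each iframe on a fetched landing page and flags the pattern of one visible frame alongside hidden cross-origin frames. The function names, hiding heuristics and sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline style patterns that leave an element invisible to the reader (heuristic).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(\.0+)?\s*(;|$)"
    r"|(?:^|;)\s*(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))

def is_hidden(attrs):
    """True when attributes or inline style leave the frame invisible."""
    if "hidden" in attrs:
        return True
    for dim in ("width", "height"):
        if (attrs.get(dim) or "").strip().rstrip("px") in ("0", "1"):
            return True
    return bool(HIDDEN_STYLE.search(attrs.get("style") or ""))

def audit_iframes(html, page_url):
    """Return (host, hidden) for each iframe, with src resolved against page_url."""
    parser = IframeCollector()
    parser.feed(html)
    return [(urlparse(urljoin(page_url, a.get("src") or "")).hostname, is_hidden(a))
            for a in parser.frames]

def looks_like_decoy(html, page_url):
    """Flag pages that show one frame while loading hidden cross-origin frames."""
    own = urlparse(page_url).hostname
    frames = audit_iframes(html, page_url)
    visible = [h for h, hidden in frames if not hidden]
    hidden_remote = [h for h, hidden in frames if hidden and h != own]
    return bool(visible) and bool(hidden_remote), hidden_remote

# Constructed sample page; every host is a reserved example name.
SAMPLE = """<html><body style="margin:0">
<iframe src="https://news.example.org/story" width="100%" height="100%"></iframe>
<iframe src="https://stats.example.net/c.html" style="display:none"></iframe>
<iframe src="https://cdn.example.com/main.html" width="0" height="0"></iframe>
</body></html>"""
```

Frames hidden through external stylesheets or created by script at load time are not visible to this static check; a rendered-DOM inspection is needed for those.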

The campaign began in mid-February and appears to be ongoing. Based on the distribution model, the team believes the campaign is not selective in its targets; instead, the goal is to compromise as many devices as possible.

The infection chain begins if a user clicks on a link while using an Apple iPhone 6S up to the iPhone X running iOS 12.1 or 12.2 that has not received a silent patch for a Safari bug Apple has fixed in recent versions of the firm's OS.

The Safari vulnerability -- which does not have a CVE -- can be exploited to trigger CVE-2019-8605, a use-after-free memory flaw resolved in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, and watchOS 5.2.1. If exploited, this bug can result in the compromise of the kernel to obtain root privileges. 

The second stage of the attack chain is the deployment of a new form of iOS malware called lightSpy, a modular backdoor that gives operators the option to remotely execute shell commands and manipulate files on the victim device. 


Trend Micro says that most of the modules contained in the "undocumented and sophisticated spyware" are focused on data exfiltration, including the theft of contact lists, GPS location, Wi-Fi connection history, hardware data, iOS keychains, phone call records, mobile Safari and Chrome browser history, and SMS messages. 

In addition, lightSpy is able to compromise the Telegram, WeChat, and QQ messaging apps, exfiltrating account information, contacts, groups, messages, and files.

It is believed the threat actors behind the Poisoned News campaign are connected to, or are the same as, the operators of dmsSpy, an Android variant of the same malware that has been distributed through open Telegram channels since 2019.


Trend Micro says the command-and-control (C2) infrastructure and domain names used by the iOS watering hole attacks are the same as those of the Android variant, albeit through differing subdomains.

Tencent, the developer of WeChat and QQ, said that reminders have been sent to the "very tiny percentage" of users who have not updated their iOS builds. Telegram and Apple have also been notified. 
