The threat actors behind the political and economic cyber espionage campaign known as Operation Pawn Storm have started using iOS malware to steal sensitive information from their targets, Trend Micro reported on Wednesday.
The group behind Operation Pawn Storm (also known as APT28, Tsar Team, Sednit and Fancy Bear) has been around since at least 2007. The threat actor, which is believed to be linked to the Russian government, has targeted military, defense industry, government and media organizations from across the world.
Once they infiltrate their targets’ networks, the attackers use sophisticated espionage malware to steal valuable data. These advanced espionage tools now include at least a couple of malicious iOS applications related to the Sednit malware.
One of the iOS spy apps is called XAgent (IOS_XAGENT.A). Once it’s installed on an iOS device, the malware starts harvesting text messages, contact lists, pictures, details on installed apps and processes, Wi-Fi statuses, and geo-location data. The threat is also capable of recording audio, Trend Micro said.
XAgent communicates with its command and control (C&C) server via HTTP. However, experts have determined that the app is also capable of uploading files to a server by using the file transfer protocol (FTP).
The spyware runs in the background and hides its icon to avoid raising suspicion. When its process is terminated, the malware restarts almost immediately. However, according to researchers, these features only work on iOS 7. On iOS 8, the icon is not hidden and the malware doesn’t restart automatically after its process is terminated.
The second iOS spyware identified by Trend Micro is called MadCap (IOS_ XAGENT.B). MadCap is similar to XAgent, but the malware only works on jailbroken devices and it’s designed mainly for audio recording.
While they haven’t been able to precisely determine how these pieces of malware are distributed, researchers believe one method could involve infecting iOS devices once they are connected to a compromised Windows computer through a USB cable. Another method relies on ad hoc provisioning, a process used by iOS developers to distribute their applications.
Trend Micro spotted an instance in which XAgent was installed through this method. Victims were presented with a link that said “Tap Here to Install the Application.” The link pointed to a .plist file that installed the spyware wirelessly.
The C&C server used by the iOS threats was still live as of February 4.
In November, ESET reported that the Pawn Storm cyber espionage group had been using a clever piece of malware, Win32/USBStealer, to steal valuable information from air-gapped networks.