
Windows Version of WireLurker Malware Discovered

Researchers have identified an older variant of the recently uncovered WireLurker OS X/iOS malware which appears to have been designed to target computers running Microsoft Windows.


The Windows version of WireLurker was discovered by Jaime Blasco from AlienVault Labs, who made the connection after seeing that an executable file contained command and control (C&C) server addresses used by the malware.

According to Palo Alto Networks, early versions of WireLurker for Windows and OS X were developed in March and they were uploaded to a public cloud storage service of Baidu, Baidu YunPan, disguised as installers for pirated versions of popular iOS apps. The Windows samples of the malware were created on March 13 on a Windows XP computer.

Researchers have identified 180 Windows applications and 67 OS X applications on that Baidu YunPan storage. However, in comparison to the 467 apps containing newer variants of WireLurker, which have been downloaded by Chinese users from the Maiyadi App Store more than 350,000 times, these programs had been downloaded only 65,213 times between March 13 and November 6. The Windows version accounts for 97.7% of the downloads, Palo Alto Networks said.

Based on the tests conducted by Palo Alto, it appears that the Windows version of WireLurker doesn’t work as it should.

“During our analysis, we connected an iPhone 5s running iOS 7.1 (jailbroken) and a 3rd gen iPad running iOS 6 (jailbroken) to infected Windows 7 and Windows XP systems,” Palo Alto Networks wrote in a blog post. “When using the iPhone 5s/iOS 7.1, the installer crashed after clicking the button; with the iPad, the interface shows ‘installation is successful’, but we did not find any new icon in the iPad display. We believe this failure was caused by poor coding quality and incompatibility between the malware and the iOS device, but the malware code does attempt the installation.”

Researchers have pointed out an interesting aspect of the iOS malware. The threat contains binary code for 32-bit ARMv7, 32-bit ARMv7s, and 64-bit ARM64 architectures. This makes WireLurker the first iOS malware that targets the ARM64 architecture.
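A universal (fat) Mach-O carries one slice per architecture, so a quick way for an analyst to confirm a claim like the one above is to read the fat header and list the slices. The following parser is an added example written for this article; it is not code from SecurityWeek or Palo Alto Networks. The magic value, CPU type and subtype constants come from Apple's `<mach-o/fat.h>` and `<mach/machine.h>`; the sample header it parses is constructed inline (three slice entries with no real Mach-O bodies behind them), and the function names `fat_arches`, `targets_arm64` and `make_fat_header` are this example's own.

```python
import struct

# Constants from Apple's <mach-o/fat.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE           # magic of a fat (universal) Mach-O header, stored big-endian
CPU_ARCH_ABI64 = 0x01000000      # flag bit that marks a 64-bit cputype
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_SUBTYPE_MASK = 0xFF000000    # top byte of cpusubtype holds capability bits, not the subtype
CPU_SUBTYPE_ARM_V7 = 9
CPU_SUBTYPE_ARM_V7S = 11
CPU_SUBTYPE_ARM64_ALL = 0

ARCH_NAMES = {
    (CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7): "armv7",
    (CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7S): "armv7s",
    (CPU_TYPE_ARM64, CPU_SUBTYPE_ARM64_ALL): "arm64",
}

FAT_HEADER = struct.Struct(">II")       # magic, nfat_arch
FAT_ARCH = struct.Struct(">IIIII")      # cputype, cpusubtype, offset, size, align


def fat_arches(data: bytes) -> list:
    """Return the slice architecture names of a fat Mach-O, or [] if the blob is not fat."""
    if len(data) < FAT_HEADER.size:
        return []
    magic, nfat = FAT_HEADER.unpack_from(data, 0)
    if magic != FAT_MAGIC:
        return []                        # thin Mach-O (0xFEEDFACE/0xFEEDFACF) or not Mach-O at all
    names = []
    for i in range(nfat):
        off = FAT_HEADER.size + i * FAT_ARCH.size
        if off + FAT_ARCH.size > len(data):
            raise ValueError("fat header claims %d slices but the data is truncated" % nfat)
        cputype, cpusubtype, offset, size, align = FAT_ARCH.unpack_from(data, off)
        cpusubtype &= ~CPU_SUBTYPE_MASK  # drop capability bits so the subtype lookup matches
        names.append(ARCH_NAMES.get((cputype, cpusubtype),
                                    "unknown(cputype=%#x, cpusubtype=%#x)" % (cputype, cpusubtype)))
    return names


def targets_arm64(data: bytes) -> bool:
    """True if the fat binary contains a 64-bit ARM slice."""
    return "arm64" in fat_arches(data)


def make_fat_header(slices) -> bytes:
    """Build a fat header for the given (cputype, cpusubtype) pairs.

    Constructed test data only: offsets point just past the header table and
    every slice is recorded with size 0, so no real Mach-O bodies are included.
    """
    header = FAT_HEADER.pack(FAT_MAGIC, len(slices))
    body_start = FAT_HEADER.size + FAT_ARCH.size * len(slices)
    entries = b"".join(FAT_ARCH.pack(ct, cst, body_start, 0, 14) for ct, cst in slices)
    return header + entries


# Constructed sample mirroring the three slices the article reports for the iOS payload.
SAMPLE_THREE_ARCH = make_fat_header([
    (CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7),
    (CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7S | 0x80000000),   # capability bit set; parser must mask it
    (CPU_TYPE_ARM64, CPU_SUBTYPE_ARM64_ALL),
])
# Constructed thin 64-bit Mach-O magic (little-endian MH_MAGIC_64) padded with zeros: not fat.
SAMPLE_THIN = struct.pack("<I", 0xFEEDFACF) + b"\x00" * 28

if __name__ == "__main__":
    print(fat_arches(SAMPLE_THREE_ARCH))   # ['armv7', 'armv7s', 'arm64']
    print(targets_arm64(SAMPLE_THIN))      # False
```

On a real sample you would pass the file's bytes to `fat_arches`; the function only reads the header table, so it is safe to run on untrusted input, and a header whose slice count exceeds the data on hand raises instead of silently reporting a partial list.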

The Maiyadi App Store on which the initially discovered variants were hosted seems to be linked to the creators of the malware, Palo Alto said. One piece of evidence is the bundle identifier named “com.maiyadi.installer” in the OS X samples. The samples also include copyright information referencing Maiyadi.


The C&C servers used by WireLurker are currently inactive, and Apple has taken steps to ensure that its users are protected, including the revocation of the stolen code signing certificates used by the malware creators to run the malicious iOS apps on non-jailbroken devices.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
