SecurityWeek

Cybercrime

Windows Version of WireLurker Malware Discovered

Researchers have identified an older variant of the recently uncovered WireLurker OS X/iOS malware which appears to have been designed to target computers running Microsoft Windows.

The Windows version of WireLurker was discovered by Jaime Blasco from AlienVault Labs, who made the connection after seeing that an executable file contained command and control (C&C) server addresses used by the malware.

According to Palo Alto Networks, early versions of WireLurker for Windows and OS X were developed in March and uploaded to Baidu YunPan, a public cloud storage service operated by Baidu, disguised as installers for pirated versions of popular iOS apps. The Windows samples were built on March 13 on a Windows XP machine.

Researchers identified 180 Windows applications and 67 OS X applications on that storage service. Between March 13 and November 6 these programs were downloaded only 65,213 times, with the Windows version accounting for 97.7% of the downloads, Palo Alto Networks said. By comparison, the 467 apps carrying the newer WireLurker variants have been downloaded more than 350,000 times by Chinese users from the Maiyadi App Store.

Based on Palo Alto's tests, the Windows version of WireLurker does not function correctly: it attempts to push its payload to a connected iOS device but fails to complete the installation.

“During our analysis, we connected an iPhone 5s running iOS 7.1 (jailbroken) and a 3rd gen iPad running iOS 6 (jailbroken) to infected Windows 7 and Windows XP systems,” Palo Alto Networks wrote in a blog post. “When using the iPhone 5s/iOS 7.1, the installer crashed after clicking the button; with the iPad, the interface shows ‘installation is successful’, but we did not find any new icon in the iPad display. We believe this failure was caused by poor coding quality and incompatibility between the malware and the iOS device, but the malware code does attempt the installation.”

Researchers also pointed out a notable aspect of the iOS component: it is shipped as a single fat (universal) binary containing code for three architectures, 32-bit ARMv7, 32-bit ARMv7s and 64-bit ARM64. This makes WireLurker the first iOS malware known to carry an ARM64 build, so it can run natively on the 64-bit iPhone 5s and later devices rather than relying on a 32-bit slice.
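The multi-architecture claim is something an analyst can verify directly from the file: an iOS fat binary begins with a big-endian fat header listing each slice's CPU type and subtype. The parser below is an added example written for this page, not code from the SecurityWeek article or from Palo Alto Networks' analysis; the constants come from Apple's `<mach-o/fat.h>` and `<mach/machine.h>`, the sample bytes are constructed inline (each "slice" is just a Mach-O magic plus padding, not a real image), and the `MAX_FAT_ARCHES` bound is my own sanity check, not an Apple limit.

```python
"""List the architecture slices of a fat (universal) Mach-O binary.

Added example for this page; not WireLurker code and not Palo Alto Networks'
tooling. Header layout and constants follow Apple's <mach-o/fat.h> and
<mach/machine.h>. The sample input at the bottom is constructed here.
"""
import struct

FAT_MAGIC = 0xCAFEBABE  # the fat header is always stored big-endian
# A thin Mach-O slice starts with one of these, in either byte order.
MH_MAGICS = {0xFEEDFACE, 0xCEFAEDFE, 0xFEEDFACF, 0xCFFAEDFE}

CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_SUBTYPE_ARM_V7 = 9
CPU_SUBTYPE_ARM_V7S = 11
CPU_SUBTYPE_ARM64_ALL = 0
CPU_SUBTYPE_MASK = 0x00FFFFFF  # low 24 bits; the top byte carries capability flags

ARCH_NAMES = {
    (CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7): "armv7",
    (CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7S): "armv7s",
    (CPU_TYPE_ARM64, CPU_SUBTYPE_ARM64_ALL): "arm64",
}

# My own sanity bound (assumption, not an Apple constant). Java .class files
# share the 0xCAFEBABE magic, and their version field lands in nfat_arch, so
# an unbounded or out-of-range slice table must be rejected rather than walked.
MAX_FAT_ARCHES = 64


def fat_arches(data: bytes) -> list[str]:
    """Return the slice names of a fat Mach-O image, in table order.
    Raises ValueError for anything that is not a well-formed fat file."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError(f"not a fat Mach-O (magic {magic:#010x})")
    if not 1 <= nfat <= MAX_FAT_ARCHES:
        raise ValueError(f"implausible nfat_arch {nfat}")
    names = []
    for i in range(nfat):
        entry = 8 + 20 * i  # struct fat_arch is five big-endian uint32 fields
        if entry + 20 > len(data):
            raise ValueError("fat_arch table truncated")
        cputype, cpusubtype, offset, size, _align = struct.unpack_from(">IIIII", data, entry)
        cpusubtype &= CPU_SUBTYPE_MASK
        if size < 4 or offset + size > len(data):
            raise ValueError(f"slice {i} lies outside the file")
        slice_magic = struct.unpack_from(">I", data, offset)[0]
        if slice_magic not in MH_MAGICS:
            raise ValueError(f"slice {i} does not start with a Mach-O header")
        names.append(ARCH_NAMES.get((cputype, cpusubtype),
                                    f"cputype={cputype:#x}/subtype={cpusubtype:#x}"))
    return names


def describe(data: bytes) -> str:
    """One-line verdict suitable for a triage log."""
    try:
        return "fat: " + ", ".join(fat_arches(data))
    except ValueError as exc:
        return f"rejected: {exc}"


def build_sample_fat(slices: list[tuple[int, int, bytes]]) -> bytes:
    """Assemble a minimal fat file from (cputype, cpusubtype, slice_bytes).
    Constructed test input only: real slices are full, page-aligned images."""
    header_len = 8 + 20 * len(slices)
    table = bytearray(struct.pack(">II", FAT_MAGIC, len(slices)))
    payload = bytearray()
    for cputype, cpusubtype, blob in slices:
        offset = header_len + len(payload)
        table += struct.pack(">IIIII", cputype, cpusubtype, offset, len(blob), 2)
        payload += blob
    return bytes(table + payload)


# Constructed sample mirroring the three slices described above: each slice is a
# little-endian Mach-O magic (32-bit for the armv7 slices, 64-bit for arm64) plus padding.
SAMPLE = build_sample_fat([
    (CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, struct.pack("<I", 0xFEEDFACE) + b"\0" * 12),
    (CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7S, struct.pack("<I", 0xFEEDFACE) + b"\0" * 12),
    (CPU_TYPE_ARM64, CPU_SUBTYPE_ARM64_ALL, struct.pack("<I", 0xFEEDFACF) + b"\0" * 12),
])

if __name__ == "__main__":
    print(describe(SAMPLE))
```

On a real sample, `fat_arches(open(path, "rb").read())` gives the same answer as `otool -f` or `lipo -info`, and the bounds checks are what keep a hostile or truncated file from steering the parser out of the buffer.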

The Maiyadi App Store, which hosted the initially discovered variants, appears to be linked to the malware's creators, Palo Alto said. One piece of evidence is the bundle identifier “com.maiyadi.installer” found in the OS X samples; the samples also carry copyright strings referencing Maiyadi.

The C&C servers used by WireLurker are currently inactive, and Apple has taken steps to protect its users, including revoking the stolen code signing certificates that the malware creators used to run the malicious iOS apps on non-jailbroken devices.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
