Windows Version of WireLurker Malware Discovered

Researchers have identified an older variant of the recently uncovered WireLurker OS X/iOS malware which appears to have been designed to target computers running Microsoft Windows.

The Windows version of WireLurker was discovered by Jaime Blasco from AlienVault Labs, who made the connection after seeing that an executable file contained command and control (C&C) server addresses used by the malware.

According to Palo Alto Networks, early versions of WireLurker for Windows and OS X were developed in March and uploaded to Baidu YunPan, a public cloud storage service operated by Baidu, disguised as installers for pirated versions of popular iOS apps. The Windows samples were created on March 13 on a Windows XP computer.

Researchers identified 180 Windows applications and 67 OS X applications on that service. By comparison, the 467 apps carrying the newer WireLurker variants were downloaded more than 350,000 times by Chinese users from the Maiyadi App Store, whereas these older programs were downloaded only 65,213 times between March 13 and November 6. The Windows version accounted for 97.7% of those downloads, Palo Alto Networks said.

Based on the tests conducted by Palo Alto, it appears that the Windows version of WireLurker doesn’t work as it should.

“During our analysis, we connected an iPhone 5s running iOS 7.1 (jailbroken) and a 3rd gen iPad running iOS 6 (jailbroken) to infected Windows 7 and Windows XP systems,” Palo Alto Networks wrote in a blog post. “When using the iPhone 5s/iOS 7.1, the installer crashed after clicking the button; with the iPad, the interface shows ‘installation is successful’, but we did not find any new icon in the iPad display. We believe this failure was caused by poor coding quality and incompatibility between the malware and the iOS device, but the malware code does attempt the installation.”

Researchers have also pointed out an interesting aspect of the iOS component. The malware ships binary code for three architectures in one payload: 32-bit ARMv7, 32-bit ARMv7s and 64-bit ARM64. This makes WireLurker the first known iOS malware to target the ARM64 architecture.
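Shipping code for several architectures in a single file is what a fat (universal) Mach-O container does: a big-endian header lists one slice per architecture, each with its own cputype/cpusubtype and file offset. The following Python is an added example, not code from the article or from the WireLurker analysis. It parses that header, names each slice from the standard constants in <mach/machine.h>, cross-checks the slice's own Mach-O magic against the 64-bit bit claimed in the table (a crafted header can lie), and reports whether an ARM64 slice is present. The sample bytes are constructed in the script: stub slices carrying only a Mach-O magic word, not real code.

```python
import struct
from typing import List, NamedTuple

FAT_MAGIC = 0xCAFEBABE            # fat header is always big-endian on disk
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE          # 32-bit slice, either byte order
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE    # 64-bit slice, either byte order
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_TYPE_X86 = 7
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_SUBTYPE_MASK = 0x00FFFFFF     # strip capability bits (e.g. LIB64) before lookup

# (cputype, cpusubtype) -> name, from <mach/machine.h>
ARCH_NAMES = {
    (CPU_TYPE_ARM, 9): "armv7",
    (CPU_TYPE_ARM, 11): "armv7s",
    (CPU_TYPE_ARM64, 0): "arm64",
    (CPU_TYPE_X86, 3): "i386",
    (CPU_TYPE_X86_64, 3): "x86_64",
}


class Slice(NamedTuple):
    arch: str
    cputype: int
    cpusubtype: int
    offset: int
    size: int
    is_64bit: bool


def parse_fat(data: bytes) -> List[Slice]:
    """Return the slices of a fat Mach-O, or [] if `data` is not a fat binary."""
    if len(data) < 8:
        return []
    magic, nfat = struct.unpack_from(">II", data, 0)
    # Java .class files share the 0xCAFEBABE magic; their version fields land in
    # the nfat_arch position and make it implausibly large (a common heuristic).
    if magic != FAT_MAGIC or nfat == 0 or nfat > 30:
        return []
    slices = []
    for i in range(nfat):
        entry = 8 + i * 20                       # sizeof(fat_arch) == 20
        if entry + 20 > len(data):
            raise ValueError("fat_arch table truncated")
        cputype, cpusubtype, offset, size, _align = struct.unpack_from(">iiIII", data, entry)
        if size < 4 or offset + size > len(data):
            raise ValueError(f"slice {i} lies outside the file")
        slice_magic, = struct.unpack_from(">I", data, offset)
        if slice_magic in (MH_MAGIC, MH_CIGAM):
            is_64 = False
        elif slice_magic in (MH_MAGIC_64, MH_CIGAM_64):
            is_64 = True
        else:
            raise ValueError(f"slice {i} does not start with a Mach-O header")
        # The header's ABI64 bit must agree with what the slice itself says it is.
        if is_64 != bool(cputype & CPU_ARCH_ABI64):
            raise ValueError(f"slice {i}: cputype/magic width mismatch")
        subtype = cpusubtype & CPU_SUBTYPE_MASK
        arch = ARCH_NAMES.get((cputype, subtype), f"cputype={cputype:#x}/{subtype}")
        slices.append(Slice(arch, cputype, subtype, offset, size, is_64))
    return slices


def arch_names(data: bytes) -> List[str]:
    return [s.arch for s in parse_fat(data)]


def targets_arm64(data: bytes) -> bool:
    return any(s.cputype == CPU_TYPE_ARM64 for s in parse_fat(data))


def build_fat(archs) -> bytes:
    """Construct a minimal fat binary for testing (stub slices, not real code)."""
    base = (8 + 20 * len(archs) + 15) & ~15      # slice data after the table, 16-aligned
    table, body = b"", b""
    for cputype, cpusubtype, magic in archs:
        payload = struct.pack("<I", magic) + b"\0" * 12   # little-endian, as on ARM/x86
        table += struct.pack(">iiIII", cputype, cpusubtype, base + len(body), len(payload), 4)
        body += payload
    blob = struct.pack(">II", FAT_MAGIC, len(archs)) + table
    return blob + b"\0" * (base - len(blob)) + body


# Constructed sample mirroring the three-architecture layout described in the article.
SAMPLE = build_fat([(CPU_TYPE_ARM, 9, MH_MAGIC),
                    (CPU_TYPE_ARM, 11, MH_MAGIC),
                    (CPU_TYPE_ARM64, 0, MH_MAGIC_64)])

if __name__ == "__main__":
    for s in parse_fat(SAMPLE):
        print(f"{s.arch:8} offset={s.offset:#x} size={s.size} 64-bit={s.is_64bit}")
    print("has arm64 slice:", targets_arm64(SAMPLE))
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `arch_names`; a plain (non-fat) Mach-O returns `[]` and would need the thin-header path instead. Rejecting a table entry whose ABI64 bit disagrees with the slice's own magic is deliberate: triage tooling should not trust a header that a malware author controls.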

The Maiyadi App Store, on which the initially discovered variants were hosted, appears to be linked to the creators of the malware, Palo Alto said. One piece of evidence is the bundle identifier “com.maiyadi.installer” found in the OS X samples; the samples also carry copyright information referencing Maiyadi.

The C&C servers used by WireLurker are currently inactive, and Apple has taken steps to protect its users, including revoking the stolen code signing certificates the malware creators used to run the malicious iOS apps on non-jailbroken devices.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.