Field | Value |
---|---|
ID | X0024 |
Aliases | None |
Platforms | iOS |
Year | 2015 |
Associated ATT&CK Software | YiSpecter |
YiSpecter is an Apple iOS malware that can download, install and launch arbitrary iOS apps, replace existing apps with the downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmark and open pages, and upload device information to a C2 server. It uses tricks to hide its icons from iOS’s SpringBoard, which prevents the user from finding and deleting it. The components also use the same name and logos of system apps to trick iOS power users. [1]
See ATT&CK: YiSpecter - Techniques Used.
Name | Use |
---|---|
Defense Evasion::Hide Artifacts (E1564) | The malware hides its icons from iOS's SpringBoard and uses the same names and logos as system apps to trick iOS power users. [1] |
Persistence::Modify Existing Service (F0011) | The malware hijacks other installed applications' launch routines so that "ADPage" (an installed malicious component) displays advertisements. [1] |
Lateral Movement::Supply Chain Compromise::Exploit Private APIs (E1195.m02) | The malware uses private iOS APIs to install malicious apps and uninstall legitimate apps without notifying the user. [1] |
Lateral Movement::Supply Chain Compromise::Abuse Enterprise Certificates (E1195.m01) | YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution. [1] |
Impact::Generate Traffic from Victim::Advertisement Replacement Fraud (E1643.m02) | The malware displays brief advertisements whenever the user opens applications on their phone. [1] |
Name | Use |
---|---|
Execution::Install Additional Program (B0023) | The malware can download and install arbitrary iOS apps. [1] |
Command and Control::C2 Communication::Send System Information (B0030.006) | The malware connects to the C2 server using HTTP to send device information. [1] |
Defense Evasion::Install Insecure or Malicious Configuration (B0047) | The malware changes iOS Safari's default configuration. [1] |
SHA256 Hashes
- 57cc101ee4a9f306236d1d4fb5ccb3bb96fa76210142a5ec483a49321d2bd603
- 4938b9861b7c55fbbe47d2ba04e9aff2da186e282f1e9ff0a15bbb22a5f6e0e7
- fc55c5ced1027b48885780c87980a286181d3639dfc97d03ebe04ec012a1b677
- 5259854994945a165996d994e6484c1afc1c7e628cb5df2dc3750f4f9f92202e
- 7714dbb85c5ebcd85cd1d93299479cff2cc82ad0ed11803c24c44106530d2e2f
- ddd16577b458a5ec21ea0f57084033435a46f61dc5482f224c1fe54f47d295bc
- 8fa135fc74583e05be208752e8ce191060b1617447815a007efac78662b425d0
C2 Servers:
- bb800[.]com
- iosnoico.bb800[.]com: used to upload information, download configs and commands, and download malicious components
- qvod.bb800[.]com: used to download main app
- qvios.od.bb800[.]com: used to download main app
- dp.bb800[.]com: used to download promoted iOS apps
- iosads.cdn.bb800[.]com: used to download promoted iOS apps and malicious components
[1] https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/