iOS/SSLCreds.A!tr.pws
Analysis
The malware targets jailbroken iOS devices, from which it steals Apple credentials and reports them to a remote C&C.
Technical Details
The malware consists of a Cydia Mobile Substrate dynamic library (an extension mechanism for jailbroken phones) named /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib. It hooks the SSLWrite function of Security.framework and watches for the Apple ID and password sent during authentication to
http://APPLE LOGIN SERVER/WebObjects/MZFinance.woa/wa/authenticate
The stolen credentials are sent to 23.88.10.4 or 23.228.204.55 on port 7878.
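As an added defender-side example (not Fortinet's code), the following script checks a file listing from a jailbroken device and a connection log against the indicators named above: the Unflod.dylib path, the two C&C addresses and port 7878. The sample listing and log lines are constructed, and the log format (`src:port -> dst:port`) is an assumption.

```python
import re

# Indicators taken from the write-up above.
UNFLOD_DYLIB = "/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib"
C2_ADDRESSES = {"23.88.10.4", "23.228.204.55"}
C2_PORT = 7878

# Constructed sample data (not real device output or captured traffic).
SAMPLE_FILE_LISTING = [
    "/Library/MobileSubstrate/DynamicLibraries/MobileSafety.dylib",
    "/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib",
    "/Library/MobileSubstrate/DynamicLibraries/Unflod.plist",
]
SAMPLE_CONN_LOG = [
    "2014-04-18T10:01:02 TCP 10.0.0.5:49152 -> 198.51.100.20:443",
    "2014-04-18T10:01:09 TCP 10.0.0.5:49153 -> 23.88.10.4:7878",
    "2014-04-18T10:02:30 TCP 10.0.0.5:49154 -> 23.228.204.55:443",
    "2014-04-18T10:03:11 TCP 10.0.0.5:49155 -> 192.0.2.10:7878",
]

# Assumed log shape: "... -> <dst ip>:<dst port>".
CONN_RE = re.compile(r"->\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")

def find_unflod_dylib(paths):
    """Return the entries that are the Unflod Mobile Substrate library."""
    return [p for p in paths if p == UNFLOD_DYLIB]

def find_c2_connections(log_lines):
    """Tag each connection to a documented C&C address; port 7878 to other
    hosts is reported separately because it is a much weaker signal."""
    hits = []
    for line in log_lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        dst, port = m.group("dst"), int(m.group("port"))
        if dst in C2_ADDRESSES:
            hits.append((line, "c2-address" if port == C2_PORT else "c2-address-other-port"))
        elif port == C2_PORT:
            hits.append((line, "port-7878-unknown-host"))
    return hits

def assess(paths, log_lines):
    """Combine file and network indicators into a single verdict."""
    dylib = find_unflod_dylib(paths)
    conns = find_c2_connections(log_lines)
    if dylib:
        verdict = "infected"          # the hook library itself is present
    elif any(tag.startswith("c2-address") for _, tag in conns):
        verdict = "suspicious"        # traffic to the C&C without the file
    else:
        verdict = "clean"
    return {"verdict": verdict, "dylib": dylib, "connections": conns}
```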
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| Product | Detection Availability |
|---|---|
| FortiClient | Extreme |
| FortiMail | Extreme |
| FortiSandbox | Extreme |
| FortiWeb | Extreme |
| Web Application Firewall | Extreme |
| FortiIsolator | Extreme |
| FortiDeceptor | Extreme |
| FortiEDR | |