iOS/SSLCreds.A!tr.pws

description-logoAnalysis

The malware targets jailbroken iOS devices, onto which it steals Apple credentials and reports them to a remote C&C.

Technical Details


The malware consists of a Cydia Mobile Substrate dynamic library (extensions for jailbroken phones) named /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib. It hooks the SSLWrite function of the Security.framework and will listen to apple identifiers or keywords sent during authentication to
http://APPLE LOGIN SERVER/WebObjects/MZFinance.woa/wa/authenticate
The stolen credentials are sent to 23.88.10.4 or 23.228.204.55 on port 7878.

recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR

Version Updates

Date Version Detail
2022-06-15 90.03283
2022-06-12 90.03196