Analysis of an Info Stealer — Chapter 1: The Phishing Website

Fr4
6 min read · Jan 8, 2024


Introduction

In November 2023, McAfee released an article titled “Fake Android and iOS Apps Steal SMS and Contacts in South Korea.” Basically, some threat actors are spreading malicious apps, both for Android and iOS users, through various phishing websites in order to steal sensitive data from users.

Intrigued by the malicious iOS app, I searched for the .ipa files, listed in the IoCs section of the article, on platforms such as MalwareBazaar or VirusTotal, but without success.

Consequently, I opted to conduct my own investigation starting from the initial link of the chain — the phishing websites — in order to download the malicious iOS app. Since several interesting things emerged during the analysis, I decided to present my findings in three separate articles instead of a lengthy one. You can explore the other parts through the following links:

  1. Analysis of an Info Stealer — Chapter 1: The Phishing Website
  2. Analysis of an Info Stealer — Chapter 2: The iOS App
  3. Analysis of an Info Stealer — Chapter 3: The Android App

Technical Analysis

Utilizing the IoCs shared in the article as a starting point, I conducted an analysis of numerous phishing websites and their infrastructures. The objective was to gain a comprehensive understanding of the campaign and identify patterns that could lead to the discovery of additional phishing sites (since some of them were no longer available).

In fact, by using https://urlscan.io/, I uncovered additional phishing websites targeting users not only in South Korea but also in India and China, as illustrated in Figure 1.

Figure 1 — Examples of phishing websites that use QR Codes to make people download iOS malware

Examining the phishing websites, it is possible to notice a feature that is consistent across all of them: two buttons facilitating the download of the apps for Android and iOS devices. Nevertheless, an interesting distinction arises when the victim selects the button to download the Android app: this results in a straightforward .apk file download, regardless of whether it is done from an Android device or from a desktop. The scenario is different for iOS, which is one of the reasons why I wanted to write this article.

Figure 2 — Example of phishing website

In particular, when the user clicks on the “App Store” button, another web page is shown to the victim. Inside this new website, a first piece of JavaScript code is used to detect various properties of the user’s browser and adapt its behavior. In particular, as shown in Figure 3, the script checks if the user is using:

  • trident: the Trident rendering engine (commonly associated with Internet Explorer).
  • presto: the Presto rendering engine.
  • webKit: the WebKit rendering engine (commonly associated with Safari and some other browsers).
  • gecko: the Gecko rendering engine (commonly associated with Firefox).
  • mobile: a mobile browser. This is determined by searching for the string “AppleWebKit” followed by “Mobile” in the user agent.
  • ios: an iOS device (iPhone, iPad, iPod).
  • android: an Android device.
  • iPhone: an iPhone.
  • iPad: an iPad.
  • webApp: a web application (Safari is excluded).
  • weixin: WeChat’s built-in browser.
  • qq: QQ Browser.
  • qq2: QQ Browser but not WeChat’s built-in browser.
  • qq1: QQ Browser and also QQ’s mobile browser.
  • safari: Safari but not Chrome or CriOS (Chrome for iOS), and not within the QQ Browser.

Figure 3 — JavaScript code used to detect various properties of the user’s browser

When the user is not on an iOS device, for example when accessing the phishing website through a browser on a workstation, the page displays a QR code in order to encourage the user to switch to his/her iPhone (Figure 4, on the left). Conversely, if the user is on an iOS device, a website interface similar to the Apple Store is displayed for downloading the iOS app (Figure 4, on the right).

Figure 4 — Example of phishing website after clicking the “App Store” button
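To make the branching concrete, the following is an added example (not the phishing page’s own script): a reconstruction of the user-agent checks listed above, applied to a few constructed user-agent strings, so an analyst replaying the page can see which client would be steered to the QR-code page and which to the fake store page. The exact expressions the kit uses are an assumption based on the description of each flag; the sample user agents and the `detectClient`/`pageFor` names are mine.

```javascript
// Added example: reconstruction of the browser-sniffing flags described in the article.
// The expressions are assumed from the description of each flag, not copied from the kit.
const SAMPLE_UAS = {
  // Constructed user-agent strings for the walkthrough.
  iphoneSafari: 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Mobile/15E148 Safari/604.1',
  iphoneChrome: 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/120.0.6099.119 Mobile/15E148 Safari/604.1',
  windowsChrome: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
  androidWeChat: 'Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36 MicroMessenger/8.0.42',
};

function detectClient(ua) {
  const has = (s) => ua.indexOf(s) > -1;
  const qq = /QQBrowser/i.test(ua);       // QQ Browser marker (assumed pattern)
  const weixin = has('MicroMessenger');   // WeChat's built-in browser
  return {
    trident: has('Trident'),
    presto: has('Presto'),
    webKit: has('AppleWebKit'),
    // WebKit browsers carry "KHTML, like Gecko", so a real Gecko build is "Gecko" without "KHTML".
    gecko: has('Gecko') && !has('KHTML'),
    // "AppleWebKit" followed by "Mobile", as the article describes.
    mobile: /AppleWebKit.*Mobile/.test(ua),
    ios: /iPhone|iPad|iPod/.test(ua),
    android: has('Android') || has('Adr'),
    iPhone: has('iPhone'),
    iPad: has('iPad'),
    webApp: !has('Safari'),
    weixin,
    qq,
    qq2: qq && !weixin,
    qq1: qq && has('MQQBrowser'),
    safari: has('Safari') && !has('Chrome') && !has('CriOS') && !qq,
  };
}

// The branch the article describes: non-iOS clients get the QR-code page,
// iOS clients get the fake store page that serves the .ipa.
function pageFor(ua) {
  return detectClient(ua).ios ? 'fake-app-store' : 'qr-code';
}

for (const [name, ua] of Object.entries(SAMPLE_UAS)) {
  console.log(name.padEnd(14), '->', pageFor(ua));
}
```

Note that the decision hinges only on the `ios` flag: a workstation browser whose user agent is changed to an iPhone one is enough to reach the download page, which is how the next steps of this analysis were captured.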

Advancing with the analysis, towards the end of the HTML page, two <script> blocks containing obfuscated JavaScript code caught my attention. However, I will specifically delve into the obfuscated script shown in Figure 5, as it encapsulates the logic responsible for downloading the iOS info stealer.

Figure 5 — Obfuscated JavaScript code
Figure 6 — Deobfuscated JavaScript code

Although the JavaScript code appears to be obfuscated with https://obfuscator.io/ (an open-source and legitimate obfuscator), it is easy to deobfuscate it and obtain readable code. Once deobfuscated, the code reveals approximately 60 functions and multiple interesting strings that help the static analysis, as shown in Figure 6.

Intercepting the communications during the .ipa file download phases, it is possible to observe that the first GET request is made to the following path, “/api/task/createV3/[viewCode_value]/[string]”, by the function called “v3InstallIP”, where:

  • [viewCode_value] is the string value stored inside the viewCode variable (it changes in each phishing website)
  • [string] is a long string generated by an algorithm inside the “com” function, which takes as its argument the sum of the output of the “rad” function and of the “Date().getTime().toString()” JavaScript call.

An interesting detail in the server response is the message value, which contains a Chinese string meaning “Successful operation”.

Figure 7 — Request and Response used to download the malicious iOS app

After that, another request to “/api/task/query/[…]” is made, using the “getStatus” function, in order to get a URL to download the plist file.
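From a defender’s point of view, the value of this request sequence is that it is a recognizable chain. The following is an added example (not code from the article or from the kit) that scans constructed web-proxy log lines for the createV3 and query requests described above, together with the final “/app/down/[user-ip]/[string]” request described later in the article, and flags a client/host pair only when more than one stage of the chain is seen, so that a generic “/api/task/query/” path on an unrelated site does not fire on its own. The log format, hostnames and IPs are constructed placeholders.

```javascript
// Added example: detection of the .ipa delivery chain in proxy logs.
// Log lines below are constructed; format is "<timestamp> <client-ip> <method> <url> <status>".
const SAMPLE_LOG = [
  '2024-01-08T10:00:01Z 198.51.100.7 GET https://phish.example.invalid/api/task/createV3/a1b2c3/9f8e7d6c5b4a 200',
  '2024-01-08T10:00:02Z 198.51.100.7 GET https://phish.example.invalid/api/task/query/9f8e7d6c5b4a 200',
  '2024-01-08T10:00:03Z 198.51.100.7 GET https://phish.example.invalid/app/down/198.51.100.7/9f8e7d6c5b4a 200',
  // Unrelated internal API that happens to use a similar path; must not be flagged alone.
  '2024-01-08T10:05:00Z 198.51.100.9 GET https://intranet.example.invalid/api/task/query/123 200',
];

// Stages of the chain as described in the article, in the order they occur.
const CHAIN = [
  { stage: 'createV3', re: /\/api\/task\/createV3\/[^/\s]+\/[^/\s]+/ },
  { stage: 'query',    re: /\/api\/task\/query\// },
  { stage: 'download', re: /\/app\/down\/\d{1,3}(?:\.\d{1,3}){3}\// },
];

function parseLine(line) {
  const m = line.match(/^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$/);
  if (!m) return null;
  const url = new URL(m[4]);
  return { ts: m[1], client: m[2], method: m[3], host: url.host, path: url.pathname, status: m[5] };
}

// Returns the client/host pairs that hit at least `minStages` distinct stages of the chain.
function findInstallChains(lines, minStages = 2) {
  const seen = new Map(); // "client|host" -> Set of stage names
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    for (const { stage, re } of CHAIN) {
      if (!re.test(rec.path)) continue;
      const key = `${rec.client}|${rec.host}`;
      if (!seen.has(key)) seen.set(key, new Set());
      seen.get(key).add(stage);
    }
  }
  const hits = [];
  for (const [key, stages] of seen) {
    if (stages.size < minStages) continue;
    const [client, host] = key.split('|');
    hits.push({ client, host, stages: CHAIN.map((c) => c.stage).filter((s) => stages.has(s)) });
  }
  return hits;
}

console.log(JSON.stringify(findInstallChains(SAMPLE_LOG), null, 2));
```

Requiring two or more stages keeps the rule useful even if the kit’s path names drift, while a single match can still be surfaced at lower confidence by calling `findInstallChains(lines, 1)`.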

A plist file is a text file that contains data in the Property List format. It is used by macOS, iOS, and iPadOS applications to store settings and other data as key-value pairs.

The following plist file contains some basic information regarding the malicious iOS app, in particular:

  • The URL used to download the app
  • The URL used to download the icons
  • The bundle-identifier and version
  • The name of the app

The final step to download the malicious app on the iOS device is made by a GET request to “/app/down/[user-ip]/[string]”.
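The plist served here is an over-the-air install manifest: the four pieces of information listed above sit in fixed places inside it, so an analyst can pull them out (and the hosts to block) automatically from a captured manifest. The following is an added example, not the kit’s code: a small parser for XML plists (dict, array, string, integer, true/false) and an extractor for the manifest fields. The sample manifest is constructed following Apple’s documented OTA manifest layout (`items` → `assets`/`metadata`), with placeholder hostnames, bundle identifier and version.

```javascript
// Added example: parse a captured OTA install manifest and extract the delivery details.
// The manifest below is constructed; every hostname and identifier is a placeholder.
const SAMPLE_MANIFEST = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>items</key><array><dict>
<key>assets</key><array>
<dict><key>kind</key><string>software-package</string>
<key>url</key><string>https://phish.example.invalid/app/down/203.0.113.10/AbCdEf</string></dict>
<dict><key>kind</key><string>display-image</string>
<key>url</key><string>https://cdn.example.invalid/icon57.png</string></dict>
<dict><key>kind</key><string>full-size-image</string>
<key>url</key><string>https://cdn.example.invalid/icon512.png</string></dict>
</array>
<key>metadata</key><dict>
<key>bundle-identifier</key><string>com.example.placeholder</string>
<key>bundle-version</key><string>1.0.3</string>
<key>kind</key><string>software</string>
<key>title</key><string>Placeholder App</string>
</dict></dict></array></dict></plist>`;

const unescapeXml = (s) =>
  s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"').replace(/&apos;/g, "'").replace(/&amp;/g, '&');

// Split the XML into open/close/self-closing tag tokens and non-blank text tokens.
function tokenize(xml) {
  const body = xml.replace(/<\?xml[^>]*\?>/, '').replace(/<!DOCTYPE[^>]*>/, '');
  const re = /<([A-Za-z]+)(?:\s[^>]*)?\/?>|<\/([A-Za-z]+)>|([^<]+)/g;
  const tokens = [];
  let m;
  while ((m = re.exec(body)) !== null) {
    if (m[1] !== undefined) tokens.push({ type: m[0].endsWith('/>') ? 'self' : 'open', name: m[1] });
    else if (m[2] !== undefined) tokens.push({ type: 'close', name: m[2] });
    else if (m[3].trim() !== '') tokens.push({ type: 'text', value: m[3] });
  }
  return tokens;
}

// Reads <name>text</name> (text may be empty) starting at pos.
function readText(tokens, pos, name) {
  if (!(tokens[pos].type === 'open' && tokens[pos].name === name)) throw new Error(`expected <${name}> at ${pos}`);
  pos++;
  let text = '';
  if (tokens[pos].type === 'text') { text = tokens[pos].value; pos++; }
  if (!(tokens[pos].type === 'close' && tokens[pos].name === name)) throw new Error(`expected </${name}> at ${pos}`);
  return { text: unescapeXml(text), pos: pos + 1 };
}

function parseValue(tokens, pos) {
  const t = tokens[pos];
  if (t.type === 'open' && t.name === 'dict') {
    const obj = {};
    pos++;
    while (!(tokens[pos].type === 'close' && tokens[pos].name === 'dict')) {
      const k = readText(tokens, pos, 'key');
      const v = parseValue(tokens, k.pos);
      obj[k.text] = v.value;
      pos = v.pos;
    }
    return { value: obj, pos: pos + 1 };
  }
  if (t.type === 'open' && t.name === 'array') {
    const arr = [];
    pos++;
    while (!(tokens[pos].type === 'close' && tokens[pos].name === 'array')) {
      const v = parseValue(tokens, pos);
      arr.push(v.value);
      pos = v.pos;
    }
    return { value: arr, pos: pos + 1 };
  }
  if (t.type === 'open' && (t.name === 'string' || t.name === 'integer')) {
    const r = readText(tokens, pos, t.name);
    return { value: t.name === 'string' ? r.text : Number(r.text), pos: r.pos };
  }
  if (t.type === 'self' && (t.name === 'true' || t.name === 'false')) return { value: t.name === 'true', pos: pos + 1 };
  throw new Error(`unsupported plist token <${t.name || t.type}> at ${pos}`);
}

function parsePlist(xml) {
  const tokens = tokenize(xml);
  if (!(tokens.length && tokens[0].type === 'open' && tokens[0].name === 'plist')) throw new Error('not an XML plist');
  return parseValue(tokens, 1).value;
}

// Pulls out the fields the article lists, plus the hosts involved, for blocking or pivoting.
function extractManifestInfo(xml) {
  const item = (parsePlist(xml).items || [])[0];
  if (!item) throw new Error('manifest has no items');
  const byKind = {};
  for (const a of item.assets || []) byKind[a.kind] = a.url;
  const meta = item.metadata || {};
  return {
    packageUrl: byKind['software-package'],
    iconUrls: [byKind['display-image'], byKind['full-size-image']].filter(Boolean),
    bundleId: meta['bundle-identifier'],
    version: meta['bundle-version'],
    title: meta.title,
    hosts: [...new Set(Object.values(byKind).map((u) => new URL(u).host))],
  };
}

console.log(extractManifestInfo(SAMPLE_MANIFEST));
```

The `software-package` URL in the manifest is the one that triggers the last GET request to “/app/down/[user-ip]/[string]”, so it is the most useful field to extract when hunting for additional hosts of the same campaign.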

At this point, you may be wondering: “How can this app be installed on an iOS device if it has not been downloaded from the Apple Store?”

Apple allows organizations to use enterprise distribution certificates to deploy apps to their employees’ devices without going through the App Store. Abuse of this feature by threat actors is not uncommon and has been observed in various cases; it is a tactic already familiar within the security landscape. In fact, before the .ipa file is downloaded, a “profile” is downloaded to the victim’s device, as shown in Figure 8, so the victim must first install the profile and then, once the app has been downloaded and installed, verify the app.

Figure 8 — Installation of the enterprise profile

Conclusions

This article has been written to illustrate in some detail how this phishing campaign is delivering malicious apps for both Android and iOS devices. Furthermore, through this investigation I found other phishing websites that target not only users in South Korea, but also those in India and China.

I conclude this article by sharing the query that I used on urlscan.io to find some of the phishing domains used in this campaign:

page.ip:"103.207.165.121" OR page.ip:"154.84.17.155" OR page.ip:"154.84.17.158" OR page.ip:"103.207.164.33"

(NB: filter the results by a page size of about 800 KB)

Indicators of Compromise (IOCs)

https:]//mdszsdg.]com/8q75t
https:]//bcy.xqysiv.]xyz/30sch
https:]//telegraming.]pro/
https:]//mdszsdg.]com/x4ujf
https:]//xi8xxui.]wocbosh.]xyz/uwssz
https:]//ahf8f.]mnmhxi.]xyz/ewf3n

