Tuesday, May 4, 2021

Grab your own copy of Phenakite iOS malware today

 Facebook has recently published a technical paper regarding a threat actor named APT-C-23.

Almost half of their report is about a new iOS malware that is in use by the threat actor.

Facebook called this malware Phenakite and provided 2 hashes of malware samples, however, those samples are not publicly available (yet).

Since I am Android type of person, naturally the Android malware interested me more than the iOS malware.

After playing a little with the Android malware, I decided to see what I can learn about the iOS malware, but how? I don't have any sample and I am quite clueless with Apple devices at every possible level. Well:

We don’t need bombs we got fire kites

Fortunately, the distribution site of the malware was still alive:



Well, not much to do other than download the app, well  the link is not directly the app apparently:


The file is binary, but also contains strings that might be interesting. There are several tools that parse mobileconfig files, a curious reader might try to parse the file for additional information, as this probably should trigger the download of the app after the policy is accepted.

But now what?

Feeling stuck? no worries I felt the same as well. Since I don't have iOS device to try it out, I decided to inspect the code of the website:


Oh look at that, commented code, that must be good :P


WhoOpSec!


There was also a reference to a file named app.plist lets try to grab it, shall we?



Ok, this is plain text and simple, the software package is app.ipa, lets grab that as well:



Ah, close, but no cigar, this hash doesn't match the two samples in Facebook report.

Could it be a new sample? doubt it, look at the date. So what is this file? ipa obviously! Not to be confused with IPA.

Essentially it is a Zip file, so lets unzip that payload:


I moved all the images to a folder to keep only the potentially interesting files from the archive, namely "app" stands out, what is it?



And that, kids, how I met your malware, e567efd5c800c5b0c6eb5aa0bccc10e9 , I met her on Facebook, report.

Congratulations, this is the first time the blog actually does what it stands for, sharing malware for everyone with a hint of analysis. (if you are reading this too late and the distribution site of the malware is down, no worries, it is also available at VirusTotal as a standalone and as an archive)

Now you can enjoy your own copy of Phenakite and start reversing the Mach-O if you know how to :)


Bonus lol's:

The terms of service of the malware is.... Lorem Ipsum :


The privacy is seem to be borrowed from "relatedcode.com" which has an open source chat for iOS repository, this is most likely the chat app that Facebook was referring to:


All your base is on fire:


More interesting strings:



phenakite.zip

MD5: 54e5e93c00c963cb66fd2d248c4c6ce7
SHA-1: 05527dddb79329d844f1954e3d36601926410bca
SHA-256: c2d66369c974558adbcd801b409492b73ad1cb5f9f412ef3a8820f1cae526903

app

MD5: e567efd5c800c5b0c6eb5aa0bccc10e9
SHA-1: da99195ff43093fb8237201e2ce412a925580a53
SHA-256: e1494164865acb719c1e32c86adf810ce52fcc48c46e777b9f98a99648de62c2