Field | Value |
---|---|
ID | X0024 |
Aliases | None |
Platforms | iOS |
Year | 2015 |
Associated ATT&CK Software | YiSpecter |
YiSpecter is Apple iOS malware that can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to a C2 server. It uses tricks to hide its icons from iOS’s SpringBoard, which prevents the user from finding and deleting it. The components also use the same name and logos of system apps to trick iOS power users. [1]
See ATT&CK: YiSpecter - Techniques Used.
Name | Use |
---|---|
Defense Evasion::Hide Artifacts (E1564) | Hides its icons from iOS's SpringBoard and uses the same names and logos as system apps to trick iOS power users [1] |
Persistence::Modify Existing Service (F0011) | Hijacks other installed applications' launch routines to use "ADPage" (an installed malicious app) to display advertisements [1] |
Lateral Movement::Supply Chain Compromise::Exploit Private APIs (E1195.m02) | Use of private APIs allowed both installation of malicious apps and uninstallation of legitimate apps without user notification [1] |
Lateral Movement::Supply Chain Compromise::Abuse Enterprise Certificates (E1195.m01) | YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution [1] |
Impact::Generate Fraudulent Advertising Revenue::Advertisement Replacement Fraud (E1472.m02) | Displays brief advertisements whenever the user opens applications on their phone [1] |
Name | Use |
---|---|
Execution::Install Additional Program (B0023) | Can download and install arbitrary iOS apps [1] |
Command and Control::Command and Control Communication::Send System Information (B0030.006) | Connects to the command and control server using HTTP to send device information [1] |
Defense Evasion::Install Insecure or Malicious Configuration (B0047) | Changes iOS Safari's default configuration [1] |
SHA256 Hashes
C2 Server:
- bb800[.]com
- iosnoico.bb800[.]com: used to upload information, download configs and commands, and download malicious components
- qvod.bb800[.]com: used to download main app
- qvios.od.bb800[.]com: used to download main app
- dp.bb800[.]com: used to download promoted iOS apps
- iosads.cdn.bb800[.]com: used to download promoted iOS apps and malicious components
[1] http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/