A watering-hole campaign that used malicious website links to lure users into installing spyware on their iPhones has been discovered. The attack targeted iPhone users in Hong Kong.
Trend Micro and Kaspersky published research showing that the “Operation Poisoned News” attack uses a remote iOS exploit chain to deploy a feature-rich implant called ‘LightSpy’. The chain is delivered through links to local news websites; when a link is clicked, the malware payload executes and allows an intruder to exfiltrate sensitive data from the affected device and even take full control of it.
Watering-hole attacks allow an attacker to compromise a specific group of users by infecting websites they usually visit, in order to gain access to the victims’ devices and load them with malware.
The APT group, dubbed “TwoSail Junk” by Kaspersky, is said to be leveraging vulnerabilities present in iOS 12.1 and 12.2 on all models from the iPhone 6 to the iPhone X. The attacks were first noticed in January.
In this campaign, fake links are posted on multiple forums popular with Hong Kong residents. The links lead to news stories on topics that are sex-related, clickbait, or related to the ongoing coronavirus pandemic.
On clicking the URLs, users are led either to legitimate news outlets that have been compromised or to websites set up specifically for this campaign by the operators. In both cases, a hidden iframe is used to load and execute malicious code. The malicious website created by the attacker contained three iframes pointing to different sites: the visible iframe led to a legitimate news site, one invisible iframe was used for website analytics, and the last one led to a site hosting the main script of the iOS exploits.
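The three-iframe layout described above is something a defender can look for when triaging a suspicious page: an iframe that is hidden (zero size, `display:none`, or the `hidden` attribute) and that loads content from a host other than the page itself. The script below is an added example written for this article, not code from Trend Micro, Kaspersky, or the campaign itself; the HTML sample and every hostname in it are constructed placeholders, not indicators from the real attack.

```python
"""Flag hidden iframes that pull content from off-site hosts.

Added example for this article (not from the original research). The sample
page and hostnames below are constructed for the demo and are not real
indicators of compromise.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides an element outright.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value):
    """True for width/height values of 0 or 1 (px or bare), a common way to hide a frame."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Boolean attributes such as `hidden` arrive with a None value.
            self.iframes.append(dict(attrs))


def iframe_is_hidden(attrs):
    """Return True if the iframe would not be visible to the user."""
    if "hidden" in attrs:
        return True
    if HIDDEN_STYLE.search(attrs.get("style") or ""):
        return True
    return _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height"))


def find_hidden_offsite_iframes(html, page_url):
    """Return the src of each hidden iframe whose host differs from the page's host.

    Relative or same-host frames are skipped: the pattern in the report is a
    hidden frame fetching a third-party site that serves the exploit script.
    """
    page_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host and host != page_host and iframe_is_hidden(attrs):
            findings.append(src)
    return findings


# Constructed sample mimicking the layout in the report: one visible frame to
# a news story, one zero-size analytics frame, one display:none frame to a
# third-party host, plus a same-origin hidden widget that should not be flagged.
SAMPLE_PAGE = """
<html><body>
<iframe src="https://news.example/story/123" width="100%" height="900"></iframe>
<iframe src="https://stats.example/track.html" width="0" height="0"></iframe>
<iframe src="https://static.example/x/" style="display:none"></iframe>
<iframe src="/local/widget.html" style="display:none"></iframe>
</body></html>
"""
SAMPLE_URL = "https://forum-link.example/news.html"  # placeholder page URL

if __name__ == "__main__":
    for src in find_hidden_offsite_iframes(SAMPLE_PAGE, SAMPLE_URL):
        print("hidden off-site iframe:", src)
```

Both the analytics frame and the exploit-hosting frame are flagged, because from the HTML alone they look identical; the point of the check is to produce a short list of off-site hosts for an analyst to look at, not to decide on its own which one is malicious. The visible news frame and the same-origin hidden widget are left out.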
The malware exploits a “silently patched” Safari vulnerability: when the malicious page is rendered in the browser, a use-after-free memory flaw is triggered that allows the attacker to execute arbitrary code with root privileges and install the proprietary LightSpy backdoor. The bug was resolved with the release of iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, and watchOS 5.2.1.
Besides being capable of remotely executing shell commands and taking full control of the device, the spyware can load a variety of downloadable modules that exfiltrate data such as contact lists, GPS location, Wi-Fi connection history, hardware data, iOS keychains, phone call records, mobile Safari and Chrome browser history, and SMS messages.
LightSpy also targets messaging applications like Telegram, QQ, and WeChat to steal account information, contacts, groups, messages, and attached files.
To mitigate the threat, users are advised to keep their devices up to date.