Take care, spyware is slipping into your phones through Operation Poisoned News

Nelson William Gamazo Sanchez (Trend Micro), Lilang Wu (Trend Micro), Elliot Cao (Trend Micro) & Ecular Xu (Trend Micro)

Around January 2020, we discovered a watering hole attack against iOS users in Hong Kong that our team named "Operation Poisoned News". The name comes from the tactic used to target users: web pages disguised as local news pages and built with multiple iframes that load an iOS exploit. Links to the crafted pages were posted on several popular Hong Kong forums, and visitors who followed them were infected if they were using an unpatched iPhone.

The exploit targets iOS versions 12.1 to 12.2 on several iPhone models up to the iPhone X. Once a device is compromised, a full-featured spyware implant is installed on it.

The iOS malware, which we dubbed lightSpy, is a modular backdoor that lets the attacker remotely execute shell commands and manipulate files on the infected device. It also implements several modules for exfiltrating data from the device, including:
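The two traits described above, a "news" page carrying an extra iframe that pulls an exploit from another site and an exploit that only works on a narrow iOS version range, are both things an analyst can check for when triaging a captured landing page and the visitor logs behind it. The script below is an added example and is not Trend Micro's code; the page URL, the HTML and the User-Agent strings are constructed for illustration, and the 12.1 to 12.2 window is taken from the abstract.

```python
"""Triage a captured landing page and visitor User-Agents for the traits the
abstract describes. Added example, not code from the original research; the
page URL, HTML and User-Agent strings are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
IOS_VERSION = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":          # HTMLParser lower-cases tag names
            self.iframes.append(dict(attrs))


def suspicious_iframes(html, page_url):
    """Return [(src, reasons)] for iframes that load content from an origin
    other than the page's own, or that are styled so the user never sees them."""
    page_host = urlparse(page_url).hostname
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        reasons = []
        if urlparse(src).hostname not in (None, page_host):   # relative src -> same origin
            reasons.append("cross-origin")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden-by-style")
        if attrs.get("width") in ("0", "0px") or attrs.get("height") in ("0", "0px"):
            reasons.append("zero-size")
        if reasons:
            findings.append((src, reasons))
    return findings


def ios_version(user_agent):
    """Parse the iOS version out of a Safari User-Agent as (major, minor, patch)."""
    m = IOS_VERSION.search(user_agent)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def in_exploit_window(user_agent, low=(12, 1), high=(12, 2)):
    """True if the visitor's iOS major.minor falls in the 12.1 to 12.2 range the
    abstract names. Defensive use: rank which visitors to a suspect page could
    actually have been exploited, rather than treating every hit as an infection."""
    v = ios_version(user_agent)
    return v is not None and low <= v[:2] <= high


# Constructed sample: a fake "local news" page with one hidden, off-site iframe.
SAMPLE_PAGE_URL = "https://news.example/local/story"
SAMPLE_HTML = """<html><body>
<h1>Local news</h1>
<iframe src="/story-body"></iframe>
<iframe src="https://cdn.example/player" width="300" height="200"></iframe>
<iframe src="https://exploit.example/ios" style="display:none" width="0" height="0"></iframe>
</body></html>"""
SAMPLE_UA_VULNERABLE = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) "
                        "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1")
SAMPLE_UA_PATCHED = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) "
                     "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Mobile/15E148 Safari/604.1")

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{src}: {', '.join(why)}")
    for ua in (SAMPLE_UA_VULNERABLE, SAMPLE_UA_PATCHED):
        print(ios_version(ua), "in exploit window:", in_exploit_window(ua))
```

A cross-origin iframe on its own is normal (ad and video embeds are exactly that), which is why the second and third indicators matter: an off-site frame that is also hidden or zero-sized has no legitimate reason to be on a news page. The User-Agent check is only as good as the client's honesty, but for retrospective log review of a known watering hole it separates likely victims from visitors the exploit would have ignored.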

  • Hardware information

  • Contacts

  • Keychain

  • SMS messages

  • Phone call history

  • GPS location

  • Connected Wi-Fi history

  • Browser history of Safari and Chrome


It also reports on the device's surroundings by:

  • Scanning IP addresses on the local network

  • Scanning available Wi-Fi networks


There are also modules specifically designed to exfiltrate data from popular messenger applications including QQ, WeChat and Telegram.

The lightSpy malware has a modular design with multiple capabilities including:

  • Modules update

  • Remote command dispatch per module

  • A complete shell command module

While analysing the payload delivered by the iOS exploit, we noticed a decoded configuration file pointing to a URL containing the word "Android". This hinted that an Android version of lightSpy related to this campaign probably existed. Further hunting showed that the attackers also targeted Android devices during 2019: the campaign posted links to a malicious APK file on public Hong Kong Telegram channels, with the message disguised as a promotion for a legitimate application to trick people into installing the malware on their Android devices. This malware can also exfiltrate device information, contacts and SMS messages. We dubbed the Android malware dmsSpy.

In this presentation we will discuss the details of the Operation Poisoned News campaign and present an analysis of the spyware targeting both Android and iOS devices (dmsSpy and lightSpy).
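An APK pushed through a chat channel under a false description is a sideloading case, and the first thing a practitioner does with such a sample is read its decoded manifest: on Android, an app cannot read device identifiers, contacts or SMS without declaring the matching permissions, so the permission set alone already contradicts a "legitimate application" cover story. The script below is an added example and is not Trend Micro's code; dmsSpy's real manifest is not on this page, so both manifests are constructed for illustration and the permission-to-data mapping is the example author's own.

```python
"""Triage a decoded AndroidManifest.xml for the permission set a dmsSpy-like
app needs to collect device information, contacts and SMS. Added example, not
code from the original research; both manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"

# Runtime permissions that unlock the data classes the abstract says dmsSpy
# collects (device information, contacts, SMS), plus a few closely related ones.
# Assumption: this mapping is the example author's choice, not taken from the sample.
DATA_ACCESS = {
    "android.permission.READ_PHONE_STATE": "device information",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def declared_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(A_NAME) for el in root.iter("uses-permission") if el.get(A_NAME)}


def has_sms_receiver(manifest_xml):
    """True if any <receiver> registers for the incoming-SMS broadcast, i.e. the
    app intends to see messages as they arrive rather than only read the inbox."""
    root = ET.fromstring(manifest_xml)
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(A_NAME) == SMS_RECEIVED:
                return True
    return False


def triage(manifest_xml):
    """Summarise what personal data the app can reach and whether it can send it out."""
    perms = declared_permissions(manifest_xml)
    data_classes = sorted({DATA_ACCESS[p] for p in perms if p in DATA_ACCESS})
    network = "android.permission.INTERNET" in perms
    sms_receiver = has_sms_receiver(manifest_xml)
    # Heuristic: a network path plus either broad personal-data access or live
    # SMS interception. Tune the threshold to the app's claimed purpose.
    suspicious = network and (len(data_classes) >= 2 or sms_receiver)
    return {"data_classes": data_classes, "network": network,
            "sms_receiver": sms_receiver, "suspicious": suspicious}


# Constructed sample: an app advertised as something harmless that asks for
# everything the abstract lists and hooks incoming SMS.
SAMPLE_SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Fake App">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a plain network-using app with no personal-data access.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Reader"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("fakeapp", SAMPLE_SPYWARE_MANIFEST), ("reader", SAMPLE_BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

A real APK stores its manifest as binary XML, so decode it first (for example with apktool) and feed the resulting AndroidManifest.xml to `triage`. The permission check is a filter, not a verdict: an SMS backup tool legitimately needs READ_SMS and INTERNET, so the finding has to be read against what the app claims to be, which in the Telegram lure described above was something unrelated.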
Nelson William Gamazo Sanchez (Trend Micro)

Nelson William Gamazo Sanchez is a security researcher in Trend Micro's ZDI Threat Hunting Team. He joined Trend Micro in 2014 and has since worked in multiple areas as a reverse engineer, vulnerability analyst and vulnerability researcher. He has worked in the security field since 2000 at multiple security-oriented companies, including anti-malware and computer forensics companies, and has spoken at several security conferences.
Lilang Wu (Trend Micro)

Lilang Wu is Security Research Leader in Trend Micro's Advanced Research Team. He mainly focuses on iOS, macOS and Android kernel vulnerability discovery and malware hunting, and has disclosed many vulnerabilities, including the masque attack on iOS named 'IOS_Landmine.A'. He has spoken at several security conferences, including Black Hat USA 2018 and 2019, Black Hat Europe 2018, CODE BLUE, HITB and Virus Bulletin.
Elliot Cao (Trend Micro)

Elliot Cao joined Trend Micro in 2017. A sandbox engine developer and vulnerability/threat/red team researcher, he focuses on browser and Windows kernel vulnerability research. He is a member of the SAL team, where his responsibilities include hunting 0-days in browsers and reverse engineering and vulnerability research on browsers to deliver root cause analysis (RCA) for product enhancement.
Ecular Xu (Trend Micro)

Ecular Xu is a security researcher at Trend Micro with experience in discovering mobile threats, reverse engineering and vulnerability research. He has been involved in revealing many threat campaigns, including AnubisSpy, GnatSpy, FakeSpy, Bouncing Golf and the SideWinder mobile attack, and has also exposed several vulnerabilities in Android and Linux.