Operation Pawn Storm is an ongoing cyber-espionage operation primarily targeting opposition to the Russian government, journalists, defense contractors, and the militaries of the United States and its allies. Operation Pawn Storm attacks targets using spear-phishing emails, legitimate-looking domains, and malicious iframes injected into legitimate websites. TrendLabs recently discovered two malicious iOS applications deployed by Operation Pawn Storm.
The first malicious application found by TrendLabs is called XAgent. XAgent can be installed on a stock iOS device using Apple’s ad hoc provisioning, which allows users to install applications from websites. The only infection method found by TrendLabs was a web page displaying the text “Tap Here to Install the Application.” After the application has been installed on a device running iOS 7, its icon becomes hidden and it immediately begins running in the background. Attempts to kill the application’s process result in it being relaunched immediately. When installed on a device running iOS 8, the application’s icon is not hidden and it is unable to restart automatically.
The second malicious application discovered by TrendLabs is called MadCap. MadCap can only be installed on jailbroken iOS devices and appears to hook the audio-related processes of iOS in order to record audio. TrendLabs reported that the infection method for this piece of malware was unknown.
Both pieces of malware connect to a command-and-control (C&C) server that was still live when TrendLabs published its report on February 4, 2015.