Post

iOS Modern Malware Persistence

Posted Updated
By
1 min read
iOS Modern Malware Persistence

Since the development of SeaShell iOS post-exploitation framework started, I was thinking about persistence techniques that can be applicable to a non-jailbroken (or jailbroken but rootless) iOS systems. So, after few days of brainstorming I came with few ideas that can be used and that I have already implemented in SeaShell.

Persistence

Persistence technique explained below can be used in real malware so be careful

Typically, we use launchctl to achieve persistence on iOS/macOS. However, on non-jailbroken iOS devices (and even on jailbroken ones nowadays, as they are rootless), the root directory (/) is not writable, which means that we cannot write to /Library/LaunchAgents or /Library/LaunchDaemons. Consequently, we are unable to install a .plist file that would launch the payload.

Recognizing the need for a persistence installation method, I came up with an idea: What if we inject the payload into existing user applications? Initially, I considered inserting a dynamic library (.dylib) into the bundle executable of an application, but this would require re-signing the binary. Then, I had another idea: we can replace the bundle executable with a custom binary that will first execute the payload and then call the original executable.

scheme Essentially, our custom executable will use the posix_spawn() function to execute the payload and then use execve() to invoke the original executable. Since execve() replaces the current process image with a new one, this is the optimal approach to launch the application. Below, you can find a diagram illustrating this process using the Calculator.app as an example.

To perform hooking we need:

  1. Patch Info.plist and add CFBundleBase64Hash containing base64 representation of <host>:<port> to connect back to.
  2. Move Calculator to Calculator.hooked. (CFBundleExecutable for other applications)
  3. Upload custom executable that will perform the loading and call it Calculator (CFBundleExecutable for other applications).
  4. Upload mussel payload that will call Pwny and perform connection.
  5. Perform chmod operations on both custom executable and mussel, otherwise posix_spawn() will die with error 13 which is Permission denied.
Post-Exploitation
seashell persistence ios malware
This post is licensed under CC BY 4.0 by the author.