
WireLurker

Posted: October 23, 2020

WireLurker is a Trojan downloader that compromises macOS computers and iPhones by bundling itself with other applications. WireLurker may use multiple techniques to install other threats onto the system and to transfer device and user information to an attacker's server. Besides avoiding unofficial application stores, most standard anti-malware precautions for these environments should block and remove WireLurker through the usual security solutions.

What Lurks in that Hot New Application

Social engineering plays a vibrant role in the installation stages of most Trojans' campaigns, and this was true even back in 2014. At that time, a new threat to macOS devices drew extensive analysis because of its creative abuse of bundling with desirable software. Although many of WireLurker's tricks are no longer new today, years ago it was a foreboding warning of worse and more sophisticated black hat programming to come.

WireLurker is a Trojan downloader that uses several means of installing other threats onto the system. It also can harvest some device and user information, although malware experts have not seen the Trojan using these features to exfiltrate passwords, for instance. The Trojan targets macOS systems and, mainly, iPhones, but it also includes a Windows port of its installer for compromising Windows users who own Mac devices.

WireLurker pretends to be a video player or another iPhone application and bundles the real version of that software as a distraction. At that point, victims may notice discrepancies such as requests for their admin passwords, unwanted applications installing automatically, and network connections to the Trojan's C&C domain ('comeinbaby.com'). The websites that distribute it tend to be unofficial (i.e., not Apple's) application storefronts aimed at Chinese phone owners.

What's Coming through WireLurker's Wires

WireLurker is compatible with both jailbroken and non-jailbroken phones. While malware analysts have not conclusively examined all WireLurker payloads, the Trojan uses technically interesting tactics for delivering them. Some of WireLurker's standout features include:

  • The Trojan uses USB-based monitoring, via a standard library, to trigger activity between infected computers and devices.
  • It may install or re-install Trojan-compromised versions of applications.
  • It can create backups of applications (for restoration, per the re-installation feature above).
  • The Trojan also can install threats as DLLs, which may draw less attention from the device's owner.
  • It can run its code inside system applications' processes via memory injection.

The Trojan also updates itself, which increases the flexibility of any payloads and C&C configuration options.

The emphasis on re-packaging applications shows that WireLurker's threat actor is reasonably proficient and understands application distribution models. Using standard security solutions for the relevant devices and PCs is essential for removing WireLurker before it causes harm through additional threats or collects confidential information. Although this Trojan downloader is old, at least three builds exist in the wild, all of which endanger users' privacy and security.

WireLurker might seem like nothing special from the vantage point of 2020, but at the time of its arrival on the threat landscape it showed more than a little creativity. That it used that cleverness as a brute-force weapon against its victims' security within China is lamentable, but it remains a demonstration of black hat prowess that no one should forget.
