More than a week ago, Unit42 of Palo Alto Networks revealed the existence of WireLurker – a iOS specific trojan capable of capturing sensitive user data. This blog post will be looking at a month’s worth of DNS traffic history to the two sites associated with WireLurker.

WireLurker was delivered to the user via unsanctioned third-party apps. The WireLurker network infrastructure was composed of two components – a delivery mechanism and a command and control (C2) server. The authors of WireLurker used the popular third-party app site app[.]maiyadi[.]com to deliver seemingly benign apps to user. Once infected, the trojan would contact the C2 server comeinbaby[.]com.

Let us first take a look at the historical traffic pattern of app[.]maiyadi[.]com and comeinbaby[.]com. Looking at the traffic graph for a months worth of traffic for app[.]maiyadi[.]com shows that it follows a typical diurnal pattern. Upswings during the day and downswings during the night. This is the sort of traffic that would be associated with a website attracting normal traffic.

Traffic for app[.]maiyadi[.]com

Screenshot 2014-11-14 14.16.46

The traffic for comeinbaby[.]com is far more interesting. Looking at traffic from Oct 18 – 20, one observes an almost constant level of traffic to the website. This could indicate that there was a high level of  communication between C2 server and infected host. The 21st sees a brief spike in traffic and then an increase in overall traffic. Surprisingly, this upswing in traffic is not maintained as traffic dips back down to Oct 18 – 20 levels. The large spikes seen towards the end of the graph came from Palo Alto’s announcement.

Traffic for comeinbaby[.]com

Screenshot 2014-11-14 14.11.47

The sample DNS query data for comeinbaby[.]com and app[.]maiyadi[.]com analyzed came from Oct 20th, Oct 25th and Nov 6th. We wanted to examine the behavior of the site around the time of spike activity and normalcy.

As was expected, the majority of traffic came from ASNs located in either Hong Kong or mainland China. During the Nov 6th spike we also noticed an increase in traffic to both sites from Europe and the US. An investigation into these new visitors led us to conclude that they were not infected users but instead security researchers who had heard Palo Alto Network’s announcement. A quick look at our sinkhole validates this as there are numerous connections to the comeinbaby[.]com domain from machines not using mobile browser user agents.

Screenshot 2014-11-14 13.51.48

With user agent strings that appear to be associated with a PC’s browser, and not a mobile device’s browser.

Screenshot 2014-11-14 13.55.37

What we wanted to examine were infected user interactions with the server. We created a set of users who had interacted with both comeinbaby[.]com and app[.]maiyadi[.]com on October 20th and 25th. Examining the DNS traffic history from this set showed some interesting behavior such as the frequent communication between the infected user and the C2 server. This frequent communication between user and server could possibly indicate that these were users infected with WireLurker A. WireLurker A had a daemon process that frequently made pull updates from the command server.

With regards to co-occurring domains, it was quite interesting that comeinbaby[.] had absolutely no co-occurring domains. You can see its isolation in the OpenGraphiti model.

hd-shot

Conversely, the app[.]maiyadi[.]com had numerous co-occurring domains including several that we have previously identified as malicious.

hd-shot2

We will continue to monitor the WireLurker domains for interesting variations as time goes on. One initial observation is that an IP associated with a known malicious actor from Ukraine also visited comeinbaby[.]com. This actor will continue to be tracked and, should any relevant attribution be discovered, the methods will be discussed in a future blog post. Look for further blog posts on this event that clarify our findings as the data rolls in.

This post is categorized in: