#BHASIA BlackHatEvents

You Shall not PASS: Analysing a NSO iOS Spyware Sample
Matthias Frielingsdorf

Matthias Frielingsdorf
VP of Research at iVerify
iOS Malware & Mobile Device Security
@helthydriver

September 7th 2023

Overview (iOS 9, iOS 10, iOS 11, iOS 12, iOS 13, iOS 14, iOS 15, iOS 16):
Infection vector: iMessage, PassKit attachment
Targets: USA-based civil society
Detection & technical analysis: Citizen Lab, forensic analysis
IOCs / Detection / CVEs: CVE-2023-41061, CVE- (second identifier cut off on the slide)
Attribution: NSO, Pegasus BLASTPASS exploit

Some BlastPass reports:
- Apple: About the security content of iOS 16.6.1 and iPadOS 16.6.1 (link cut off on the slide)
- Citizen Lab (September 7th 2023): https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
- Amnesty International: Forensic appendix: Pegasus 0-Click, https://securitylab.amnesty.org/latest/2023/12/pegasus-zero-click-exploit-threatens-journalists-in-india/
- iVerify: Clipping Wings: Our Analysis of a Pegasus Spyware Sample, https://www.iverify.io/post/clipping-wings-our-analysis-of-a-pegasus-spyware-sample

Today

No 0-days revealed

No weaponised sample leaked!

But

A journey on how we discovered and analyzed the latest sample of NSO's Pegasus exploit!

Today:
1. Detecting iOS malware with forensic analysis
2. Show the steps which are necessary to unveil the final payload
3. Discuss some indicators of compromise for this specific sample

How to do forensic analysis?

Previous iOS malware detection talks:
- 2022, OBTSv5: In Walled Gardens be careful of Poisoned Apples, https://objectivebythesea.org/v5/talks.html#Speaker_23
- 2023, HITB AMS: Poisoned Apples - Current state of iOS Malware Detection, https://conference.hitb.org/hitbsecconf2023ams/session/poisoned-apples-current-state-of-ios-malware-detection/
- 2023, OBTSv6: Poisoned Apples - How do we find them? https://objectivebythesea.org/v6/talks.html#Speaker_28

October 2023: customer contact

Potential compromised device

Data sources in this case: crashlogs, telemetry data, iTunes backups

Data sources and analysis tools: crashlogs -> scripts; telemetry data -> scripts; iTunes backups -> MVT

iOS malware analysis tools:
- Backups: Amnesty Security Lab Mobile Verification Toolkit, https://docs.mvt.re/en/latest/
- Crashlogs: Apple documentation (link cut off on the slide)

Example suspicious activities:
- Process starting from /private/var/tmp
- Process doing network calls
- Files written to disk
- Process crashes repeatedly

Crashlogs (timeline 09:30-10:00, 10:00-10:30, 10:30-11:00): 25x homed crashes around 09:30-10:00; 35x MessagesBlastDoorService crashes around 10:30-11:00

That's suspicious

open -a Console.app Crashes/homed/homed-2023-0*.ips

Homed crash:
Hardware Model: iPhone14,2
Process: homed [33317]
Path: /System/Library/PrivateFrameworks/HomeKitDaemon.framework/Support/homed
Identifier: homed
Parent Process: launchd [1]
Date/Time: 2023-0*.* +0100
Launch Time: 2023-0*.* +0100
OS Version: iPhone OS 16.6 (20G75)
Exception Type: EXC_CRASH (SIGABRT)
Termination Reason: SIGNAL 6 Abort trap: 6
Terminating Process: homed [33317]

open -a Console.app Crashes/MessagesBlastDoorService/MessagesBlastDoorService-2023-0*.*.ips

MessagesBlastDoorService crash:
Hardware Model: iPhone14,2
Process: MessagesBlastDoorService [34002]
Path: /System/Library/PrivateFrameworks/MessagesBlastDoorSupport.framework/XPCServices/MessagesBlastDoorService.xpc/MessagesBlastDoorService
Identifier: com.apple.MessagesBlastDoorService
Parent Process: launchd [1]
Date/Time: 2023-0*.* +0100
Launch Time: 2023-0*.* +0100
OS Version: iPhone OS 16.6 (20G75)
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Subtype: KERN_PROTECTION_FAILURE at 0x000000016d2a7f08
Terminating Process: exc handler [34002]
Triggered by Thread: 0

MessagesBlastDoorService crash, crashing thread backtrace:
0  CoreFoundation 0x1c191e644 _CFStringEncodeByteStream + 76
1  Foundation     0x1bbbdfeb0 -[NSString(NSStringOtherEncodings) getBytes:maxLength:usedLength:encoding:options:range:remainingRange:] + 260
2  CoreFoundation 0x1c1914c70 -[NSTaggedPointerString getBytes:maxLength:usedLength:encoding:options:range:remainingRange:] + 100
3  Foundation     0x1bbbdec9c -[NSString(NSStringOtherEncodings) getCString:maxLength:encoding:] + 136
4  Foundation     0x1bbbdeab8 NSClassFromString + 76
5  Foundation     0x1bbbfe838 _decodeObjectBinary + 1648
6  Foundation     0x1bbbd748c -[NSKeyedUnarchiver _decodeArrayOfObjectsForKey:] + 1592
7  Foundation     0x1bbbd6a88 -[NSArray(NSArray) initWithCoder:] + 152
8  Foundation     0x1bbbfeb4c _decodeObjectBinary + 2436
9  Foundation     0x1bbbd748c -[NSKeyedUnarchiver _decodeArrayOfObjectsForKey:] + 1592
10 Foundation     0x1bbbd6a88 -[NSArray(NSArray) initWithCoder:] + 152

MessagesBlastDoorService crash, backtrace continued:
11  Foundation 0x1bbbfeb4c _decodeObjectBinary + 2436
12  Foundation 0x1bbbd748c -[NSKeyedUnarchiver _decodeArrayOfObjectsForKey:] + 1592
13  Foundation 0x1bbbd6a88 -[NSArray(NSArray) initWithCoder:] + 152
14  Foundation 0x1bbbfeb4c _decodeObjectBinary + 2436
15  Foundation 0x1bbbd748c -[NSKeyedUnarchiver _decodeArrayOfObjectsForKey:] + 1592
16  Foundation 0x1bbbd6a88 -[NSArray(NSArray) initWithCoder:] + 152
17  Foundation 0x1bbbfeb4c _decodeObjectBinary + 2436
18  Foundation 0x1bbbd748c -[NSKeyedUnarchiver _decodeArrayOfObjectsForKey:] + 1592
19  Foundation 0x1bbbd6a88 -[NSArray(NSArray) initWithCoder:] + 152
…
507 Foundation 0x1bbbd748c -[NSKeyedUnarchiver _decodeArrayOfObjectsForKey:] + 1592
508 Foundation 0x1bbbd6a88 -[NSArray(NSArray) initWithCoder:] + 152
509 Foundation 0x1bbbfeb4c _decodeObjectBinary + 2436
510 Foundation 0x1bbbd748c -[NSKeyedUnarchiver _decodeArrayOfObjectsForKey:] + 1592
The same three frames repeat all the way down to frame 510: NSKeyedUnarchiver is unarchiving deeply nested arrays.

That's suspicious (2)

Let's quickly check the backup!

Backup - MVT extract of DataUsage.sqlite, 2023-0*, WWAN data:
12:*  IMTransferAgent / com.apple.datausage.messages  IN: 32561646.0, OUT: 621714.0
12:*  IMTransferAgent / com.apple.datausage.messages  IN: 32561646.0, OUT: 621714.0
12:*  IMTransferAgent / com.apple.datausage.messages  IN: 32561646.0, OUT: 621714.0
12:*  IMTransferAgent / com.apple.datausage.messages
12:*  IMTransferAgent / com.apple.datausage.messages
12:*  IMTransferAgent / com.apple.datausage.messages

Backup - MVT extract of Manifest.db, 2023-0*, files:
12:*  Library/SMS/Attachments/a8/08/*/sample.pkpass
12:*  Library/SMS/Attachments/a8/08/*
12:*  Library/SMS/Attachments/a8/08

That's interesting, are there more?

Backup - MVT extract of Manifest.db, 2023-0*, files:
12:*  Library/SMS/*/sample.pkpass
12:*  Library/SMS/*/sample.pkpass
12:*  Library/SMS/*/sample.pkpass
12:*  Library/SMS/*/sample.pkpass
12:*  Library/SMS/*/sample.pkpass
12:*  Library/SMS/*/sample.pkpass
12:*  Library/SMS/*/sample.pkpass
12:*  Library/SMS/*/sample.pkpass

Suspicious!
But, are those files in the backup?

Yes!

ls -la sample
total 175
-rw-  1 matthias staff 175233 0* sample.pkpass
Let's have a look!

So what's a wallet pass?

Chat GPT, attempt two
You: What's Apple's pk.pass format?
Chat GPT: Apple's PKPass format, also known as PassKit, is the file format used for storing and distributing digital passes for Apple Wallet (formerly known as Passbook). These passes can represent various items such as boarding passes, event tickets, loyalty cards, coupons, and more. The PKPass format is essentially a compressed archive that contains all the information needed for the pass to be displayed within Apple Wallet. This includes metadata such as the pass type, organization name, pass serial number, and expiration date, as well as graphical assets such as images and logos. The PKPass file typically has a .pkpass file extension and is essentially a ZIP archive that contains JSON files for pass information, along with images and other resources required for display. PassKit provides APIs and tools for developers to create, distribute, and manage digital passes for Apple Wallet, allowing businesses and organizations to offer convenient digital alternatives to traditional physical cards and tickets.

Let's have a look!
file sample.pkpass
sample.pkpass: Zip archive data, at least v2.0 to extract, compression method=deflate
ls -la sample
total 175
-rw-  1 matthias staff 175233 0* sample.pkpass

ls -la sample.pkpass (unpacked)
total 11480
-rw-  1 matthias-trail staff   61653 *2023 background.png
-rw-  1 matthias-trail staff 5795842 *2023 logo.png
-rw-  1 matthias-trail staff     175 *2023 manifest.json
-rw-  1 matthias-trail staff      18 *2023 pass.json
-rw-  1 matthias-trail staff    3392 *2023 signature
That's 5.8 MB!
Let's have a look!

That logo is huge!

Let's "file" again:
logo: WebP
background: PNG
manifest: JSON
pass: JSON
signature: data

The WebP vulnerability

The WebP 0day:
- The WebP Vulnerability: A Vulnerability to Hack The World - CVE-2023-4863 (link cut off on the slide)
- The .webp Vulnerability in 8s (Fuzzing with AFL++) (link cut off on the slide)
- OffensiveCon 24, May 10th-11th: Blasting Past WebP, Ian Beer, https://www.offensivecon.org/speakers/2024/ian-beer.html

Let's take a closer look

What's the best tool for malware analysis?

Strings!

strings logo.png
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA… (the output is page after page of "A" characters)
First try: Strings!

Second try: Strings!
strings logo.png | less
RIFF
WEBP
VP8X
…
bplist00
…
_NSCallStackArray
stringWithUTF8String:
sel_registerName
objc_msgSend
NSClassFromString
…
dlopen
memcpy
strtol
alloc
class_getMethodImplementation
FUNCTION(FUNCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),setObject:forKey:,FUNCTION(

Let's extract this bplist file!
dd if=logo.png skip=1170 bs=1 > logo.plist

What's a bplist?
You: What are command line tools I can use to view a bplist file?
Chat GPT: plutil: plutil -p path/to/your/file.bplist; PlistBuddy: /usr/libexec/PlistBuddy -c Print path/to/your/file.bplist

Second try: Strings!
plutil -p logo.plist | less
S5bA = 0 … value = 0 … 1 = 0 … value = 0 … 1 = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA… (a long run of "A" characters)
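The triage the preceding slides do by hand (file on each member, the oversized logo, strings, then dd to carve the bplist), as an added Python example that is not part of the talk or of iVerify's tooling: it unpacks a .pkpass, sniffs each image member's real format against its extension, flags oversized images, and carves an embedded binary plist through to the end of the file. The pass it runs on is constructed inline and is not the real sample.pkpass; the plist keys reuse names seen on the slides but their values are made up.

```python
import io
import json
import plistlib
import struct
import zipfile

# Magic bytes to sniff the real type of a member regardless of its extension;
# the slide's finding was exactly that "logo.png" is a WebP container.
MAGICS = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
    (b"bplist00", "bplist"),
)
IMAGE_EXTS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "webp": "webp"}


def sniff(data: bytes) -> str:
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


def find_bplist(data: bytes) -> int:
    """Offset of an embedded binary plist header (the dd skip= value), or -1."""
    return data.find(b"bplist00")


def carve_bplist(data: bytes) -> bytes:
    """Same effect as `dd if=logo.png skip=<offset> bs=1`: the bplist trailer is
    the last 32 bytes of the plist, so carving through to EOF keeps it parseable."""
    offset = find_bplist(data)
    if offset < 0:
        raise ValueError("no bplist00 header found")
    return data[offset:]


def triage_pkpass(pkpass: bytes, big_image: int = 1 << 20) -> list:
    """One finding per member: declared vs sniffed type, oversized image and an
    embedded bplist offset are the indicators the slides arrive at."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pkpass)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            declared = IMAGE_EXTS.get(ext)
            sniffed = sniff(data)
            findings.append({
                "name": info.filename,
                "size": len(data),
                "declared": declared or ext,
                "sniffed": sniffed,
                "type_mismatch": declared is not None and sniffed != declared,
                "oversize_image": declared is not None and len(data) >= big_image,
                "bplist_offset": find_bplist(data) if declared is not None else -1,
            })
    return findings


def read_member(pkpass: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(pkpass)) as zf:
        return zf.read(name)


def embedded_plist(pkpass: bytes, name: str):
    """Carve and parse the plist hidden in an image member (what plutil -p showed)."""
    return plistlib.loads(carve_bplist(read_member(pkpass, name)))


def build_sample_pkpass() -> bytes:
    """Constructed stand-in for sample.pkpass: a minimal pass whose logo.png is a
    WebP container with a binary plist appended after the VP8X chunk."""
    hidden = plistlib.dumps({"SWxJ": b"\x00" * 8, "S94R": [0, 1]}, fmt=plistlib.FMT_BINARY)
    vp8x = b"VP8X" + struct.pack("<I", 10) + b"\x00" * 10
    body = b"WEBP" + vp8x + hidden
    logo = b"RIFF" + struct.pack("<I", len(body)) + body   # bplist starts at offset 30
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pass.json", json.dumps({"formatVersion": 1}))
        zf.writestr("manifest.json", json.dumps({}))
        zf.writestr("background.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("logo.png", logo)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_pkpass()
    for finding in triage_pkpass(sample):
        print(finding)
    print(embedded_plist(sample, "logo.png"))
```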
Second try: Strings!
plutil -p logo.plist
…
113052 => 36028797018965100
113053 => 36028797018964917
113054 => 36028797018964732
113055 => 36028797018964549
113056 => 36028797018964364
113057 => 36028797018964181
113058 => 36028797018963996
113059 => 36028797018965340
113060 => 36028797018965157
SWxJ => value => 0

Second try: Strings!
/usr/libexec/PlistBuddy -c Print logo.plist | less
Dict SWxJ = Unprintable Data SHVN = Dict SWxJ = Unprintable Data SHVN = Dict SWxJ = Unprintable Data SHVN = Unprintable Data S94R = SRYR = … S2dp = Dict SWxJ = Unprintable Data SHVN = S94R = Array Unprintable Data …

Second try: Strings!
/usr/libexec/PlistBuddy -c Print logo.plist
(screens of unprintable binary) … Array Unprintable Data

We need to understand this better!

bplist -> NSKeyedArchiver

Simple NSKeyedArchiver (diagram, built up over four slides):
- Root: a Dictionary (the root object) whose entries are references (Ref 1, 2, 3, … N) into a flat object table
- $objects: the Array that holds the actual objects (Dictionary, Integer, String, …)
- A nested Dictionary is itself stored as two reference lists, its keys (e.g. "Key 8", "Key 9") and its objects (e.g. an Array, the Integer 1, the String "HelloWorld"), all pointing back into $objects

Time for some Python magic

Python magic:
1. Import your favourite NSKeyedArchiver lib, e.g. plistlib.py
2. Read/understand the code
3. Set some breakpoints if needed
4. Replace Array/Objects/Dictionaries with their top-level keys
5. Print the result

Are we better off?
cat logo.plist_root.txt | less
Parsing Object Ref: 0 - Dictionary: - Keys (1,2,1,3,1,1,4,1,5,1,1,6) - Keys (7,8,130,166,227,207,242,130,166,227,207,242)
Parsing Object Ref: 1 - String: SWxJ
Parsing Object Ref: 2 - String: SRYR
Parsing Object Ref: 3 - String: SHVN
Parsing Object Ref: 4 - String: S69O
Parsing Object Ref: 5 - String: S94R
…

Are we better off?
cat logo.plist_root.txt
…
Parsing Object Ref: 260 - UID: UID(0)
Parsing Object Ref: 261 - Array: (262,263,263,263,263,263,263,263,263,263,263)
Parsing Object Ref: 262 - UID: UID(0)
Parsing Object Ref: 263 - Data: b'\x00\x00\x00\x00\x00\x00\x00\x00…\x00' (all zero bytes)

Yes! We are down to 264 individual objects.

Some interesting ones:
Object Ref: 8 - (9, 10, …, 10, 11 (x15), 10, …, 10, 11 (x15), 10, …, 10, 11 (x15), 10, …, 11 (x15), 10, …, 10, 12, 13, 14, …, 129: every reference from 12 up to 129 in order)
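The "Python magic" step, as an added example that is not the speaker's script: plistlib loads an NSKeyedArchiver bplist, and the resolver follows $top through the $objects table, turning NS.keys/NS.objects dictionaries and NS.objects arrays back into Python structures while guarding against reference cycles (an object referring back to itself, which a naive resolver would loop on). The archive it parses is constructed to mirror the "Simple NSKeyedArchiver" diagram, not logo.plist; the class_names helper lists the classes an archive would instantiate, which is a cheap triage signal on an unknown bplist.

```python
import plistlib
from plistlib import UID


def build_sample_archive() -> bytes:
    """Constructed NSKeyedArchiver bplist mirroring the 'Simple NSKeyedArchiver'
    diagram: $top.root -> NSDictionary {Key 8: "HelloWorld", Key 9: [1, "HelloWorld"]}."""
    objects = [
        "$null",                                                                   # 0
        {"$class": UID(5), "NS.keys": [UID(2), UID(3)], "NS.objects": [UID(4), UID(6)]},  # 1 root
        "Key 8",                                                                   # 2
        "Key 9",                                                                   # 3
        "HelloWorld",                                                              # 4
        {"$classname": "NSDictionary", "$classes": ["NSDictionary", "NSObject"]},  # 5
        {"$class": UID(8), "NS.objects": [UID(7), UID(4)]},                        # 6 array
        1,                                                                         # 7
        {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]},            # 8
    ]
    archive = {"$version": 100000, "$archiver": "NSKeyedArchiver",
               "$top": {"root": UID(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def build_cyclic_archive() -> bytes:
    """Constructed edge case: an NSArray whose only element is itself."""
    objects = [
        "$null",
        {"$class": UID(2), "NS.objects": [UID(1)]},
        {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]},
    ]
    archive = {"$version": 100000, "$archiver": "NSKeyedArchiver",
               "$top": {"root": UID(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def load_archive(blob: bytes) -> dict:
    arch = plistlib.loads(blob)
    if arch.get("$archiver") != "NSKeyedArchiver" or "$objects" not in arch:
        raise ValueError("not an NSKeyedArchiver plist")
    return arch


def object_count(blob: bytes) -> int:
    """Number of entries in $objects (the slides got down to 264 for logo.plist)."""
    return len(load_archive(blob)["$objects"])


def class_names(blob: bytes) -> set:
    """Every class the archive would instantiate when unarchived."""
    return {o["$classname"] for o in load_archive(blob)["$objects"]
            if isinstance(o, dict) and "$classname" in o}


def resolve_archive(blob: bytes) -> dict:
    """Replace every UID reference with the object it points to, starting at $top."""
    arch = load_archive(blob)
    objs = arch["$objects"]
    memo = {}

    def classname(obj):
        ref = obj.get("$class")
        return objs[ref.data].get("$classname") if isinstance(ref, UID) else None

    def deref(value, trail):
        if isinstance(value, UID):
            idx = value.data
            if idx in trail:                       # reference cycle: stop here
                return f"<cycle -> object {idx}>"
            if idx not in memo:
                memo[idx] = deref(objs[idx], trail | {idx})
            return memo[idx]
        if isinstance(value, dict):
            if "$classname" in value:              # a class descriptor, not an instance
                return f"<class {value['$classname']}>"
            if "NS.keys" in value and "NS.objects" in value:   # NSDictionary
                out = {}
                for k, v in zip(value["NS.keys"], value["NS.objects"]):
                    key = deref(k, trail)
                    out[key if isinstance(key, (str, int, float)) else repr(key)] = deref(v, trail)
                return out
            if "NS.objects" in value:              # NSArray / NSSet
                return [deref(v, trail) for v in value["NS.objects"]]
            out = {k: deref(v, trail) for k, v in value.items() if k != "$class"}
            name = classname(value)
            if name:
                out["$classname"] = name
            return out
        if isinstance(value, list):
            return [deref(v, trail) for v in value]
        return None if value == "$null" else value

    return {k: deref(v, frozenset()) for k, v in arch["$top"].items()}


if __name__ == "__main__":
    blob = build_sample_archive()
    print(object_count(blob), class_names(blob), resolve_archive(blob))
```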
Some interesting ones:
Object Ref: 11 - Data: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80&\x00\x00\x01\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x10\x00\x8bV\x02\x00\x00\x00\xb0\xc31\x16\x02\x00\x00\x00X\xe3\x01\x00\x00\x00\x00\x00…'
followed, inside the same data object, by:
FUNCTION(FUNCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),setObject:forKey:,FUNCTION(eJwtlTWy7UASRBckQ0ymmPGKPTEza/… (several hundred characters of base64 follow)
That's our payload!

Some interesting ones:
Object Ref: 182 - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA… (a long run of "A" characters)
Object Ref: 254 - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA… (a long run of "A" characters)
Object Ref: 259 - Array: (260,11,11,11,11,11,11,11,11,11,11)

Mentioning of Payload

Let's inspect that payload!

The Payload (layout of the data in Object Ref 11):
- Binary stuff
- Binary + strings
- NSExpression
- Binary + strings
- \x00 … \x00
- 1 MB of binary data
What does this do? (asked of each part)
What's an NSExpression?
FUNCTION(Receiver, SelectorName, Arguments, …)
(two Apple documentation links, cut off on the slides)

NSExpression links:
- See No Eval: Runtime Dynamic Code Execution in Objective-C, CodeColorist, https://codecolor.ist/2021/01/16/see-no-eval-runtime-code-execution-objc/
- FORCEDENTRY: Sandbox Escape, Google Project Zero (Ian Beer & Samuel Groß) (link cut off on the slide)
- Black Hat USA 2023: Apple's Predicament: NSPredicate Exploits on iOS and macOS, Austin Emmitt (link cut off on the slide)
- … the Safari Sandbox in iOS 16 (title cut off on the slide), Ian Beer, https://objectivebythesea.org/v6/talks.html#Speaker_12

Why is this still possible?

Structure of the NSExpression payload:
FUNCTION(FUNCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),setObject:forKey:,FUNCTION(PAYLOAD-CS,componentsJoinedByString:,).aaf_toBase64DecodedData._CUTDecompressData.base64Encoding.aaf_toBase64DecodedString,cs)
FUNCTION(FUNCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),setObject:forKey:,FUNCTION(PAYLOAD-C,componentsJoinedByString:,).aaf_toBase64DecodedData._CUTDecompressData.base64Encoding.aaf_toBase64DecodedString,c)
FUNCTION(FUNCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),setObject:forKey:,FUNCTION(PAYLOAD-X).aaf_toBase64DecodedData._CUTDecompressData.base64Encoding.aaf_toBase64DecodedString,x)
FUNCTION(FUNCTION(FUNCTION(CAST(NSKeyPathExpression,Class),superclass),expressionWithFormat:,FUNCTION(CAST(NSString,Class),stringWithUTF8String:,FUNCTION(FUNCTION(FUNCTION(FUNCTION(CAST(NSData,Class),alloc),initWithBase64Encoding:,FUNCTION(PAYLOAD,componentsJoinedByString:,),decompressedDataUsingAlgorithm:error:,FUNCTION(3,intValue),nil),bytes),nil),expressionValueWithObject:context:,833335023,nil) = 1
Parts: (1) Payload-CS, stored in the thread dictionary under "cs"; (2) Payload-C, stored under "c"; (3) Payload-X, stored under "x"; (4) Payload, which is decoded, decompressed and evaluated.
First executed payload: the last expression (Payload).

Structure of Payload (the real chunk list, shortened):
FUNCTION(FUNCTION(FUNCTION(CAST(NSKeyPathExpression,Class),superclass),expressionWithFormat:,FUNCTION(CAST(NSString,Class),stringWithUTF8String:,FUNCTION(FUNCTION(FUNCTION(FUNCTION(CAST(NSData,Class),alloc),initWithBase64Encoding:,FUNCTION(7Z0Jb9tIsoDfT8kb7IM3oyDi2WwGGGB,…,=,componentsJoinedByString:,),decompressedDataUsingAlgorithm:error:,FUNCTION(3,intValue),nil),bytes),nil),expressionValueWithObject:context:,833335023,nil

Let's be naive and just try

Let's be naive:
base64 -d -i payload.txt
(unreadable binary output)
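Why the naive base64 -d gives unreadable output, shown as an added Python example that is not the speaker's Objective-C harness: in the expression above the base64 chunks are joined, decoded, and then handed to decompressedDataUsingAlgorithm:error: with 3, which is NSDataCompressionAlgorithmZlib, and the Compression framework's zlib mode is raw DEFLATE without the zlib header, so Python has to inflate with wbits=-15 (a zlib-wrapped stream is tried as a fallback). The decoder unpacks such stages recursively, stops when a stage decompresses to a bplist (a config stage, as Payload-CS turns out to be), and reports selectors that the later slides show inside the unpacked stages; the nested sample it runs on is constructed with the FUNCTION(...) template from the slide, not the real payload.

```python
import base64
import plistlib
import re
import zlib

# NSDataCompressionAlgorithm raw values in Foundation: 0 LZFSE, 1 LZ4, 2 LZMA, 3 Zlib.
ALGO_ZLIB = 3

# One decoding stage as rendered on the slides: base64 chunks joined with
# componentsJoinedByString:, then decompressedDataUsingAlgorithm:error: with the
# algorithm given as FUNCTION(<n>,intValue). Assumes the quoting of the real
# NSExpression string/array literals has been stripped, as it is on the slides.
STAGE_RE = re.compile(
    r"initWithBase64Encoding:,FUNCTION\((?P<chunks>[A-Za-z0-9+/=,]+),"
    r"componentsJoinedByString:,\),decompressedDataUsingAlgorithm:error:,"
    r"FUNCTION\((?P<algo>\d+),intValue\)"
)

# Selectors and key paths the later slides show inside the unpacked stages.
INDICATORS = ("mapperForCurrentThread", "performSelector:withObject:withObject:",
              "mt_millisecondsSince1970", "fc_decryptAESSIVWithKey:additionalData:")


def inflate(blob: bytes, algo: int) -> bytes:
    """decompressedDataUsingAlgorithm: for algorithm 3 (zlib)."""
    if algo != ALGO_ZLIB:
        raise ValueError(f"algorithm {algo} not handled here")
    try:
        return zlib.decompress(blob, -15)   # raw DEFLATE, as COMPRESSION_ZLIB produces
    except zlib.error:
        return zlib.decompress(blob)        # zlib-wrapped stream (the "eJw..." blobs)


def unpack(expr: str, depth: int = 0, max_depth: int = 16) -> dict:
    """Recursively unpack every compressed stage embedded in an expression string."""
    node = {"depth": depth, "kind": "expression", "text": expr, "children": []}
    if depth >= max_depth:
        return node
    for m in STAGE_RE.finditer(expr):
        raw = base64.b64decode("".join(m.group("chunks").split(",")))
        data = inflate(raw, int(m.group("algo")))
        if data.startswith(b"bplist00"):        # a config stage such as Payload-CS
            node["children"].append({"depth": depth + 1, "kind": "bplist",
                                     "text": data, "children": []})
        else:                                   # another expression: go one level deeper
            node["children"].append(unpack(data.decode("utf-8"), depth + 1, max_depth))
    return node


def stage_depth(node: dict) -> int:
    """Deepest nesting level reached (0 = nothing embedded)."""
    return max([stage_depth(c) for c in node["children"]], default=node["depth"])


def indicators_in(node: dict) -> set:
    found = set()
    if node["kind"] == "expression":
        found.update(i for i in INDICATORS if i in node["text"])
    for child in node["children"]:
        found |= indicators_in(child)
    return found


def wrap(inner, raw_deflate: bool = True, chunk: int = 64) -> str:
    """Constructed encoder used only to build test input: the template is the
    expression shown on the slide with the real base64 chunks replaced."""
    payload = inner if isinstance(inner, bytes) else inner.encode("utf-8")
    if raw_deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        blob = comp.compress(payload) + comp.flush()
    else:
        blob = zlib.compress(payload)
    b64 = base64.b64encode(blob).decode("ascii")
    chunks = ",".join(b64[i:i + chunk] for i in range(0, len(b64), chunk))
    return ("FUNCTION(FUNCTION(FUNCTION(CAST(NSKeyPathExpression,Class),superclass),"
            "expressionWithFormat:,FUNCTION(CAST(NSString,Class),stringWithUTF8String:,"
            "FUNCTION(FUNCTION(FUNCTION(FUNCTION(CAST(NSData,Class),alloc),"
            f"initWithBase64Encoding:,FUNCTION({chunks},componentsJoinedByString:,),"
            f"decompressedDataUsingAlgorithm:error:,FUNCTION({ALGO_ZLIB},intValue),nil),"
            "bytes),nil),expressionValueWithObject:context:,833335023,nil)")


def build_sample_payload() -> str:
    """Two compressed layers around a small expression: 'payload inside payload'."""
    innermost = "FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)"
    return wrap(wrap(innermost))


def build_sample_config_stage() -> str:
    """A stage whose decompressed content is a bplist, like Payload-CS (made-up keys)."""
    return wrap(plistlib.dumps({"iPhone10,1:20G75": 10}, fmt=plistlib.FMT_BINARY))


if __name__ == "__main__":
    tree = unpack(build_sample_payload())
    print("stages:", stage_depth(tree), "indicators:", indicators_in(tree))
```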
CoreFoundation.framework, NSData.h (master branch of the header dump):
_CUTDecompressData;
- (id)_CUTOptionallyDecompressData;
- (id)_CUTStringFromBaseData;

Let's search on GitHub for aaf_toBase64DecodedData?
(search result screenshots)

So let's "import" those frameworks and let's try again

Decoding Payload-CS:
NSLog(@"Decompressed String: %@", decompressedPayloadCSString);
bplist00 … Q0 Q1 R10 R11 R12 R13 R14 R15 R16 R17 R18 R19 Q2 R20 R21 R22 R23 R24 R25 R26 R27 R28 R29 Q3 R30 R31 R32 R33 R34 R35 R36 R37 Q4 Q5 Q6 Q7 Q8 Q9 _iPhone10,1:20E247 _iPhone10,1:20E252 _iPhone10,1:20F66 _iPhone10,1:20F75 _iPhone10,1:20F770750d _iPhone10,1:20G75 _iPhone10,2:20E247 _iPhone10,2:20E252 _iPhone10,2:20F66 _iPhone10,2:20F75 _iPhone10,2:20F770750d _iPhone10,2:20G75 _iPhone10,3:20E247 _iPhone10,3:20E252 _iPhone10,3:20F66 _iPhone10,3:20F75 _iPhone10,3:20F770750d _iPhone10,3:20G75 _iPhone10,4:20E247 _iPhone10,4:20E252 _iPhone10,4:20F66 _iPhone10,4:20F75 _iPhone10,4:20F770750d _iPhone10,4:20G75 _iPhone10,5:20E247 _iPhone…
Payload-CS is a bplist!

Let's have a look at the PLIST file

Decoding Payload-CS:
NSLog(@"Decompressed String: %@", decompressedPayloadCSPlist);
28: { s10.3: -149170296, s9.7.7: -15977552, s10.2: -896240284, s9.7.8: -15977544 }, iPhone10,4:20F75: 10, iPhone10,4:20F770750d: 10, 29: { s10.3: -125850544, s9.7.7: 80343472, s10.2: -912122464, s9.7.8: 80343480 }, iPhone10,6:20E247: 27, …
iPhone model + build. No iPads!

Two done! Two to go!

Mentioning of Payload-C (lines 99-115):
Function(OCMapper.Class mapperForCurrentThread, setObject:forKey:, Function(NSData.Class alloc, initWithBase64EncodedString:options:, OCMapper.Class mapperForCurrentThread.c, 1 intValue), a106c512d6e4353b)
Function(OCMapper.Class mapperForCurrentThread, setObject:forKey:, Function(OCMapper.Class mapperForCurrentThread.a106c512d6e4353b, decompressedDataUsingAlgorithm:error:, 3 intValue, nil), ac7fbd150d686fba)
Function(OCMapper.Class mapperForCurrentThread, setObject:forKey:, Function(NSPropertyListSerialization.Class, propertyListWithData:options:format:error:, OCMapper.Class mapperForCurrentThread.ac7fbd150d686fba, nil, nil, nil), abfd13dbf88776d2)
Payload-C! Another compression format. Payload-C = another PLIST.

Structure of Payload-C:
FUNCTION(FUNCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),setObject:forKey:,FUNCTION(eJwVljWS5UAQRA8kQ0ymmJnlSV/MTKffWa+jIpqyIN+Wdup3vljxK68pQJicn6/eQmM+hBmK9hgRVlVt7aFhzFWDec0lHks+p91pjxj07WA0wUgYGilva91S6IDS89wGKKdS6rQykeoLJMcDBSks+SkKocx1aGkuxxBewYDgudvgi2HIjkSFhco2PVKrL46UZV1Dc3SITwME/…4B+P4kRAALYY1Gl9dNvp+MAjgvxOsqiH625zHBF6B56SjeFCBl1L9A5q/bVI=,componentsJoinedByString:,).aaf_toBase64DecodedData._CUTDecompressData.base64Encoding.aaf_toBase64DecodedString,c)

Decoding Payload-C:
NSLog(@"Decompressed String: %@", decompressedPayloadCPlist);
a46aac1d87209cc3: FUNCTION(TERNARY(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)ab414b48d50d82b9 = nil,FUNCTION(0,hash,FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread),setObject:forKey:,FUNCTION(FUNCTION(CAST(NSKeyPathExpression,Class),superclass),expressionWithFormat:,FUNCTION(CAST(NSString,Class),stringWithUTF8String:,FUNCTION(FUNCTION(FUNCTION(FUNCTION(CAST(NSData,Class),alloc),initWithBase64Encoding:,FUNCTION(PayloadInsidePayload-C,componentsJoinedByString:,),decompressedDataUsingAlgorithm:error:,FUNCTION(3,intValue),nil),bytes),nil),ab414b48d50d82b9),1),FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)ab414b48d50d82b9LAST,expressionValueWithObject:context:,833335023,nil)
Payload! A compressed payload inside compressed Payload-C.

Decoding payload inside Payload-C:
NSLog(@"Decompressed String: %@", PayloadInsidePayloadCPlist);
FUNCTION(0,hash,1),FUNCTION(0,hash,FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a5749a0c51e8429b,performSelector:withObject:withObject:,FUNCTION(FUNCTION(CAST(NSExpression,Class),expressionForFunction:selectorName:arguments:,FUNCTION(CAST(NSExpression,Class),expressionForAnyKey),setArgument:atIndex:,nil),selector),FUNCTION(FUNCTION(CAST(_NSPredicateUtilities,Class),add:to:,24,FUNCTION(CAST(NSNumber,Class),numberWithUnsignedLongLong:,FUNCTION(CAST(NSValue,Class),valueWithPointer:,FUNCTION(709551614,unsignedLongValue),pointerValue),nil) … FUNCTION(FUNCTION(FUNCTION(FUNCTION(CAST(NSData,Class),alloc),initWithBase64Encoding:,3VVZr5tGGO….Mo7XVCGDrEMJ8lPdxneZ75p0I+jt9go59+Aw=),decompressedDataUsingAlgorithm:error:,FUNCTION(3,intValue),nil),bytes),nil),a776c8627453a6b9),1),FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a776c8627453a6b9LAST,a65f00c73b1c7996),FUNCTION(0,hash,FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread) …
Another payload! A compressed payload inside a compressed payload inside compressed Payload-C.

Decoding payload inside payload inside Payload-C:
NSLog(@"Decompressed String: %@", PayloadInsidePayloadInsidePayloadCPlist);
TERNARY(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a5469019921478ef … FUNCTION(CAST(_NSPredicateUtilities,Class),from:subtract:,FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread) … FUNCTION(CAST(NSString,Class),stringWithUTF8String:,FUNCTION(FUNCTION(FUNCTION(FUNCTION(CAST(NSData,Class),alloc),initWithBase64Encoding:,zVdNb9pAEO1P4ZQNkg/….7wGw=),decompressedDataUsingAlgorithm:error:,FUNCTION(3,intValue),nil),bytes),nil),acd9421026604f20)
Another payload! A compressed payload inside a compressed payload inside a compressed payload inside compressed Payload-C.

Decoding payload inside payload inside payload inside Payload-C:
NSLog(@"Decompressed String: %@", PayloadInsidePayloadInsidePayloadInsidePayloadCPlist);
TERNARY(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a02bb2d41a4a6c3a 48 & FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)ab2b4adedcace459 = nil, … a02bb2d41a4a6c3a),a02bb2d41a4a6c3a),FUNCTION(0,hash,FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread),setObject:forKey:,FUNCTION(CAST(_NSPredicateUtilities,Class),from:subtract:,FUNCTION(),FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a2fcc0e6725476c2,expressionValueWithObject:context:,nil,nil),0)

Finally no more payloads!

Three down. One to go.

No mention of "x" in Payload, Payload-C.

Formatted Payload (lines 2487-2497):
Function(NSKeyPathExpression.Class superclass, expressionWithFormat:, Function(NSString.Class, stringWithUTF8String:, Function(Function(Function(NSData.Class alloc, initWithBase64Encoding:, 7V1bT+NIFtWLFoFVxCAAABYHEne9Xi2vboxN0U2cbqjFidEasz+l6d8aw7do9fCHDFSB8grZElUBHFDFbTSralxq21CUBBoBj2mEuksZiWVzepmwvCAVv/….+As= componentsJoinedByString:, ), decompressedDataUsingAlgorithm:error:, 3 intValue, nil), bytes), nil), ab99f0dd78089b31),
Another payload!

More payloads:
NSLog(@"Decompressed String: %@", payloadInsidePayload);
TERNARY(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a02bb2d41a4a6c3a 100 & FUNCTION(CAST(NSDate,Class),mt_millisecondsSince1970) FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)af84949d6657831d, … FUNCTION(0,hash,FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread),setValue:forKey:,FUNCTION(FUNCTION(CAST(NSData,Class),alloc),initWithBase64EncodedData:options:,FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)x,nil),a2888b59b5914536) …
Compressed payload inside Payload: Payload-X! PERFECT!

… FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread),setValue:forKey:,FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a2888b59b5914536,fc_decryptAESSIVWithKey:additionalData:,FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a22990eb91e7ea79,nil),abc310bdbde1a724)
Compressed payload inside Payload: Payload-X is encrypted (AES-SIV)!

No key in clear sight

Is this the end?

Maybe

But there is more to discover!

Homed crashes?
NSExpression bypass?
Sandbox escape?
PAC bypass?
Implant?
Command & Control structure?

To be continued

Summary: Backup (IMTransferAgent data usage, sample.pkpass) -> logo.png -> bplist (Ref 11) -> NSExpression -> Payload -> Payload-CS (config), Payload-C (config, payloads inside payloads), Payload-X (encrypted); MessagesBlastDoor crashes.

Summary - IOCs: MessagesBlastDoor crashes; IMTransferAgent data usage; sample.pkpass in the backup; logo.png that is PNG != WebP; the "AAAAAAAAAA" padding; "FUNCTION(" strings; the bplist (Ref 11) carrying NSExpression payloads; Payload-CS (config), Payload-C (config), Payload-X (encrypted).

Summarised open questions:
1. How was NSExpression executed?
2. Bypass NSExpression mitigations?
3. Encryption key?
4. Sandbox escape, mitigation bypasses?
5. Command & Control structure?
6. Implant?
7. Homed crashes?

Please contact us at info@iverify.io if you got an Apple Threat Notification, if you believe your iPhone is compromised, and you need help.

Black Hat Asia Sound Bytes:
1. iOS forensic investigation works! We need more scale!
2. iOS vulnerability mitigations are bypassed with more vulnerabilities
3. Spyware vendors tend to reuse (very complex) exploitation frameworks
107、ssion mitigations?Encryption Key?Sandbox Escape,Mitigation Bypasses?Command&Control Structure?Implant?Homed Crashes?1234567#BHASIA BlackHatEventsPlease contact us at infoiverify.io!If you got an Apple Threat NotificationIf you believe your iPhone is compromisedAnd you need help#BHASIA BlackHatEventsBlack Hat Asia Sound BytesiOS Forensic investigation works!We need more scale!iOS Vulnerability Mitigations are bypassed with more VulnerabilitiesSpyware vendors tend to reuse(very complex)Exploitation Frameworks123