We will take a look at the XSSer mRAT iOS malware sample, for our preliminary analysis. If installed, this malware operates in the background of a victim's phone, and the contents of the targeted device are sent to remote servers that appear to be controlled by a foreign government or organization. XSSer mRAT can steal SMS messages, call logs, location data, photos, address books, data from the Chinese messaging application Tencent, and passwords from the iOS keychain.
To analyze malware in the iOS environment, perform the following steps:

1. We unpack the .deb file to view the contents of the package. The unpacked directory contains a file called data.tar, which can be further unpacked to the data directory.

2. We now explore further, to /data/bin, where we find three files:

com.xsser.0day.iphone.plist
xsser.0day_t
xsser.0day_t.sh

3. Let's have a look at the xsser.0day_t.sh file...
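The unpacking step above, as an added example that is not part of the book's text: a small Python parser for the ar container that wraps a .deb, which pulls out data.tar.* and hashes every file in it for triage. The sample package it builds is a constructed stand-in that carries only the three file names from the listing with dummy contents, so the script runs offline without the real sample.

```python
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"  # a .deb is an ar archive holding debian-binary, control.tar*, data.tar*

def ar_members(blob: bytes) -> dict:
    """Parse an in-memory ar archive into {member name: bytes}. Each 60-byte ASCII header is
    name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\\n"; member data is padded to an even offset."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive, so not a .deb")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip(" /")  # GNU ar terminates names with "/"
        size = int(hdr[48:58].decode("ascii"))
        pos += 60
        if pos + size > len(blob):
            raise ValueError("truncated member %r" % name)
        members[name] = blob[pos:pos + size]
        pos += size + (size & 1)
    return members

def deb_data_files(deb: bytes) -> dict:
    """Return {absolute path: sha256 hex} for every regular file inside data.tar.* of a .deb."""
    members = ar_members(deb)
    data_name = next(n for n in members if n.startswith("data.tar"))
    with tarfile.open(fileobj=io.BytesIO(members[data_name]), mode="r:*") as tf:
        return {"/" + m.name.lstrip("./"): hashlib.sha256(tf.extractfile(m).read()).hexdigest()
                for m in tf.getmembers() if m.isfile()}

def _ar_member(name: str, data: bytes) -> bytes:
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
    return hdr + data + (b"\n" if len(data) & 1 else b"")

def build_sample_deb() -> bytes:
    """Constructed stand-in for the package: the three file names from the listing, dummy bodies."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tf:
        for path, body in [("./bin/com.xsser.0day.iphone.plist", b"<plist/>\n"),
                           ("./bin/xsser.0day_t", b"placeholder, not the real binary\n"),
                           ("./bin/xsser.0day_t.sh", b"#!/bin/sh\n")]:
            info = tarfile.TarInfo(path)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", b"") + _ar_member("data.tar.gz", tar_buf.getvalue()))
```

Run deb_data_files on a real package read from disk to get a path-to-hash inventory before touching any of the extracted files.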