New Zorenium Bot Boasts Ability to Run on iOS

UPDATE–The iOS platform has been remarkably resistant to malware infections over the years and attackers interested in mobile devices mainly have focused their efforts on Android. But the developer of a little-known bot that has the ability to run on Linux and Windows machines now has a version that apparently can run on iOS as well.

The Zorenium bot is not one of the brand-name bots that constantly make headlines. The bot is only a few months old and hasn’t yet gained the attention of many researchers. It has many of the same capabilities that other pieces of custom malware have, including from-grabbing, banker Trojan functionality, DDoS and even Bitcoin mining. But it’s Zorenium’s ability to run on recent version of iOS that sets it apart.

“Recently our analysts have been monitoring the advancement of a new threat in the commercial malware theater – the Zorenium Bot. Zorenium a relatively new and unknown bot, which has been up for sale in the underground from January 2014 is getting new features in its March 18th update, including, also, ability to infect iOS devices (version 5-7), alongside its existing capabilities to run on Linux and Windows based machines. Also, in this update, the developers have updated the rootkit to TDL4 (This making it vulnerable to anti TDSS tools),” Tanya Koyfman and Assaf Keren of the SenseCy blog, run by Israeli company Terrogence, wrote in a blog post on the bot.

Zorenium has been advertised on Pastebin and the first version of the bot was available for direct download via a link posted on Twitter in December. The full release notes for the latest version of Zorenium detail the bot’s full functionality, including its banking Trojan capability and its use of the TDL family of rootkits. TDL, also known as Alureon, is a nasty rootkit that has been around for several years and has been used to build a number of large botnets. The most recent version, TDL4, has a number of advanced capabilities, including the ability to bypass some Windows code-signing requirements.

The Zorenium developer boasts in his notes for the bot that the malware is not detected by any major antimalware products and says that the bot’s processes and other components are protected from being stopped or removed through the use of a number of different methods. The developer also says Zorenium can trick users into thinking their machine is shutting down.

“After alot of work, testing and money spent. We can now make the victims believe there SYSTEM is being shutdown on victim input. Thus means zorenium will throw fake images to make the user believe hes shutting down his machine. Zorenium will then shut down the screen to standby mode ( until the Poweron button is initialized ). Whilst the user thinks he or she is shutting down there machine, we can stop (Delay) the CPU Fan, and other fans, which will make a racket making the user believe his or her system is still running,” the notes say.

The base model of Zorenium, without the rootkit and banker Trojan and Bitcoin miner, sells for £350, while the version that includes those modukes goes for £2,000. The Zorenium binary with Tor and P2P capability for command and control sells for £5,000.

The Zorenium malware is related to the Betabot malware, which has been used in attacks against financial institutions and other sites since last year. The FBI issued a warning about Betabot on September, warning consumers that the malware will masquerade as a Windows security warning dialog box.

“Cyber criminals use Beta Bot to target financial institutions, e-commerce sites, online payment platforms, and social networking sites to steal sensitive data such as log-in credentials and financial information. Beta Bot blocks computer users’ access to security websites and disables anti-virus programs, leaving computers vulnerable to compromise,” the FBI warning says.

“Beta Bot infection vectors include an illegitimate but official looking Microsoft Windows message box named ‘User Account Control’ that requests a user’s permission to allow the ‘Windows Command Processor’ to modify the user’s computer settings. If the user complies with the request, the hackers are able to exfiltrate data from the computer. Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites.”

The security measures, vertical software development and installation model and exploit mitigations included in iOS have made the platform a difficult target for attackers. There have been a small string of code-execution vulnerabilities found in various versions of iOS, many of them discovered by members of the jailbreak community. Apple has patched those, but users who jailbreak their devices typically don’t update them, because that rolls back the jailbreak and restores the normal operating system.

For Zorenium to run on an iOS device, it likely is running on jailbroken phones, unless the bot uses a previously unknown vulnerability in the operating system.

“According to a release note from the developer of the Zorenium malware, dated of the 18th of March, the new version supposedly is able to run on iOS 5-7 , as well as most Debian platforms and the latest Android tablets. One platform stands out of this list, iOS as there aren’t so many threats to run on it. It is currently unclear wether the apple device needs to be jailbroken or not, in order to be infected. However, considering the fact that the Windows versions of Zorenium were far from being advanced threats, it is most likely that it will only run on the jailbroken device,” said Nicolas Brulez, principal security researcher at Kaspersky Lab.

This story was updated on March 20 to add details from the Zorenium release notes. 

Suggested articles