Threat Advisory: XcodeGhost

29 Sep

in Blog, Perspectives

by Nikfar Khaleeli

Niara's security analytics platform helps organizations detect attacks that have managed to bypass the perimeter and other traditional security infrastructure. Here is a real-world example of how to detect a recent piece of malware you may have seen in the news, called "XcodeGhost".

What is XcodeGhost?
XcodeGhost is compiler-based malware that targets iOS devices. A rogue version of Apple's Xcode IDE was uploaded to a cloud sharing service and then used by multiple iOS developers to compile their iOS apps. These apps, surreptitiously infected with XcodeGhost during compilation, got past Apple's code review process and were distributed through the App Store serving the Greater China region. XcodeGhost has infected an estimated 4,000 apps, including popular ones like WeChat, and affected hundreds of millions of users. Note that XcodeGhost should not be confused with the Gh0st malware family, which primarily targets Windows devices. XcodeGhost works by exploiting Xcode's default search paths, hence the name.

XcodeGhost steals device and user information, encrypts it, and sends it back to a command and control server using HTTP POST. Information that XcodeGhost can steal includes:

  • Application installation type
  • Application name and version
  • Current time
  • Developer info
  • Device’s name, type, UUID, language and country
  • Network type
  • OS version

How does Niara help?
There is publicly available information on how to deal with apps infected with XcodeGhost. However, many factors can prevent the complete removal of XcodeGhost from your environment: a lack of information about which devices have been infected, users who have not followed the steps needed to remove identified infected apps, infected apps that have not yet been discovered, and continued use of the rogue version of Xcode, which produces newly compiled apps that are also infected.

Niara enables security teams to accurately pinpoint all XcodeGhost-infected devices on the corporate network. This is possible because Niara's security analytics take network data (packets, network flows and files) together with security data (logs, alerts and threat feeds) as input for a broad set of machine learning-based analytics that provide in-depth visibility into attacks happening within an organization. These analytics crunch through massive amounts of data to analyze each piece in isolation, fully correlate detected anomalies to entities (i.e., users and hosts), and profile entities to detect deviant behaviors.

All analytics are indexed and backed by a robust evidence chain that extends all the way down to the packet level and can be stored for extended periods of time. Because Niara integrates analytics and forensics into one platform, analysts can quickly search through all the information in the platform, including network metadata, even with complex queries, for indicators of the XcodeGhost attack.

For example, analysts can quickly search through the evidence chain for network communications to the command and control servers known to be associated with XcodeGhost and, because of the full correlation done by Niara, identify the devices and compromised users involved. For Niara customers, the specific search queries are:

http_method:POST AND
http_method:POST AND
http_method:POST AND
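
The hunt described above, as an added example that is not Niara's code: it applies the same logic as the search queries (HTTP POST to a known XcodeGhost command and control host) to HTTP metadata records and then correlates every hit back to the device and user involved. The log records, the CSV layout and the command and control hostnames are all constructed placeholders; the real indicators are not reproduced here.

```python
import csv
from collections import defaultdict
from io import StringIO

# Placeholder command and control hostnames (assumption: the real XcodeGhost
# indicators would be loaded from a threat feed, they are NOT reproduced here).
XCODEGHOST_C2 = {"c2-placeholder-1.invalid", "c2-placeholder-2.invalid"}

# Constructed HTTP metadata records, one per request, with the user already
# attached to the source address by the platform's entity correlation.
SAMPLE_LOG = """\
ts,src_ip,user,http_method,host,uri
2015-09-20T08:01:12Z,10.1.4.22,alice,GET,www.example.org,/index.html
2015-09-20T08:01:15Z,10.1.4.22,alice,POST,c2-placeholder-1.invalid,/api
2015-09-20T08:02:03Z,10.1.7.9,bob,POST,updates.example.org,/check
2015-09-20T08:03:44Z,10.1.9.31,carol,POST,c2-placeholder-2.invalid,/api
2015-09-20T08:05:10Z,10.1.4.22,alice,POST,c2-placeholder-1.invalid,/api
2015-09-20T08:06:00Z,10.1.2.2,dave,GET,c2-placeholder-1.invalid,/
"""


def find_c2_posts(log_text, c2_hosts=XCODEGHOST_C2):
    """Equivalent of the hunt query: http_method:POST AND host is a known C2.
    A GET to a C2 host (dave, above) is deliberately not matched, mirroring the
    query as written; widen the method check if you also want those contacts."""
    reader = csv.DictReader(StringIO(log_text))
    return [r for r in reader
            if r["http_method"] == "POST" and r["host"].lower() in c2_hosts]


def correlate(matches):
    """Group hits by (device, user) so each infected device is reported once,
    with the C2 hosts it contacted, the beacon count and the observed window."""
    by_entity = defaultdict(lambda: {"count": 0, "c2_hosts": set(),
                                     "first_seen": None, "last_seen": None})
    for r in matches:
        e = by_entity[(r["src_ip"], r["user"])]
        e["count"] += 1
        e["c2_hosts"].add(r["host"])
        e["first_seen"] = r["ts"] if e["first_seen"] is None else min(e["first_seen"], r["ts"])
        e["last_seen"] = r["ts"] if e["last_seen"] is None else max(e["last_seen"], r["ts"])
    return dict(by_entity)


if __name__ == "__main__":
    for (ip, user), e in correlate(find_c2_posts(SAMPLE_LOG)).items():
        print(f"{ip} ({user}): {e['count']} POST(s) to {sorted(e['c2_hosts'])} "
              f"between {e['first_seen']} and {e['last_seen']}")
```

With the constructed records, two devices (alice's and carol's) are reported, while bob's POST to an unrelated host and dave's GET to a C2 host are not.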

Advanced threat hunting skills are needed to detect attacks like XcodeGhost. Niara bolsters these skills for experienced security professionals, allowing them to quickly test out hypotheses and hunt for attacks within the organization over extended periods of time, if necessary. Think of it as the threat hunter’s Disneyland.

If you want to find out more about Niara’s capabilities or see a demo of Niara, please contact us.