WireLurker
⚠️ Overview
WireLurker is a family of malware that affects both OS X and iOS, described publicly by Palo Alto Networks' Unit 42 on November 5, 2014 in the report "WireLurker: A New Era in OS X and iOS Malware". It is a trojan with a two-stage infection chain: it first compromises a Mac, then uses the USB connection to push malicious apps onto any iOS device plugged into that Mac, abusing an enterprise provisioning profile so that the apps install on non-jailbroken devices without App Store review. The campaign was distributed through the Maiyadi App Store, a Chinese third-party download site for Mac software, and is attributed to a Chinese-speaking operator connected to that site; no group has publicly claimed it.
🔧 Technical Capabilities
WireLurker arrives as trojanized OS X applications: ordinary Mac software repackaged with the malware and offered for download. Once a Mac is infected, it installs launch daemons under /Library/LaunchDaemons whose names imitate Apple's (com.apple.machook_damon.plist and com.apple.globalupdate.plist), drops its components under /usr/local/machook/ and /usr/bin/globalupdate, and waits for an iOS device to be connected over USB. It then talks to the device through the libimobiledevice library, which it bundles, and installs apps on it. On a non-jailbroken device it sideloads IPA files signed under an enterprise distribution certificate issued to a Chinese company (Hunan Langxiong Advertising Decoration Engineering Co. Ltd.), which is what lets the apps install without the App Store; on a jailbroken device it goes further and repackages apps already on the device with a malicious library. The Mac component polls its command-and-control (C2) server at comeinbaby.com over HTTP for updates and new payloads, and the later of the three versions analysed by Palo Alto Networks were more obfuscated and encrypted their components.
📜 History & Notable Incidents
The trojanized applications were uploaded to the Maiyadi App Store during the spring of 2014 and were being discussed on Chinese forums by mid-year; Palo Alto Networks' analysis, published on November 5, 2014, counted 467 infected OS X applications that had been downloaded more than 356,000 times, so the number of affected users was estimated in the hundreds of thousands, almost all in China. No CVE was assigned because WireLurker exploited no software vulnerability on non-jailbroken devices; it abused a legitimate feature, enterprise app distribution. Apple revoked the enterprise certificate and added the known samples to XProtect, the Maiyadi site went offline, and Chinese media reported that Beijing police detained three suspects later in November 2014.
🔍 Detection Indicators
Host indicators published by Palo Alto Networks include the launch daemons /Library/LaunchDaemons/com.apple.machook_damon.plist and /Library/LaunchDaemons/com.apple.globalupdate.plist, the directory /usr/local/machook/ and the binary /usr/bin/globalupdate; Palo Alto also released a Python script, WireLurkerDetector.py, that checks for these and related files and for Mac applications that bundle libimobiledevice, which WireLurker used to talk to the phone. Network indicators are HTTP connections to the C2 domain comeinbaby.com and its subdomains. Sample hashes are listed in the Unit 42 report and should be taken from there rather than from secondary sources. Mac malware does not use Windows-style named mutexes, so no mutex indicator exists for this family.
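A host check for the file-system indicators above, as an added example that is neither Palo Alto Networks' own WireLurkerDetector.py nor code from this page: it looks for the four published paths under a given volume root and, as a generic heuristic that goes beyond the specific indicators, flags any plist in /Library/LaunchDaemons whose Label claims Apple's com.apple. namespace, since Apple ships its own daemons under /System/Library/LaunchDaemons. The heuristic and the constructed demo tree are assumptions for illustration; run scan("/") on a real Mac to check the live system, and treat the heuristic's output as leads to review, because some Apple-branded tools do legitimately install into /Library/LaunchDaemons.

```python
"""WireLurker host check (added example; not Palo Alto's detector, not page code)."""
import os
import plistlib
import tempfile

# Paths reported in Unit 42's November 2014 analysis, relative to the volume root.
KNOWN_PATHS = (
    "Library/LaunchDaemons/com.apple.machook_damon.plist",
    "Library/LaunchDaemons/com.apple.globalupdate.plist",
    "usr/bin/globalupdate",
    "usr/local/machook",
)


def check_known_paths(root="/"):
    """Return the published WireLurker artefacts that exist under root."""
    return [p for p in KNOWN_PATHS if os.path.lexists(os.path.join(root, p))]


def _program_of(plist):
    """The program a launchd job runs: Program, else the first ProgramArguments entry."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def suspicious_launch_daemons(root="/"):
    """Heuristic (assumption, not from the report): Apple's own daemons live in
    /System/Library/LaunchDaemons, so a job in the third-party directory
    /Library/LaunchDaemons whose Label claims the com.apple. namespace deserves review."""
    daemons_dir = os.path.join(root, "Library", "LaunchDaemons")
    findings = []
    if not os.path.isdir(daemons_dir):
        return findings
    for name in sorted(os.listdir(daemons_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(daemons_dir, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)  # handles XML and binary plists
        except Exception as exc:  # a launchd plist that will not parse is itself worth a look
            findings.append({"path": path, "label": None, "program": None,
                             "reason": f"unparseable plist: {exc}"})
            continue
        label = str(plist.get("Label", ""))
        if label.startswith("com.apple."):
            findings.append({"path": path, "label": label, "program": _program_of(plist),
                             "reason": "Apple-namespaced label in third-party LaunchDaemons directory"})
    return findings


def scan(root="/"):
    """Run both checks against a volume root and return the combined findings."""
    return {"known_paths": check_known_paths(root),
            "launch_daemons": suspicious_launch_daemons(root)}


def build_demo_tree():
    """Constructed sample volume: one WireLurker-named daemon plus one benign third-party daemon."""
    root = tempfile.mkdtemp(prefix="wirelurker-demo-")
    daemons = os.path.join(root, "Library", "LaunchDaemons")
    os.makedirs(daemons)
    os.makedirs(os.path.join(root, "usr", "local", "machook"))
    with open(os.path.join(daemons, "com.apple.machook_damon.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.apple.machook_damon",
                       "ProgramArguments": ["/usr/local/machook/machook"],
                       "RunAtLoad": True}, fh)
    with open(os.path.join(daemons, "com.example.backupagent.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.backupagent",
                       "Program": "/Library/Example/backupagent"}, fh)
    return root


if __name__ == "__main__":
    result = scan(build_demo_tree())
    for p in result["known_paths"]:
        print("known artefact:", p)
    for f in result["launch_daemons"]:
        print("review:", f["path"], f["label"], f["program"], f["reason"])
```

On the demo tree the known-path check finds the machook_damon plist and the /usr/local/machook directory, and the heuristic flags only the Apple-namespaced daemon, not the com.example one; an unreadable plist is reported rather than skipped, since a deliberately malformed job file is a finding in its own right.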
☠️ Risk & Impact
On an infected iOS device WireLurker collected the device serial number, phone number, UDID and Apple ID and, on jailbroken devices, the address book and the iMessage/SMS database, all of which were sent to the C2 server. Because the infected Mac can install further apps on any device connected to it and the malware fetched updates from its server, the operators could deliver additional payloads at will; their end goal was not clear from the analysed samples, and the larger significance of the campaign is that the technique worked against stock, non-jailbroken iPhones. Impact was concentrated in China, where the distribution site and its users were located.
🛡️ Mitigation
On the Mac, install software only from the App Store or identified developers (Gatekeeper) and keep XProtect current; Apple added WireLurker's known samples to XProtect and revoked the enterprise certificate in November 2014. On iOS, do not accept enterprise provisioning profiles you did not expect, and remove any profile not deployed by your own organization (Settings > General > Profiles, or Device Management on newer versions); since iOS 9 the user must also explicitly trust an enterprise developer there before its apps will launch. Do not plug an iPhone into an untrusted Mac, and decline the "Trust This Computer?" prompt on unknown hosts, since WireLurker depended on the device trusting the infected Mac. Endpoint monitoring should alert on new plists appearing in /Library/LaunchDaemons, particularly ones with com.apple.* labels, and on outbound connections to the known C2 domain.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.