rwx_allocator, using multiple techniques to bypass the various mitigations that prevent allocation of RWX memory pages in userland. The kernel exploits also embed various internal modules that allow them to bypass kernel-based mitigations such as kernel-mode PAC.

PlasmaLoader (tracked by GTIG as PLASMAGRID), using com.apple.assistd as an identifier, facilitates communication with the kernel component established by the exploit. The loader injects itself into powerd, a daemon running as root on iOS.

http://<C2 URL>/details/show.html

The configuration, as well as the additional modules, are compressed as 7-ZIP archives protected with a unique hard-coded password. The configuration is encoded in JSON and simply contains a list of module names with their respective URL, hash and size.

```json
{
  "entries": [
    {
      "bundleId": "com.bitkeep.os",
      "url": "http://<C2URL>/details/f6lib.js",
      "sha256": "6eafd742f58db21fbaf5fd7636e6653446df04b4a5c9bca9104e5dfad34f547c",
      "size": 256832,
      "flags": {
        "do_not_close_after_run": true
      }
    }
    ...
  ]
}
```

- com.bitkeep.os
- com.bitpie.wallet
- coin98.crypto.finance.insights
- org.toshi.distribution
- exodus-movement.exodus
- im.token.app
- com.kyrd.krystal.ios
- io.metamask.MetaMask
- org.mytonwallet.app
- app.phantom
- com.skymavis.Genesis
- com.solflare.mobile
- com.global.wallet.ios
- com.tonhub.app
- com.jbig.tonkeeper
- com.tronlink.hdwallet
- com.sixdays.trust
- com.uniswap.mobile

```
<PlasmaLogger> %s[%d]: CorePayload ...
<PlasmaLogger> %s[%d]: [PLCoreHeartbeatMonitor] ( =0x%x) CorePayload ...
```

sdkv or x-ts, followed by a timestamp.

The implant contains a list of hard-coded C2s but has a fallback mechanism in case the servers do not respond. The implant embeds a custom domain generation algorithm (DGA) that uses the string "lazarus" as a seed to generate a list of predictable domains. The domains are 15 characters long and use .xyz as the TLD. The attackers use Google's public DNS resolver to check whether the domains are active.
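A defender-side check built only from the DGA traits the report states, as an added example (not the report's code and not the implant's actual algorithm): it scans constructed DNS log lines for 15-character .xyz names resolved through Google's public DNS and flags hosts that query several of them, which is the shape of the C2 fallback. The log line format and the reading of "15 characters" as the second-level label are assumptions.

```python
import re
from collections import Counter

# Constructed sample DNS log lines (not from the report); the format
# "<timestamp> <client_ip> -> <resolver_ip> query <qname>" is an assumption.
SAMPLE_DNS_LOG = """\
2024-06-01T10:00:01Z 10.0.0.12 -> 8.8.8.8 query abcdefghijklmno.xyz
2024-06-01T10:00:02Z 10.0.0.12 -> 8.8.8.8 query www.apple.com
2024-06-01T10:00:03Z 10.0.0.12 -> 8.8.4.4 query qwertyuiopasdfg.xyz
2024-06-01T10:00:04Z 10.0.0.12 -> 10.0.0.1 query zxcvbnmasdfghjk.xyz
2024-06-01T10:00:05Z 10.0.0.12 -> 8.8.8.8 query short.xyz
2024-06-01T10:00:06Z 10.0.0.12 -> 8.8.8.8 query abcdefghijklmno.com
2024-06-01T10:00:07Z 10.0.0.12 -> 8.8.8.8 query mnbvcxzlkjhgfds.xyz
2024-06-01T10:00:08Z 10.0.0.55 -> 8.8.8.8 query poiuytrewqasdfg.xyz
"""

GOOGLE_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"}
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) query (\S+)$")


def looks_like_plasma_dga(qname: str, label_len: int = 15) -> bool:
    # Traits from the report: .xyz TLD and a 15-character name. Reading the
    # 15 characters as the second-level label is an assumption (see label_len).
    labels = qname.lower().rstrip(".").split(".")
    return (len(labels) == 2 and labels[1] == "xyz"
            and len(labels[0]) == label_len and labels[0].isalnum())


def find_dga_candidates(log_text: str, require_google_resolver: bool = True) -> list[dict]:
    # Keep queries of the DGA shape; by default only those sent to Google's
    # public resolver, which the report says the implant uses to test domains.
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, resolver, qname = m.groups()
        if not looks_like_plasma_dga(qname):
            continue
        if require_google_resolver and resolver not in GOOGLE_PUBLIC_DNS:
            continue
        hits.append({"ts": ts, "client": client, "resolver": resolver, "qname": qname})
    return hits


def clients_in_fallback_burst(hits: list[dict], threshold: int = 3) -> list[str]:
    # One host resolving several DGA-shaped names is the C2 fallback pattern.
    counts = Counter(h["client"] for h in hits)
    return sorted(c for c, n in counts.items() if n >= threshold)
```

On real telemetry, feed the resolver's query log through find_dga_candidates and alert on clients_in_fallback_burst rather than on single matches, since benign 15-character .xyz names exist.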