UPDATED 17:20 EDT / MARCH 18 2026

SECURITY

Researchers discover zero-day DarkSword exploit chain in iOS 18

Researchers from Google LLC and two cybersecurity companies have identified a set of zero-day exploits in iOS 18.

Google’s GTIG threat intelligence team, Lookout Inc. and iVerify Inc. published their findings today. They named the vulnerability collection DarkSword. It affects multiple versions of iOS 18 that run on hundreds of millions of iPhones.

The researchers first detected the use of DarkSword by hackers last November. According to Wired, a Russian state-sponsored hacking group embedded the exploit chain in several legitimate Ukrainian websites. The malware infected iOS 18 users who visited the websites.

Google determined that several other threat actors have also used DarkSword to launch cyberattacks. Those hacking campaigns targeted users in Saudi Arabia, Turkey and Malaysia. “It is likely that other commercial surveillance vendors or threat actors may also be using DarkSword,” researchers from Google’s GTIG team wrote in a blog post today. 

These cyberattacks reportedly use tactics similar to so-called fileless malware strains that target Windows devices. In a fileless cyberattack, hackers abuse programs already present on the user’s computer to gain access. Such breaches leave fewer traces on the compromised device, which makes them more difficult to detect.

DarkSword targets Apple’s Safari browser. Its first component is a malicious HTML file embedded in a compromised website. The HTML file downloads a JavaScript file, which “performs some initialization” and subsequently installs a malicious payload.

Google identified two versions of the malicious payload. Both variants use a pair of zero-day vulnerabilities to compromise website visitors’ devices.

The first vulnerability is a memory corruption flaw. It enables hackers to overwrite parts of a targeted device’s RAM with malicious code. The flaw is in JavaScriptCore, the engine Safari uses to run the JavaScript code in web pages.

The other exploit used by the DarkSword payload is a Pointer Authentication Codes bypass. PAC is a feature that detects attempts to tamper with information on a device. It is designed to protect pointers, values that hold the memory address of other data structures.
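To make the PAC mechanism concrete, here is an added software model (not code from the article or from Apple) of how a pointer is signed and then authenticated before use: the unused upper bits of a 64-bit pointer carry a keyed tag derived from the address and a context value, so a pointer whose address or context was altered fails the check. The key, the 47-bit address width and the tag placement are constructed assumptions for illustration; real hardware uses a different cipher and per-process keys held in registers.

```python
import hmac
import hashlib

# Constructed layout: 47-bit virtual addresses, 16-bit PAC in bits 47..62,
# bit 63 left clear. This is an educational simulation, not the ARM algorithm.
VA_BITS = 47
PAC_BITS = 16
PAC_SHIFT = VA_BITS
VA_MASK = (1 << VA_BITS) - 1
PAC_MASK = ((1 << PAC_BITS) - 1) << PAC_SHIFT

# Constructed demo key; on real hardware the key never leaves privileged state.
KEY = b"constructed-demo-key-not-a-real-pac-key"


def compute_pac(ptr, modifier, key=KEY):
    """Derive a PAC from the pointer's address bits and a context modifier.

    The modifier plays the role of the 'salt' real code uses (for example the
    stack pointer for return addresses), so the same address signed in two
    contexts yields two different tags.
    """
    msg = (ptr & VA_MASK).to_bytes(8, "little") + modifier.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little") & ((1 << PAC_BITS) - 1)


def sign_pointer(ptr, modifier):
    """Embed the PAC in the pointer's unused upper bits (like PACIA/PACDA)."""
    return (ptr & VA_MASK) | (compute_pac(ptr, modifier) << PAC_SHIFT)


def auth_pointer(signed, modifier):
    """Return the plain pointer if the PAC matches; raise if it was tampered
    with or is used in the wrong context (like AUTIA/AUTDA faulting)."""
    ptr = signed & VA_MASK
    if (signed & PAC_MASK) >> PAC_SHIFT != compute_pac(ptr, modifier):
        raise ValueError("pointer authentication failed")
    return ptr


def is_authentic(signed, modifier):
    """Boolean wrapper around auth_pointer for callers that prefer no exception."""
    try:
        auth_pointer(signed, modifier)
        return True
    except ValueError:
        return False
```

A 16-bit tag means a blind guess succeeds about once in 65,536 attempts, which is why PAC is paired with other isolation layers rather than relied on alone.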

Safari runs webpages’ code in a sandbox protected by several layers of isolation to reduce the risk of breaches. According to Google, DarkSword uses two different zero-day exploits to bypass those isolation layers. It subsequently installs a module that steals data from iMessage, WhatsApp, Apple Health and other apps along with crypto wallets. 

According to Google, the malware sends data to hackers’ servers via connections encrypted with a “custom binary protocol over HTTP.” The protocol protects the traffic using two widely used cryptographic primitives, ECDH key agreement and AES encryption.

DarkSword is a “reminder that mobile devices are becoming a primary entry point for sensitive data exfiltration, especially as more business-critical workflows consolidate onto a single device that is rarely monitored with the same rigor as a traditional endpoint,” said Steve Cobb, chief information security officer of cybersecurity startup SecurityScorecard Inc. “Once attackers gain access to credentials or corporate data on a device, they are no longer limited to that phone. They can move into SaaS platforms, cloud environments, and partner systems.”

Affected Apple users can mitigate DarkSword by enabling a security feature called Lockdown Mode. Updating to a newer version of iOS also resolves the issue. Apple has released security patches for legacy devices that don’t support a full operating system upgrade.

The disclosure of DarkSword comes two weeks after Google researchers exposed another, more advanced iOS cyberattack toolkit called Coruna. It has been used by the same Russian hacking group and other threat actors to target iOS versions 13 through 17. Apple patched Coruna ahead of Google’s disclosure.
