IOS.Lastacloud
First posted on 14 December 2014.
Source: Symantec
Aliases:
There are no other names known for IOS.Lastacloud.
Explanation:
The Trojan horse can be installed on jailbroken iOS devices.
When the Trojan is executed, it drops the following file to install itself:
/var/root/Media/Cydia/AutoInstall/d.deb
Note: The file is deleted once the Trojan is installed.
The Trojan creates the following files:
/usr/bin/C
/System/Library/LaunchDaemons/com.apple.tor.plist
/usr/bin/cores
/usr/bin/cores2
The Trojan connects to the following location to check for an internet connection:
www.apple.com
The Trojan may steal the following information from the compromised device:
Address book contents
ICCID
Platform type
Name
Model
System version
Free space
Total space
CPU frequency
CPU count
Total memory
Used memory
Max socket buffer size
Locale identifier
Language display name
Default time zone
Local time zone
Phone number
Carrier name
Carrier bundle name
ISO country name
Connection state
MAC address
Contents of /private/var/root/Library/Lockdown/data_ark.plist
Safari history
The Trojan connects to a remote server using information from an encrypted configuration file in the following location:
/usr/bin/cores
The encrypted configuration file contains the following information:
Server
User name
Password
The Trojan may download and install a package in the following location:
/var/root/Media/Cydia/AutoInstall/
The Trojan may download and install a separate package in the following location:
/usr/bin/cores2
Last update 14 December 2014