ATT&CK v16 has been released! Check out the blog post for more information.

INSOMNIA

INSOMNIA is spyware that has been used by the group Evil Eye.^[1]

ID: S0463

ⓘ

Type: MALWARE

ⓘ

Platforms: iOS

Version: 1.0

Created: 02 June 2020

Last Modified: 24 June 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Mobile	T1437	.001	Application Layer Protocol: Web Protocols	INSOMNIA communicates with the C2 server using HTTPS requests.^[1]
Mobile	T1634	.001	Credentials from Password Store: Keychain	INSOMNIA can extract the device’s keychain.^[2]
Mobile	T1533		Data from Local System	INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.^[2]
Mobile	T1456		Drive-By Compromise	INSOMNIA has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.^[1]
Mobile	T1404		Exploitation for Privilege Escalation	INSOMNIA exploits a WebKit vulnerability to achieve root access on the device.^[1]
Mobile	T1430		Location Tracking	INSOMNIA can track the device’s location.^[2]
Mobile	T1509		Non-Standard Port	INSOMNIA has communicated with the C2 using HTTPS requests over ports 43111, 43223, and 43773.^[1]
Mobile	T1406		Obfuscated Files or Information	INSOMNIA obfuscates various pieces of information within the application.^[1]
Mobile	T1631	.001	Process Injection: Ptrace System Calls	INSOMNIA grants itself permissions by injecting its hash into the kernel’s trust cache.^[2]
Mobile	T1636	.002	Protected User Data: Call Log	INSOMNIA can retrieve the call history.^[2]
		.003	Protected User Data: Contact List	INSOMNIA can collect the device’s contact list.^[2]
		.004	Protected User Data: SMS Messages	INSOMNIA can retrieve SMS messages and iMessages.^[2]
Mobile	T1418		Software Discovery	INSOMNIA can obtain a list of installed non-Apple applications.^[2]
Mobile	T1426		System Information Discovery	INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space.^[2]
Mobile	T1422		System Network Configuration Discovery	INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).^[2]
		.001	Internet Connection Discovery	INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).^[2]
		.002	Wi-Fi Discovery	INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).^[2]

References

A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.

I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.