INSOMNIA is spyware that has been used by the group Evil Eye.[1]

ID: S0463
Platforms: iOS
Version: 1.0
Created: 02 June 2020
Last Modified: 24 June 2020

Techniques Used

Domain ID Name Use
Mobile T1433 Access Call Log

INSOMNIA can retrieve the call history.[2]

Mobile T1432 Access Contact List

INSOMNIA can collect the device’s contact list.[2]

Mobile T1418 Application Discovery

INSOMNIA can obtain a list of installed non-Apple applications.[2]

Mobile T1412 Capture SMS Messages

INSOMNIA can retrieve SMS messages and iMessages.[2]

Mobile T1540 Code Injection

INSOMNIA grants itself permissions by injecting its hash into the kernel’s trust cache.[2]

Mobile T1533 Data from Local System

INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.[2]

Mobile T1456 Drive-by Compromise

INSOMNIA has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.[1]

Mobile T1404 Exploit OS Vulnerability

INSOMNIA exploits a WebKit vulnerability to achieve root access on the device.[1]

Mobile T1579 Keychain

INSOMNIA can extract the device’s keychain.[2]

Mobile T1430 Location Tracking

INSOMNIA can track the device’s location.[2]

Mobile T1406 Obfuscated Files or Information

INSOMNIA obfuscates various pieces of information within the application.[1]

Mobile T1437 Standard Application Layer Protocol

INSOMNIA communicates with the C2 server using HTTPS requests.[1]

Mobile T1426 System Information Discovery

INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space.[2]

Mobile T1422 System Network Configuration Discovery

INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).[2]

Mobile T1509 Uncommonly Used Port

INSOMNIA has communicated with the C2 over TCP ports 43111, 43223, and 43773.[1]