As the iPhone grows in popularity, bad actors are developing more malware and malicious campaigns designed for the iOS platform. The latest analysis by Media Trust's Digital Security & Operations (DSO) claims that a new malware called Krampus-3PC has compromised tens and hundreds of iPhone users.
According to the analysis, the Krampus-3PC malicious campaign has affected more than a hundred publishing websites, many of which belong to online publishers and international weekly news magazines based in the UK. The campaign was designed to victimize iPhone users only and attacks its victims in multiple stages.
How Krampus-3PC attacks iPhones
- To infect their targets, the developers of the Krampus-3PC malware campaign took advantage of the shopping season, when everyone looks forward to never-before-available deals.
- In the first stage of the attack, Krampus-3PC sends a fraudulent popup message to the victim's iPhone, disguised as a reward advertisement or fake gift-card advertisement for a grocery store.
- Once the victim clicks the reward link on the impersonated grocery store page, the malware opens a phishing page and asks the victim for some personal information.
- While the victim enters their personal credentials, the malware checks whether the device has already been infected.
- The malware sends this information, along with the victim's personal number, back to the hacker for launching more phishing attacks at a later stage. The attackers also collect user session and cookie information, which they later use to log into the victims' various social media and online bank accounts.
- The hacker pushed an advertisement through the Adtechstack adtech provider and later injected malicious code into the provider's APIs.
- The advertisement claims to come from a global technology company and features a renowned brand to lure victims.
- The malware checked whether the device was an iPhone by testing whether the graphics renderer vendor was "Apple" and the font style within the browser was "style weight small caps". If the results were positive, Krampus-3PC built and executed the payload URL.
- This payload URL then hijacks the browser by replacing the page URL to redirect users to the reward popup. If the redirection fails, it loads the malicious URL in another tab. The URL continues to open and load in a new tab until the redirection succeeds.
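For publishers and ad operations teams that review third-party creative script, the following added example (not code from the DSO analysis or from Krampus-3PC) shows a simple static triage that flags script combining the two behaviours described above: a device check on the graphics vendor string "Apple" and a forced top-level redirect or new-tab open. The signal names, regular expressions and sample fragments are assumptions constructed for illustration.

```javascript
// Added example: heuristic triage of third-party ad script.
// Signal names and regexes are illustrative assumptions, not DSO indicators.
const SIGNALS = {
  // Reads the graphics vendor/renderer string through WebGL.
  webglVendorProbe: /UNMASKED_(?:VENDOR|RENDERER)_WEBGL|WEBGL_debug_renderer_info/,
  // Compares some value against the literal "Apple".
  appleLiteral: /["']Apple\b/,
  // Assigns or replaces the top-level page URL (== and === comparisons are ignored).
  topNavigation: /\b(?:top|parent)\.location(?:\.(?:href|replace|assign))?\s*(?:=(?!=)|\()/,
  // Opens a URL in a new tab or window.
  newTabOpen: /\bwindow\.open\s*\(/,
};

// Returns a verdict plus the names of the signals that matched.
function scanCreative(source) {
  const hits = Object.keys(SIGNALS).filter((name) => SIGNALS[name].test(source));
  const deviceCheck = hits.includes("webglVendorProbe") && hits.includes("appleLiteral");
  const redirect = hits.includes("topNavigation") || hits.includes("newTabOpen");
  let verdict = "allow";
  if (deviceCheck && redirect) verdict = "block"; // device-gated redirect
  else if (deviceCheck || redirect) verdict = "review"; // one half only: needs a human
  return { verdict, hits };
}

// Constructed sample fragments for the demo, not captured Krampus-3PC code.
const SAMPLES = {
  benignBanner: 'img.src = "https://cdn.example/banner.png"; el.appendChild(img);',
  frameCheck: "if (top.location === self.location) { render(); }",
  clickThrough: "btn.onclick = function () { window.open(clickUrl); };",
  gatedRedirect:
    "var v = gl.getParameter(ext.UNMASKED_VENDOR_WEBGL);" +
    'if (v.indexOf("Apple") === 0) { top.location.replace(u); }',
};

// Maps every sample name to its verdict.
function scanAll(samples) {
  const out = {};
  for (const [name, src] of Object.entries(samples)) out[name] = scanCreative(src).verdict;
  return out;
}

console.log(scanAll(SAMPLES));
```

A static pattern match like this only catches unobfuscated script, so it is a first-pass filter in front of runtime monitoring of creatives, not a replacement for it.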
Krampus-3PC compromised all the malware blocker and scanner services installed on the online news websites and the online advertisement providers' websites. However, the DSO hasn't disclosed the names of the victim websites yet.
Krampus is a horned, anthropomorphic figure of Central European folklore, described as "half-goat, half-demon". He is notorious for punishing misbehaving children during the Christmas season, in contrast with Saint Nicholas, who rewards the well-behaved with gifts. In Europe, Krampus is often depicted as one of the companions of Saint Nicholas during the Christmas season.
"Krampus's name is derived from the German word krampen, meaning claw, and is said to be the son of Hel in Norse mythology. The legendary beast also shares characteristics with other scary, demonic creatures in Greek mythology, including satyrs and fauns," explains National Geographic.