INSOMNIA
INSOMNIA is an iOS spyware implant associated with China-linked espionage activity targeting Uyghur activists, journalists, and dissidents. Reporting links its deployment to the threat actor tracked as Earth Empusa / Evil Eye, and Volexity assessed it was likely the same group behind earlier iOS implant exploitation described by Google Project Zero. The malware was delivered via malicious JavaScript and a WebKit-based exploit chain served from compromised or look-alike Uyghur- and Turkish-themed websites in watering-hole attacks. Volexity reported the exploit worked against iOS 12.3, 12.3.1, and 12.3.2, and that the exploited vulnerability appeared patched in iOS 12.4. If exploitation succeeded, a Mach-O payload wrote the implant to /tmp/updateserver and executed it with elevated entitlements as root; Volexity noted the implant lacked a persistence mechanism.
Observed capabilities include collection of the device phone number, ICCID, IMEI, active network interface, device name, serial number, iOS version, total and free disk space, contact list, SMS messages, iMessages, call history, device photos, application database files, and third-party app container directories (including Gmail and Hangouts data). Volexity also reported that the updated implant targeted data from Signal, ProtonMail, and WeChat. INSOMNIA communicates with its command-and-control infrastructure over HTTPS; the updated version validated the C2 server against an embedded certificate and refused to operate if validation failed, which also defeats interception by a TLS proxy presenting a substituted certificate. Reported infrastructure and delivery indicators include exploit delivery via cdn.doublesclick[.]me and malicious JavaScript observed on strunhvgpk[.]com, with related infrastructure including sslportservices[.]com.
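As an added example (not code from Volexity, Facebook, or any other report summarised here), the script below hunts a web-proxy log for requests to the delivery and infrastructure domains named above and flags clients whose iOS version falls in the 12.3 to 12.3.2 range Volexity reported as exploitable. The log layout, timestamps, client IPs, and URL paths are constructed; only the domains and the iOS version range come from the reporting on this page.

```python
"""Hunt web-proxy logs for INSOMNIA delivery infrastructure and at-risk clients.

Added example for this page, not code from Volexity, Facebook, or any other
report. The log layout and sample lines are constructed; adapt _LOG_RE to
your proxy's real format.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Delivery and related infrastructure named in public reporting, with the
# defanging brackets removed so they match real log data.
INSOMNIA_DOMAINS = {"cdn.doublesclick.me", "strunhvgpk.com", "sslportservices.com"}

# iOS builds Volexity reported the exploit working against; 12.4 is patched.
VULNERABLE_IOS = {(12, 3), (12, 3, 1), (12, 3, 2)}

# Mobile Safari/WebKit UAs carry "CPU iPhone OS 12_3_1" (iPhone) or "CPU OS 12_3_1" (iPad).
_IOS_UA_RE = re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))?")

# Constructed layout: <timestamp> <client_ip> <method> <url> "<user-agent>"
_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    host: str
    ios_version: Optional[Tuple[int, ...]]
    vulnerable_ios: bool


def ios_version_from_ua(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Return the iOS version as a tuple, or None for non-iOS user agents."""
    m = _IOS_UA_RE.search(user_agent)
    if not m:
        return None
    parts = [int(g) for g in m.groups() if g is not None]
    while len(parts) > 2 and parts[-1] == 0:  # "12_3_0" compares equal to "12_3"
        parts.pop()
    return tuple(parts)


def is_vulnerable_ios(version: Optional[Tuple[int, ...]]) -> bool:
    """True only for the 12.3.x builds the exploit was reported to work against."""
    return version is not None and version in VULNERABLE_IOS


def matches_indicator(host: str) -> bool:
    """Exact or subdomain match against the reported domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in INSOMNIA_DOMAINS)


def hunt(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per request to a reported domain, flagging exploitable iOS clients."""
    hits: List[Hit] = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        ts, client_ip, _method, url, ua = m.groups()
        host = urlparse(url).hostname or ""
        if not matches_indicator(host):
            continue
        ver = ios_version_from_ua(ua)
        hits.append(Hit(ts, client_ip, host, ver, is_vulnerable_ios(ver)))
    return hits


# Constructed sample lines: timestamps, client IPs and URL paths are invented.
_UA_IOS_1231 = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) "
                "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1")
_UA_IOS_124 = _UA_IOS_1231.replace("12_3_1", "12_4")
_UA_ANDROID = ("Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/80.0 Mobile Safari/537.36")

SAMPLE_LOG = [
    f'2020-01-22T10:15:01Z 10.0.0.5 GET https://cdn.doublesclick.me/js/app.js "{_UA_IOS_1231}"',
    f'2020-01-22T10:15:07Z 10.0.0.9 GET https://strunhvgpk.com/news/index.html "{_UA_IOS_124}"',
    f'2020-01-22T10:15:09Z 10.0.0.5 GET https://www.example.com/ "{_UA_IOS_1231}"',
    f'2020-01-22T10:16:44Z 10.0.0.12 POST https://c2.sslportservices.com/upload "{_UA_ANDROID}"',
]


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        flag = "EXPLOITABLE iOS" if h.vulnerable_ios else "review"
        print(f"{h.timestamp} {h.client_ip} -> {h.host} ios={h.ios_version} [{flag}]")
```

Because the implant has no persistence mechanism, the request to the delivery domain may be the only durable trace of an infection, so retain proxy and DNS logs for the full window of interest. The domain list is a point-in-time indicator set and watering-hole operators rotate infrastructure; treat the iOS-version gating as the more durable signal and pair it with DNS telemetry for the same hosts.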
Groups observed using it
3 distinct threat actors attributed by public researchers.
If the exploit is successful, a new version of the implant described by Google will be installed onto the device. Volexity refers to this implant by the name INSOMNIA.
"...contained malicious javascript code that resembled previously reported exploits, which installed iOS malware known as INSOMNIA on people’s devices once they were compromised."
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique: “set up malicious websites that used look-alike domains for popular Uyghur and Turkish news sites.”
Initial Access
2 techniques: “Compromising and impersonating news websites… compromised legitimate websites frequently visited by their targets as part of watering hole attacks… Some of these web pages contained malicious javascript code… which installed iOS malware known as INSOMNIA…”
“Social engineering: This group used fake accounts on Facebook to create fictitious personas posing as journalists, students, human rights advocates or members of the Uyghur community to build trust with people they targeted and trick them into clicking on malicious links.”
Execution
1 technique: “Some of these web pages contained malicious javascript code that resembled previously reported exploits, which installed iOS malware known as INSOMNIA on people’s devices once they were compromised.”
Stealth
1 technique: “only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser and country and language settings.”
Discovery
1 technique: INSOMNIA gathers device and network identifiers (phone number, ICCID, IMEI, active network interface, device name, serial number, iOS version, and total and free disk space). The procedure examples attached to this technique (AbstractEmu collecting IP address and SIM information; Android/SpyAgent collecting the IMEI and phone number; ANDROIDOS_ANSERVER.A gathering IMEI and IMSI; other mobile families collecting IMEI, IMSI, ICCID, MEID, serial number, phone number, MAC address, IP address, carrier, and MCC/MNC) describe other malware, not INSOMNIA.
Collection
1 technique: INSOMNIA collects the contact list, SMS messages, iMessages, call history, device photos, application database files, and third-party app container directories (Gmail and Hangouts data; Signal, ProtonMail, and WeChat in the updated version). The procedure examples attached to this technique (AbstractEmu collecting files from the filesystem; AhRat exfiltrating files by extension such as .jpg, .mp4, .html, .docx, and .pdf; BOULDSPY reading browser history and bookmarks and listing all files and folders) describe other malware, not INSOMNIA.
Command and Control
1 technique: INSOMNIA communicates with its C2 over HTTPS, and the updated version validates the C2 server against an embedded certificate before operating. The procedure examples attached to this technique (AbstractEmu over HTTP; AhRat over HTTPS; BRATA over HTTP and WebSockets; LightSpy over HTTPS and WebSockets) describe other malware, not INSOMNIA.
IOCs tracked for this family
21 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
16 sources tracked across advisories, community write-ups, and news.
Spyware that collects app database files, photos, and third-party app container directories.