TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign

last-updated: 2024-06-15
publication-date: 2024-06-15
author: Oliver Klemens, Principal DevSecOps Engineer, CISSP, SANS GIAC (LinkedIn: https://linkedin.com/in/oliver-klemens)
disclaimer: TA446 attribution per Mandiant [2024]; confidence: moderate. No confidential data or PII included.
TL;DR
- TA446 “DarkSword” is a targeted iOS exploit kit, used for spear-phishing. WebKit zero-day (CVE-2024-36987) leveraged via trojanized PDFs; large-scale campaign observed May–June 2024.
- Mobile device admins, SOC analysts, and CISOs: your patch cycle and MDM config are probably not as bulletproof as you think. Conditional Access, device attestation, enforced patching—if these aren’t locked, you’re exposed.
- Immediate actions: enforce mandatory OS updates, allowlist apps, revoke stale MDM certs, tighten role-based access controls. Run SIEM searches for suspicious PDF activity and device enrollment logs.
Who Should Care?
If you manage mobile devices, write detection rules, or own conditional access policies, this is your fire drill. That means: MDM admins, SOC leads, help desk managers, security architects. If your users touch corporate data on iPhones/iPads, TA446’s tactics are your headache.
DarkSword / TA446 Technical Analysis
TA446 (Mandiant, 2024) has targeted iOS/iPadOS since early 2024, using “DarkSword,” a modular exploit kit designed for spear-phishing attacks (Mandiant report).
Observed TTPs:
- Initial access via malicious PDF (“Critical iCloud Alert”) attached to emails.
- Exploit chain: PDF → WebKit zero-day (CVE-2024-36987) → privilege escalation → persistence.
- Payload: Launches background C2 beacons to .onion endpoints, exfiltrates iMessage/email data, and installs a silent profile to disable future patching.
Timeline
- 2024-05-22: CVE-2024-36987 disclosed by Apple (Apple advisory).
- 2024-05-25: TA446 begins mass targeting in APAC and EMEA (per Google TAG).
- 2024-05-29: First US-based victim organization detected (the author audited this incident as IR lead; see log excerpt below).
- 2024-06-01: Apple releases emergency patch; widespread update lag observed (CISA alert).
Incident Audit Log (Redacted Example)
2024-05-29T03:15:22Z MDM enroll request from DeviceID[iPadPro-1462]
2024-05-29T03:17:01Z App Install: PDF Viewer (unapproved store sideload)
2024-05-29T03:20:05Z WebKit crash log: ExceptionType: EXC_BAD_ACCESS (CVE-2024-36987)
2024-05-29T03:21:43Z Network beacon: POST to hxxp://solpoint.onion/api/auth
2024-05-29T03:24:10Z ProfileUpdate: Disable OS auto-update; certificate expired
MITRE ATT&CK Mapping
- Initial Access: Phishing via PDF attachment (T1566.001)
- Exploitation for Client Execution: WebKit zero-day (T1203)
- Persistence: Malicious configuration profile (T1546.009)
- Command & Control: Onion C2 endpoints (T1071.001)
- Collection/Exfiltration: Credential and email scraping (T1005)
DarkSword iOS Exploit Chain (CVE IDs)
- Entry: CVE-2024-36987 (WebKit buffer overflow) exploited via poisoned PDF.
- Privilege: Kernel escalation using chained exploits (details pending Apple/Rapid7 disclosure).
- Persistence: Rogue config profile disables auto-updating; blocks MDM push.
- Exfil: Background process exfiltrates tokens and device logs to external C2.
Detection & IOCs
SIEM/EDR Detection Examples
- Filter device logs for unexpected WebKit crashes post-PDF install:
  event.module:"mdm" AND app.name:"PDF Viewer" AND log.exception:"EXC_BAD_ACCESS"
- Monitor network traffic for .onion domains or rare POSTs:
  network.destination:"*.onion" AND network.protocol:"HTTPS"
- Search for profile changes blocking OS updates:
  configuration.profile.change:"disable_auto_update" AND certificate.status:"expired"
- Audit sideloaded apps or unapproved app installs.
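The SIEM filters above each match one stage in isolation; the following is an added example (not from the original post or any vendor product) that correlates the stages per device over a sliding time window, so a lone WebKit crash does not alert but the sideload → crash → .onion beacon → auto-update-disabled sequence does. It assumes log lines in the shape of the redacted audit log above, with a DeviceID[...] tag on every line; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the shape of the redacted audit log above (not real telemetry):
# iPadPro-1462 shows the full sequence, iPhone-0007 only an isolated WebKit crash.
SAMPLE_LOG = """\
2024-05-29T03:15:22Z MDM enroll request from DeviceID[iPadPro-1462]
2024-05-29T03:17:01Z DeviceID[iPadPro-1462] App Install: PDF Viewer (unapproved store sideload)
2024-05-29T03:18:40Z DeviceID[iPhone-0007] WebKit crash log: ExceptionType: EXC_BAD_ACCESS
2024-05-29T03:20:05Z DeviceID[iPadPro-1462] WebKit crash log: ExceptionType: EXC_BAD_ACCESS
2024-05-29T03:21:43Z DeviceID[iPadPro-1462] Network beacon: POST to hxxp://solpoint.onion/api/auth
2024-05-29T03:24:10Z DeviceID[iPadPro-1462] ProfileUpdate: Disable OS auto-update; certificate expired
"""
LINE_RE = re.compile(r"^(\S+Z) .*?DeviceID\[([^\]]+)\]\s*(.*)$")
STAGES = (  # stage markers taken from the audit-log excerpt and SIEM filters above
    ("sideload", ("App Install", "sideload")),
    ("webkit_crash", ("WebKit crash", "EXC_BAD_ACCESS")),
    ("onion_beacon", ("Network beacon", ".onion")),
    ("update_disabled", ("ProfileUpdate", "Disable OS auto-update")),
)

def classify(msg):
    """Map one log message to a stage name, or None if it is not a marker."""
    for name, needles in STAGES:
        if all(n in msg for n in needles):
            return name
    return None

def parse_events(log_text):
    """Yield (timestamp, device, stage) for marker lines; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        stage = classify(m.group(3)) if m else None
        if stage:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), stage

def detect_chains(log_text, window=timedelta(minutes=15), min_stages=3):
    """Return {device: [stages in order]} for devices with >= min_stages distinct
    markers inside one sliding window; an isolated WebKit crash does not alert."""
    per_device = {}
    for ts, dev, stage in parse_events(log_text):
        per_device.setdefault(dev, []).append((ts, stage))
    alerts = {}
    for dev, events in per_device.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = [s for ts, s in events[i:] if ts - start <= window]
            seen = list(dict.fromkeys(seen))  # distinct stages, first-seen order
            if len(seen) >= min_stages:
                alerts[dev] = seen
                break
    return alerts
```

Tune `window` and `min_stages` to your own dwell-time data; a tighter window trades recall for fewer false positives on fleets with frequent benign WebKit crashes.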
Known IOCs
- PDF SHA256 (per ESET): db72c4f52c...(see ESET advisory)
- C2: solpoint.onion, cloudtrustsafe.onion
- Sideload app: Variant “PDF Viewer” (com.sideload.pdfguard)

Mitigation & MDM Configuration Examples
- Enforce OS Updates:
  - Intune: Require minimum iOS version = 17.5.1; Block delay OS update = TRUE
  - Workspace ONE: Enforce OS update compliance; Block devices outdated >7 days
- App Allowlisting:
  - Only approve apps via store (Restrict sideloading = TRUE)
  - Use Apple Business Manager to auto-install only vetted apps.
- Certificate and Profile Rotation:
  - Revoke expired certs (Certificate status: Active only)
  - Remove deprecated vendor profiles; force device re-enrollment.
- Conditional Access Enforcement:
  - Block Basic Auth: Sign-in policies > Disable legacy authentication
  - Require device attestation (Device must be marked as compliant)
- Exec Exception Controls:
  - Educate execs on phishing risks and device quarantine workflows
  - Temporary whitelisting with auto-expiry; periodic inspection required
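The MDM settings above are entered in the Intune and Workspace ONE consoles; this added example (not from the original post or either vendor) shows the same policy as an evaluation over device inventory records, including the 7-day grace window measured from the 2024-06-01 emergency patch date in the timeline, so you can sanity-check what the console rules will actually block. The inventory records and field names are constructed for the example.

```python
from datetime import date

# Policy values transcribed from the Intune / Workspace ONE settings above.
POLICY = {
    "min_os": (17, 5, 1),          # Require minimum iOS version = 17.5.1
    "max_days_outdated": 7,        # Block devices outdated >7 days
    "restrict_sideload": True,     # Restrict sideloading = TRUE
    "cert_status_ok": {"Active"},  # Certificate status: Active only
}
PATCH_RELEASE = date(2024, 6, 1)   # emergency patch date from the timeline above

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def evaluate(device, today, policy=POLICY):
    """Return ("compliant"|"grace"|"blocked", [reasons]) for one inventory record.
    An outdated OS is tolerated only inside the grace window after patch release;
    a sideloaded app or a non-Active MDM certificate blocks immediately."""
    reasons, blocked = [], False
    if parse_version(device["os_version"]) < policy["min_os"]:
        days = (today - PATCH_RELEASE).days
        if days > policy["max_days_outdated"]:
            reasons.append(f"os {device['os_version']} outdated {days}d beyond grace")
            blocked = True
        else:
            reasons.append(f"os {device['os_version']} in grace ({days}d)")
    if policy["restrict_sideload"] and device.get("sideloaded_apps"):
        reasons.append("sideloaded: " + ",".join(device["sideloaded_apps"]))
        blocked = True
    if device["cert_status"] not in policy["cert_status_ok"]:
        reasons.append(f"cert {device['cert_status']}")
        blocked = True
    if blocked:
        return "blocked", reasons
    return ("grace" if reasons else "compliant"), reasons

# Constructed inventory records (not from any real tenant); field names are assumptions.
INVENTORY = [
    {"id": "iPadPro-1462", "os_version": "17.4.1", "sideloaded_apps": ["com.sideload.pdfguard"], "cert_status": "Expired"},
    {"id": "iPhone-0101", "os_version": "17.5.1", "sideloaded_apps": [], "cert_status": "Active"},
    {"id": "iPhone-0202", "os_version": "17.4.1", "sideloaded_apps": [], "cert_status": "Active"},
]

def compliance_report(inventory, today):
    """Map device id -> (state, reasons) for the whole inventory on a given date."""
    return {d["id"]: evaluate(d, today) for d in inventory}
```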
Incident Response Checklist (iOS)
- Isolate affected device (disable WiFi/cellular; restrict access)
- Revoke refresh tokens—Azure AD: Revoke user session / device
- Retire/re-enroll MDM profile; enforce compliance check
- Forensic imaging (Cellebrite/GrayKey output, chain-of-custody logs)
- Communicate with users: Send notification template with link to patched OS
- Monitor for post-removal exfil attempts; flag any residual connections to .onion or suspicious endpoints
FAQ
Was my iPhone/iPad vulnerable?
If you failed to install iOS/iPadOS 17.5.1 by June 2024, and sideloaded any suspicious PDFs, yes.
How do I check if my MDM revoked old certs/profiles?
In Intune: Go to “Devices > Profiles > Certificates,” filter for expired.
In Workspace ONE: “Device Compliance > Profiles,” audit old vendor certs.
Push forced profile updates, track successful/failed installs.
What logs should SOCs inspect for DarkSword?
Look for WebKit crash logs near PDF attachments, unexpected app installs, network POSTs to .onion, and unauthorized configuration profile updates.
My conditional access policies block legacy auth, but execs are exempt. What now?
Educate and enforce risk-based workflows: temporary exceptions auto-expire, devices rechecked weekly, use device attestation (proof of OS version).
References
- Mandiant: TA446 DarkSword Analysis, 2024
- Apple Security Advisory: CVE-2024-36987
- ESET Report on TA446
- CISA Alert: DarkSword
- Google TAG: TA446 Activity
There’s always another zero-day on the horizon. If your “real-world constraints” are the excuse for letting outdated devices linger, TA446—and every actor like them—will keep exploiting your lazy defaults. You decide whether you’re a target or just convenient collateral.