At the end of the exploitation chain, a stager binary called PlasmaLoader (tracked by GTIG as PLASMAGRID), using com.apple.assistd as an identifier, facilitates communication with the kernel component established by the exploit. The loader is injecting itself into powerd, a daemon running as root on iOS.

The injected payload doesn’t exhibit the usual capabilities that we would expect to see from a surveillance vendor, but instead steals financial information. The payload can decode QR codes from images on disk. It also has a module to analyze blobs of text to look for BIP39 word sequences or very specific keywords like “backup phrase” or “bank account.” If such text is found in Apple Memos it will be sent back to the C2.

tech

Yikes.

> At the end of the exploitation chain, a stager binary called PlasmaLoader (tracked by GTIG as PLASMAGRID), using com.apple.assistd as an identifier, facilitates communication with the kernel component established by the exploit. The loader is injecting itself into powerd, a daemon running as root on iOS.
>
> The injected payload doesn’t exhibit the usual capabilities that we would expect to see from a surveillance vendor, but instead steals financial information. The payload can decode QR codes from images on disk. It also has a module to analyze blobs of text to look for BIP39 word sequences or very specific keywords like “backup phrase” or “bank account.” If such text is found in Apple Memos it will be sent back to the C2.