ELEGANTBOUNCER is a detection tool for file-based mobile exploits.
It employs an innovative approach for advanced file-based threat identification, eliminating the need for in-the-wild samples and outperforming traditional methods based on regular expressions or IOCs. At present, it primarily targets the identification of mobile vulnerabilities such as FORCEDENTRY (CVE-2021-30860), BLASTPASS (CVE-2023-4863, CVE-2023-41064), and TRIANGULATION (CVE-2023-41990).
| Threat Name | CVEs | Supported |
|---|---|---|
| FORCEDENTRY | CVE-2021-30860 | ✅ |
| BLASTPASS | CVE-2023-4863, CVE-2023-41064 | ✅ |
| TRIANGULATION | CVE-2023-41990 | ✅ |
```text
elegant-bouncer v0.2
ELEGANTBOUNCER Detection Tool
Detection tool for file-based mobile exploits.
A utility designed to detect the presence of known mobile APTs in commonly distributed files.

Usage: elegant-bouncer [OPTIONS] <Input file>

Arguments:
  <Input file>
          Path to the input file

Options:
  -v, --verbose
          Print extra output while parsing

  -s, --scan
          Assess a given file, checking for known vulnerabilities

  -c, --create-forcedentry
          Create a FORCEDENTRY-like PDF

  -h, --help
          Print help information (use `-h` for a summary)

  -V, --version
          Print version information
```
Use `--scan` to assess a given file, checking for known vulnerabilities.

Use `--create-forcedentry` to generate a PDF from the ground up designed to exploit CVE-2021-30860. Work in progress.

Note: Pre-made samples can be found in the `samples/` directory.
Use Lockdown Mode to decrease your attack surface if you think you are a person of interest.
- Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky
- Apple Security Engineering and Architecture (SEAR)
- Bill Marczak
- Jeff for helping me understand FORCEDENTRY
- Valentina for suggesting this target
- Ian Beer and Samuel Groß of Google Project Zero for their amazing write-up on the sample shared by Citizen Lab with them.
- @mistymntncop for our exchanges and his work on CVE-2023-4863
- Ben Hawkes