Full Report
For a long time I have wondered about getting Meterpreter running on an iOS device using Frida. It wasn’t until I had a Twitter conversation with @timwr that I was reminded of Mettle. It was finally time to give it a try. I built an objection plugin that would load it for you, which you can find here.

My talk at DEF CON 27 mainly covered some ideas on how we could interact with live object instances in interesting ways. However, there were also some examples of how we could use Frida’s Module.load() API to side load existing external tooling that comes in the form of shared libraries (either by default or by wrapping them ourselves). With Mettle targeting low-resource or embedded devices, its native code approach meant it also supported iOS. So if we could get a compiled Mettle dylib, we could load it with Frida.

You don’t need Frida to load a dylib, of course. Using something like insert_dylib would work just as well. The nice thing about using something like Frida, though, is that we have some external control over the loading process and any post-processing that we may need.
Analysis Summary
# Tool/Technique: Mettle
## Overview
Mettle is a native code command and control (C2) framework component, often associated with Metasploit, designed to function on low-resource or embedded devices. The context describes leveraging a compiled Mettle shared library (`.dylib`) on an iOS device using runtime manipulation tools like Frida to establish a reverse shell connection back to a Metasploit handler, resulting in a Meterpreter session.
## Technical Details
- Type: Tool (C2 framework component/payload)
- Platform: macOS/Darwin, iOS (specifically aarch64 architecture compiled for iOS). The initial testing involved macOS (`darwin.x86_64`).
- Capabilities: Establishing a communication channel to a Metasploit handler, allowing for subsequent Meterpreter post-exploitation capabilities.
- First Seen: Not explicitly stated, but Mettle is part of the broader Metasploit ecosystem. The article was published October 2019.
## MITRE ATT&CK Mapping
The actions described (loading a file and initiating a connection) primarily map to execution and command and control tactics related to file loading and establishing external communication.
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.004 - Command and Scripting Interpreter: Unix Shell (Indirectly, through process arguments setup in JavaScript/CModule)
- T1546 - Event Triggered Execution
- T1546.001 - Event Triggered Execution: Native API Execution (By using Frida to inject and call `main()` of the loaded library)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.001 - Application Layer Protocol: Web Protocols (Implied C2 channel, likely TCP based)
## Functionality
### Core Capabilities
- **Cross-Platform Compilation:** Mettle can be compiled for various targets, including macOS and iOS (aarch64).
- **Shared Library Execution:** When compiled as a shared library (`.dylib`), it can be dynamically loaded into a running process using APIs like Frida's `Module.load()`.
- **Metasploit Integration:** It functions as a payload that connects back to a Metasploit multi-handler, initiating a Meterpreter session.
### Advanced Features
- **Frida Integration:** Utilizing Frida's `Module.load()`, researchers can dynamically load the compiled Mettle library into a running application instance. This offers external control over the loading process and allows for pre-loading arguments/environment setup via Frida scripting (e.g., setting up `argv[]` using `CModule`).
- **Objection Plugin:** An associated plugin was developed to automate the process of compiling, uploading via Objection's file manager, and then executing the Mettle library through Frida.
## Indicators of Compromise
*Note: As this describes weaponizing a functional tool, specific IoCs require knowledge of the attacker's C2 configuration.*
- File Hashes: N/A (Depends on the compilation of the specific dylib)
- File Names: `mettle.dylib` (The name of the compiled shared library)
- Registry Keys: N/A (Focus is on dynamic loading on iOS)
- Network Indicators: TCP connection initiated to the IP:PORT configured on the Metasploit listener (e.g., `tcp://<IP>:<PORT>`).
- Behavioral Indicators: The invocation of dynamic loading APIs (`Module.load()` in the context of Frida) followed by an unexpected outgoing connection to an attacker-controlled listener.
## Associated Threat Actors
The article explicitly ties this usage to penetration testing/exploitation research (SensePost, DEF CON demonstration), utilizing the open-source Rapid7 Mettle framework. No specific threat actor group is named as the primary user in this context.
## Detection Methods
- **Signature-based detection:** Detection of the specific Mettle library signature if blacklisted, or detection of the Metasploit payload signature upon connection.
- **Behavioral detection:** Monitoring for unauthorized dynamic library loading into running applications (runtime instrumentation). On iOS, detection of specific hooks or manipulation via Frida/Gadget usage. Monitoring for unexpected external network connections originating from mobile applications.
- **YARA rules:** YARA rules could be developed against the static signatures of the compiled `mettle.dylib`.
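The behavioural pattern described above (an image loaded from outside the trusted app/system paths, followed shortly by an outbound connection from the same process) can be turned into a simple correlation rule. The following is an added example written for this summary; it is not code from the original article, from objection, or from Mettle. The log format, the sample records, the trusted-path prefixes and the 30-second window are all constructed assumptions, and a real deployment would feed it telemetry from an EDR agent or an in-app runtime-protection SDK instead.

```python
"""Correlate untrusted image loads with outbound connections per process.

Added example, not part of the original article. Log format, sample
records, trusted prefixes and the correlation window are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Locations from which a legitimate iOS app expects to load code.
# Anything else (Documents/, tmp/, a sideloaded dylib) is treated as
# untrusted. Assumption for this example; tune per application.
TRUSTED_PREFIXES = (
    "/System/Library/",
    "/usr/lib/",
    "/private/var/containers/Bundle/Application/",
)

# How long after an untrusted load an outbound connection is still
# considered related to it. Constructed value.
WINDOW = timedelta(seconds=30)


@dataclass
class Event:
    ts: datetime
    pid: int
    kind: str    # "image_load" or "net_connect"
    detail: str  # image path for image_load, "ip:port" for net_connect


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ISO ts> pid=<n> <kind> <detail>'."""
    ts, pid, kind, detail = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), int(pid.split("=", 1)[1]), kind, detail)


def is_trusted_path(path: str) -> bool:
    return path.startswith(TRUSTED_PREFIXES)


def correlate(lines: Iterable[str]) -> List[dict]:
    """Return one alert per untrusted image load that is followed, within
    WINDOW, by an outbound connection from the same process."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    pending: Dict[int, List[Event]] = {}  # pid -> untrusted loads awaiting a connection
    alerts: List[dict] = []
    for ev in events:
        if ev.kind == "image_load" and not is_trusted_path(ev.detail):
            pending.setdefault(ev.pid, []).append(ev)
        elif ev.kind == "net_connect":
            for load in pending.get(ev.pid, []):
                age = ev.ts - load.ts
                if age <= WINDOW:
                    alerts.append({
                        "pid": ev.pid,
                        "image": load.detail,
                        "dest": ev.detail,
                        "delay_s": age.total_seconds(),
                    })
            # Each untrusted load alerts at most once (on the first connection
            # inside the window); older loads have expired, so clear them all.
            pending[ev.pid] = []
    return alerts


# Constructed sample telemetry. Addresses are from documentation ranges.
SAMPLE_LOG = [
    "2019-10-01T10:00:00 pid=1234 image_load /System/Library/Frameworks/UIKit.framework/UIKit",
    "2019-10-01T10:00:01 pid=1234 image_load /private/var/containers/Bundle/Application/ABCD/MyApp.app/MyApp",
    "2019-10-01T10:00:05 pid=1234 net_connect 203.0.113.10:443",
    "2019-10-01T10:02:00 pid=1234 image_load /private/var/mobile/Containers/Data/Application/EFGH/Documents/mettle.dylib",
    "2019-10-01T10:02:03 pid=1234 net_connect 198.51.100.7:4444",
    "2019-10-01T10:05:00 pid=5678 image_load /private/var/tmp/helper.dylib",
    "2019-10-01T10:06:30 pid=5678 net_connect 198.51.100.7:4444",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

In the sample, only the `mettle.dylib` load in pid 1234 produces an alert: the app's own binary and UIKit come from trusted prefixes, and the untrusted load in pid 5678 is followed by a connection 90 seconds later, outside the window. The trusted-path check is deliberately coarse; a stricter rule would compare loaded image paths against the app bundle's manifest or code-signature identity rather than a directory prefix.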
## Mitigation Strategies
- **Application Hardening:** Hardening applications against dynamic library injection, especially on jailbroken devices. Note that this technique operates at runtime inside an already-running process, so build-time hardening alone does not stop it.
- **Runtime Integrity Checks:** Implementing memory and code integrity checks (if possible on the device OS) to detect runtime modification or unauthorized function execution (like invoking `main` via an external script).
- **Frida Detection/Blocking:** Utilizing tools or techniques designed to detect and counteract Frida injection (though this is an ongoing arms race).
- **Code Signing Enforcement:** The Mettle dylib must be codesigned to run on a non-jailbroken device, so enforcing strict certificate validation on every image loaded into the application raises the bar for this technique.
## Related Tools/Techniques
- **Frida:** A dynamic instrumentation toolkit used here to load and execute the shared library.
- **Objection:** Used for patching iOS applications to allow Frida injection and for file management to stage the `mettle.dylib`.
- **insert_dylib:** An alternative tool mentioned for loading dylibs without the external control offered by Frida.
- **Metasploit/Meterpreter:** The C2 framework that Mettle is designed to connect back to.