DragonEgg and LightSpy: a duet of spyware attacks two operating systems at once

CarderPlanet

Are the two pieces of software related to each other and how can iOS and Android users avoid falling into the Telegram trap?

Researchers have identified a link between DragonEgg, an Android spy software, and LightSpy, a modular surveillance tool for the iOS system.

The first data about DragonEgg, which is associated with the Chinese APT41 group, was presented by Lookout in July 2023. Around the same time, WyrmSpy, another spyware known as AndroidControl, was discovered.

The cybersecurity community first learned about LightSpy in March 2020, as part of the "Operation Poisoned News" campaign. At that time, the victims of the attacks were iPhone users in Hong Kong.

The hackers' tactics were described by mobile security researchers from the Dutch firm ThreatFabric. First, the user must install a trojanized version of Telegram on their device. That app is designed to load a secondary malicious payload (smallmload.jar), which in turn activates another component called Core.

The analysis showed that LightSpy has been updated regularly since December 11, 2018, with the last update noted on July 13, 2023.

The main LightSpy module (probably DragonEgg) is responsible for coordinating processes. Its tasks include collecting information about the device, establishing communication with the remote server, waiting for further directives, and self-updating. The program processes commands via WebSocket and transmits data via HTTPS.

Several other modules were discovered. For example, there are modules for tracking device geolocation, recording ambient sound and conversations, and one that collects payment history from WeChat Pay.

LightSpy's command and control servers are located in several regions: China, Hong Kong, Taiwan, and Singapore. Notably, LightSpy and WyrmSpy share the same infrastructure.

On one of the servers, the researchers found 13 unique phone numbers belonging to Chinese mobile operators. They concluded that these are either test numbers used by the LightSpy developers or the phone numbers of victims.

The similarities between DragonEgg and LightSpy lie in their configurations, execution structure, and the way they communicate with their servers. Exactly how the two are connected is still unclear.