ThreatFabric researchers continue to track APT LightSpy, this time detecting the macOS version of the spyware used by the group

Tomcat

The malware, also known as F_Warehouse, is a modular tracking platform for iOS and Android, allowing it to steal a wide range of data from mobile devices, including files, screenshots, geolocation, conversation recordings and WeChat payment information, as well as data from Telegram and QQ Messenger.

The new version of LightSpy for macOS confirms the broad scope of the tool, previously known only for Android and iOS devices.

The attackers behind the framework use it to attack targets in the Asia-Pacific region.

According to a new report from ThreatFabric, the macOS implant has been active in the wild since at least January 2024.

However, it currently seems to be limited to test environments, and the infected hosts are owned by researchers.

Researchers were able to get into the LightSpy control panel through a misconfiguration and study its functionality and infrastructure in detail, as well as identify infected devices.

Attackers use CVE-2018-4233 and CVE-2018-4404 in WebKit to trigger code execution in Safari; the chain targets macOS 10.13.3 and earlier.

Initially, a 64-bit Mach-O binary disguised as a PNG image file (20004312341.png) is delivered to the device; it decrypts and executes embedded scripts, extracting the second stage.

The second-stage payload loads a privilege escalation exploit (ssudo), an encryption/decryption utility (ddss), and a ZIP archive (mac.zip) containing two files (update and update.plist).

Eventually, the shell script decrypts and unpacks these files, gaining root access on the compromised device and establishing persistence on the system, configuring the "update" binary to execute on startup.

The next step is performed by the macircloader component, which downloads, decrypts, and runs LightSpy Core, the central plugin management system of the spyware framework, responsible for communicating with the C2 server.
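The first stage described above is a Mach-O binary delivered under a PNG file name. As an added example (not from ThreatFabric's report or the malware), the following script compares each file's header against its extension to flag that mismatch; it runs on a constructed temporary directory, and the magic values are the standard PNG and Mach-O header constants.

```python
"""Flag image-named files whose header identifies them as Mach-O executables.

Constructed sample data only; no real LightSpy artefacts are embedded.
"""
from pathlib import Path
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Mach-O headers as stored on disk: MH_MAGIC_64 little-endian, big-endian,
# and the universal (fat) header. Note 0xCAFEBABE is also the Java class
# magic, so a fat-binary hit on a .class file would be a false positive.
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (LE)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (BE)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat)",
}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def classify_header(head: bytes) -> str:
    """Name the file type from its first bytes, or 'unknown'."""
    if head.startswith(PNG_MAGIC):
        return "PNG"
    for magic, name in MACHO_MAGICS.items():
        if head.startswith(magic):
            return name
    return "unknown"


def find_masqueraded_machos(root: Path) -> list[tuple[str, str]]:
    """Return (file name, header type) for image-named files that are Mach-O."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in IMAGE_EXTENSIONS:
            with p.open("rb") as fh:
                kind = classify_header(fh.read(8))
            if kind.startswith("Mach-O"):
                hits.append((p.name, kind))
    return sorted(hits)


def demo() -> list[tuple[str, str]]:
    """Scan a constructed directory: one real PNG, one Mach-O named like a PNG."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "photo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
        # Constructed stand-in (header only) for a Mach-O dropper named as an image.
        (root / "20004312341.png").write_bytes(b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + b"\x00" * 24)
        (root / "notes.txt").write_bytes(b"\xcf\xfa\xed\xfe")  # not image-named; ignored
        return find_masqueraded_machos(root)


if __name__ == "__main__":
    for name, kind in demo():
        print(f"{name}: extension says image, header says {kind}")
```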

LightSpy Core can also execute shell commands on the device, update its network configuration, and set an activity schedule to avoid detection.

The LightSpy platform implements a wide range of espionage functionality, primarily through plugins: 14 for Android, 16 for iOS and 10 for macOS.

Plug-ins allow LightSpy to perform complex exfiltration of data from infected macOS systems, and its modular design provides flexibility in operation.

In their report, ThreatFabric notes that, with access to the attacker's dashboard, they were also able to confirm the existence of implants for Windows, Linux and routers, but it is not yet clear exactly how these are used in attacks.