ThreatFabric researchers continue to track the LightSpy APT, this time detecting a macOS version of the group's spyware

Tomcat

The malware, also known as F_Warehouse, is a modular tracking platform for iOS and Android, allowing it to steal a wide range of data from mobile devices, including files, screenshots, geolocation, conversation recordings and WeChat payment information, as well as data from Telegram and QQ Messenger.

The new version of LightSpy for macOS confirms the broad scope of the tool, previously known only for Android and iOS devices.

The attackers behind the framework use it to attack targets in the Asia-Pacific region.

According to a new report from ThreatFabric, the macOS implant has been active in the wild since at least January 2024.

However, it currently seems to be limited to test environments, and the infected hosts are owned by researchers.

Researchers were able to get into the LightSpy control panel through a misconfiguration, study its functionality and infrastructure in detail, and identify infected devices.

Attackers use CVE-2018-4233 and CVE-2018-4404 in WebKit to trigger code execution in Safari; the chain targets macOS 10.13.3 and earlier.

Initially, a 64-bit Mach-O binary disguised as a PNG image (20004312341.png) is delivered to the device; it decrypts and executes embedded scripts that extract the second stage.

The second-stage payload loads a privilege escalation exploit (ssudo), an encryption/decryption utility (ddss), and a ZIP archive (mac.zip) containing two files (update and update.plist).

Eventually, the shell script decrypts and unpacks these files, gains root access on the compromised device and establishes persistence by configuring the "update" binary to run at startup.

The next step is performed by the macircloader component, which downloads, decrypts, and runs LightSpy Core, acting as the central plugin management system for the spyware framework and responsible for communicating with C2.
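As an added defender-side example, not from ThreatFabric's report or the post above, the script below checks for the two on-disk traces the chain described leaves: a file with an image extension whose header is actually Mach-O, and a launchd property list that starts a program named "update" at load. The sample files it scans are constructed inline; the program path /Library/update and the label com.example.update are assumptions, not values from the report.

```python
import os
import plistlib
import tempfile

# Mach-O magic numbers (32-bit, 64-bit and fat/universal) in both byte orders.
# Note: the fat magic 0xCAFEBABE is shared with Java class files, so treat it as a hint.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / reversed
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / reversed
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # FAT_MAGIC / reversed
}
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")


def is_masquerading_macho(path):
    """True when a file with an image extension actually begins with a Mach-O header."""
    if not path.lower().endswith(IMAGE_EXTS):
        return False
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS


def flagged_launch_programs(plist_path, names=("update",)):
    """Return the program a launchd plist runs at load if its basename is in `names`."""
    with open(plist_path, "rb") as f:
        item = plistlib.load(f)
    args = item.get("ProgramArguments") or []
    program = item.get("Program") or (args[0] if args else None)
    if program and item.get("RunAtLoad") and os.path.basename(program) in names:
        return [program]
    return []


def scan_constructed_samples():
    """Write constructed sample artifacts to a temp dir, scan them and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        fake_png = os.path.join(d, "20004312341.png")   # file name taken from the report
        real_png = os.path.join(d, "photo.png")
        plist = os.path.join(d, "update.plist")
        with open(fake_png, "wb") as f:                 # Mach-O 64-bit header, not an image
            f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        with open(real_png, "wb") as f:                 # genuine PNG signature
            f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        with open(plist, "wb") as f:                    # constructed persistence item (assumed path)
            plistlib.dump({"Label": "com.example.update", "RunAtLoad": True,
                           "ProgramArguments": ["/Library/update"]}, f)
        return {"fake_png": is_masquerading_macho(fake_png),
                "real_png": is_masquerading_macho(real_png),
                "launch_hits": flagged_launch_programs(plist)}


if __name__ == "__main__":
    print(scan_constructed_samples())
```

On a real host the same two functions would be pointed at user download locations and at the LaunchAgents/LaunchDaemons directories; the basename check is deliberately narrow and should be widened to whatever names local telemetry shows.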

LightSpy Core can also execute shell commands on the device, update its network configuration, and set an activity schedule to avoid detection.

The LightSpy platform implements a wide range of espionage functionality, primarily through plugins: 14 plugins for Android, 16 for iOS and 10 for macOS.

Plug-ins allow LightSpy to perform complex exfiltration of data from infected macOS systems, and its modular design provides flexibility in operation.

In its report, ThreatFabric notes that, with access to the attacker's dashboard, it was also able to confirm the existence of implants for Windows, Linux and routers, although it is not yet clear exactly how these are used in attacks.
 
ThreatFabric researchers continue to monitor the development of the LightSpy iOS malware, the new version of which now includes more than a dozen new plugins, many of which have extensive destructive capabilities.

LightSpy first surfaced in 2020 when it was noticed targeting iPhones in Hong Kong, where attackers tried to compromise devices and steal data with the malware.

At the time, attackers exploited iOS vulnerabilities to deliver spyware and collect a wide range of information from breached devices, including location, call history and browser data, messages, and passwords.

More recent research has led to the discovery of the Android and macOS versions of LightSpy.

Earlier this year, BlackBerry detected mobile spyware campaigns using LightSpy targeting users in South Asia, believing that India was likely the target.

BlackBerry then found artifacts pointing to a Chinese-origin APT behind LightSpy.

In the new version of LightSpy for iOS, ThreatFabric detected, in addition to updates in the malware's core, an increase in plugins from 12 to 28, which it uses to perform various tasks.

The malware is now capable of attacking newer versions of iOS, up to iOS 13.3. The new LightSpy for iOS uses CVE-2020-9802 for initial access and CVE-2020-3837 for privilege escalation.

The exploit is likely delivered through malicious sites that exploit CVE-2020-9802, an RCE vulnerability in Safari. The exploit chain then implements the jailbreak stage, the bootloader stage, and the delivery of the malware core.

The threat actor continued to rely on publicly available exploits and jailbreak kits to gain access to devices and escalate privileges.

ThreatFabric believes that this threat actor is also deeply involved in the integration of jailbreak code into the spyware framework that supports its modular architecture.

The jailbreak used by the hackers does not persist after the device is rebooted (iPhone owners are advised to reboot the device regularly), but this also does not guarantee that the device will not be re-infected.

The core of the malware can download up to 28 plugins that can be used to delete files, take photos, record audio and capture screenshots, as well as extract contacts, call history and browser data, together with SMS, mail and instant messenger messages.

ThreatFabric has also found several previously unknown plugins that have destructive capabilities.

LightSpy for iOS can now block the device from booting, erase browser history, slow down the device, and delete media files, favorite SMS messages, contacts, and Wi-Fi network configuration profiles, probably to hide traces of the attack on the device.

In its report, ThreatFabric also confirms previous mentions that the malware operators are likely based in China.
