Advanced Surveillance Features Detected in the macOS Edition of LightSpy Spyware

Cybersecurity researchers have recently disclosed that the LightSpy spyware, previously believed to target only Apple iOS users, also exists in a previously undocumented variant for macOS systems.

LightSpy Spyware's macOS Variant Found with Advanced Surveillance Capabilities

These discoveries were made by both Huntress Labs and ThreatFabric, who independently examined the artifacts linked with this multi-platform malware framework that seems capable of infecting various operating systems such as Android, iOS, Windows, macOS, Linux, as well as routers from NETGEAR, Linksys, and ASUS.

“In order to deliver the macOS implants, the threat actor group took advantage of two exploits that were publicly accessible (CVE-2018-4233, CVE-2018-4404),” ThreatFabric mentioned in a recent report. “A portion of the CVE-2018-4404 exploit probably originated from the Metasploit framework. These exploits were used to target macOS version 10.”

The first reports about LightSpy emerged in 2020. However, subsequent findings from Lookout and a Dutch mobile security firm hinted at potential ties between this spyware and an Android surveillance tool known as DragonEgg.

This April, BlackBerry disclosed a so-called “revived” cyber espionage campaign aimed at South Asian users that distributed what was believed to be an iOS version of LightSpy. The sample, however, turned out to be an enhanced macOS variant that uses a plugin-based framework to gather diverse types of data.

“It’s also important to note that although this sample was recently uploaded to VirusTotal from India, this does not strongly indicate an ongoing campaign or specific targeting within that area,” stated Huntress researchers Stuart Ashenbrenner and Alden Schmidt.

“While it contributes to the assessment, without additional substantial evidence or insights into the delivery mechanisms, it’s best to treat this information with a considerable level of skepticism.”

ThreatFabric’s analysis indicates that the macOS version of this spyware has been active in the wild since at least January 2024, affecting only around 20 devices, most of which are reported to be test units.

The attack chain begins by exploiting CVE-2018-4233, a Safari WebKit vulnerability, through malicious HTML pages to achieve code execution, ultimately leading to the delivery of a 64-bit Mach-O binary disguised as a PNG image.

The binary is designed to extract and execute a shell script that then downloads three additional payloads: a privilege escalation exploit, an encryption/decryption utility, and a ZIP archive.

The script then unpacks the ZIP archive’s contents, ‘update’ and ‘update.plist’, and grants root privileges to both. The ‘plist’ file is used to establish persistence for the ‘update’ binary, ensuring it runs after every system reboot.

The ‘update’ file (also known as macircloader) acts as a loader for LightSpy’s core module, which communicates with a command-and-control (C2) server to receive commands and fetch plugins.
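The two artifacts described above, a Mach-O binary carrying an image name and a launchd plist that starts an ‘update’ binary at boot, are both cheap to check for. The following is an added detection example written for this article, not code from ThreatFabric or Huntress; the file names, the plist label and the sample headers are constructed, and the RunAtLoad/KeepAlive persistence keys are an assumption about how the plist achieves reboot persistence.

```python
import plistlib

# Mach-O magic numbers from <mach-o/loader.h>: 64-bit (both byte orders) and fat header.
MACHO_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xca\xfe\xba\xbe"}
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")

def classify_header(data: bytes) -> str:
    """Return 'png', 'macho' or 'unknown' from the first bytes of a file."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    return "unknown"

def is_masqueraded_macho(name: str, data: bytes) -> bool:
    """True when the file name claims an image but the content is a Mach-O executable."""
    return name.lower().endswith(IMAGE_EXTENSIONS) and classify_header(data) == "macho"

def launch_item_findings(plist_bytes: bytes) -> list:
    """Reasons a launchd plist resembles the 'update' / 'update.plist' persistence the
    article describes: a program whose basename is 'update' that launchd starts on boot."""
    plist = plistlib.loads(plist_bytes)
    program = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]
    findings = []
    if program.rsplit("/", 1)[-1] == "update":
        findings.append("program basename is 'update'")
    if plist.get("RunAtLoad"):
        findings.append("RunAtLoad set: executed at every boot")
    if plist.get("KeepAlive"):
        findings.append("KeepAlive set: relaunched if it exits")
    return findings

# Constructed samples, not real LightSpy artifacts: a 64-bit Mach-O header saved with a
# .png name, a genuine PNG header, and a launchd plist with a placeholder label.
FAKE_PNG = b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x00" * 24
REAL_PNG = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR"
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.placeholder</string>
  <key>ProgramArguments</key><array><string>/private/tmp/update</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(is_masqueraded_macho("photo.png", FAKE_PNG), launch_item_findings(SAMPLE_PLIST))
```

On a real host the same two functions can be run over files in Downloads or temporary directories and over the plists in /Library/LaunchDaemons and /Library/LaunchAgents; a program named ‘update’ outside a vendor bundle is worth a closer look.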

The macOS variant features support for ten different plugins that can capture audio from the microphone, take snapshots, record screen activities, gather and erase files, execute shell commands, retrieve lists of installed apps and running processes, as well as extract data from web browsers (Safari and Google Chrome) and iCloud Keychain.

Additionally, two plugins facilitate the retrieval of details concerning all other devices connected to the same network as the victim, the history of Wi-Fi networks connected by the device, and information related to nearby Wi-Fi networks.

“The Core acts as a control hub for commands, with the additional plugins extending its capabilities,” ThreatFabric noted. “Both the Core and plugins are configurable and can be updated dynamically via C2 commands.”

The security company also uncovered a misconfiguration that allowed access to the C2 panel, including a remote control platform holding details about victims and their data.

“Regardless of the targeted platform, the threat actor poses a significant privacy and security risk to all affected users.”

“A team dedicated to capturing victim communications, including messenger chats and audio recordings,” as per the company. “A specialized plugin was tailored for macOS to discover networks and detect devices near the target.”

This development comes as Android devices are being targeted by known banking trojans such as BankBot and SpyNote in attacks aimed at mobile banking users in Uzbekistan and Brazil, and by campaigns impersonating a Mexican telecommunications provider to infect users in Latin America and the Caribbean.

Separately, a report by Access Now and the Citizen Lab has presented evidence of Pegasus spyware attacks against seven Russian- and Belarusian-speaking opposition activists and independent media organizations in Latvia, Lithuania, and Poland.

“The exploitation of Pegasus spyware to target journalists and activists who speak Russian or Belarusian goes back to a minimum of 2020, with more incidents occurring after the full-scale invasion of Ukraine by Russia in February 2022,” Access Now mentioned, also stating that “one Pegasus spyware operator could be responsible for targeting three or possibly all five of the victims.”
