New LightSpy Malware Version Targets iPhones with Enhanced Surveillance Tactics

October 31, 2024Ravie LakshmananMalware / Smartphone Security

Cybersecurity researchers have detected an upgraded version of the Apple iOS malware known as LightSpy, which not only broadens its feature set but also adds destructive functions that can prevent the compromised device from booting.

“Though the iOS implant deployment method closely resembles that of the macOS variant, the post-exploit and privilege escalation stages vary significantly due to platform discrepancies,” ThreatFabric mentioned in an analysis released this week.

Initially identified in 2020 as targeting users in Hong Kong, LightSpy is a modular implant that utilizes a plugin-based structure to enhance its capabilities and enable it to gather a diverse range of confidential data from an infected device.


The attack chains distributing the malware exploit known vulnerabilities in Apple iOS and macOS to trigger a WebKit exploit that drops a file with a “.PNG” extension. That file is actually a Mach-O binary, which exploits a memory corruption flaw tracked as CVE-2020-3837 and fetches subsequent payloads from a remote server.

This step involves a component named FrameworkLoader, which then downloads LightSpy’s Core module and its plugins; the plugin count has grown significantly, from 12 to 28, in the latest version (7.9.0).

“Once the Core initializes, it will conduct an internet connectivity assessment using the Baidu.com domain, followed by an evaluation of the arguments passed from FrameworkLoader as the [command-and-control] data and working directory,” the Dutch cybersecurity firm stated.

“By utilizing the working directory path /var/containers/Bundle/AppleAppLit/, the Core will generate subdirectories for logs, database, and extracted data.”
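As an added defender-side illustration (not code from the article or from ThreatFabric), the following Python snippet checks a filesystem listing, such as one taken from a device forensic image, for the Core working directory quoted above and reports which subdirectories have been created beneath it. The listing is constructed for the example, and the subdirectory names in it are assumptions, since the article only gives their purpose.

```python
from pathlib import PurePosixPath

# Working directory path quoted from the ThreatFabric analysis in the article.
LIGHTSPY_WORKDIR = PurePosixPath("/var/containers/Bundle/AppleAppLit")

# Constructed sample listing. Note how closely "AppleAppLit" resembles the
# legitimate "Application" directory that sits beside it; the subdirectory
# names (log, db, data) are assumptions, not values from the article.
SAMPLE_LISTING = [
    "/var/containers/Bundle/Application/1A2B3C4D/Example.app/Example",
    "/var/containers/Bundle/AppleAppLit/log/core.txt",
    "/var/containers/Bundle/AppleAppLit/db/main.db",
    "/var/containers/Bundle/AppleAppLit/data/wifi.json",
    "/var/mobile/Library/SMS/sms.db",
]


def find_lightspy_artifacts(paths):
    """Match paths against the working directory component by component.

    Component-wise comparison (via PurePosixPath) avoids the substring
    pitfalls of a plain prefix check against lookalike directory names.
    Returns whether the directory is present, the sorted subdirectory names
    created under it, and every matched path relative to the directory.
    """
    present = False
    subdirs = set()
    matched = []
    for raw in paths:
        p = PurePosixPath(raw)
        if p != LIGHTSPY_WORKDIR and LIGHTSPY_WORKDIR not in p.parents:
            continue
        present = True
        rel = p.relative_to(LIGHTSPY_WORKDIR)
        if len(rel.parts) > 1:
            subdirs.add(rel.parts[0])
        if rel.parts:
            matched.append(str(rel))
    return {"present": present, "subdirs": sorted(subdirs), "paths": matched}


if __name__ == "__main__":
    result = find_lightspy_artifacts(SAMPLE_LISTING)
    if result["present"]:
        print("LightSpy working directory found; subdirs:", result["subdirs"])
        for rel in result["paths"]:
            print("  ", LIGHTSPY_WORKDIR / rel)
    else:
        print("No LightSpy working directory in listing")
```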

The plugins can acquire a broad spectrum of information, including details regarding Wi-Fi networks, screenshots, location data, iCloud Keychain, audio recordings, images, browsing history, contacts, call logs, and SMS messages, as well as harvest data from applications like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.


Some of the newly added plugins also carry destructive capabilities: they can erase media files, SMS messages, Wi-Fi network profiles, contacts, and browsing history, and even lock the device, rendering it inoperable. Additionally, LightSpy plugins can generate fake push notifications that point to a specified URL.

The exact method of spreading the malware is uncertain, though it is speculated to be orchestrated through watering hole attacks. The campaigns have not been linked to any recognized threat actor or group so far.


However, there is evidence that the operators are likely located in China, as the location plugin “adjusts location coordinates according to a system exclusively used in China.” Notably, Chinese map services use a coordinate system known as GCJ-02.

“The LightSpy iOS scenario emphasizes the significance of keeping systems updated,” ThreatFabric remarked. “The threat actors associated with LightSpy closely monitor reports from security researchers, utilizing freshly disclosed exploits for payload delivery and privilege escalation on impacted devices.”
