
LightSpy Spyware

Security analysts have revealed that the LightSpy spyware, initially thought to target only Apple iOS users, also exists as a previously undocumented macOS variant of the malware. These insights come from cybersecurity specialists who examined artefacts linked to this cross-platform threat. The malware framework likely has the potential to infect a wide range of systems, including Android, iOS, Windows, macOS, and Linux, as well as routers manufactured by NETGEAR, Linksys, and ASUS.

Cybercriminals Exploit Vulnerabilities to Infect Devices with LightSpy

The threat actor group leveraged two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deploy implants on macOS, with the exploit code for CVE-2018-4404 possibly derived in part from the Metasploit framework. The exploits targeted macOS version 10.

Initially reported in 2020, LightSpy has since been linked to an Android surveillance tool named DragonEgg.

In April 2024, researchers disclosed a "renewed" cyber espionage campaign aimed at users in South Asia, initially believed to deliver an iOS version of LightSpy. However, it has been discovered to be a more sophisticated macOS variant utilizing a plugin-based system to collect various types of information.

Attack Chain of the LightSpy Campaign

Analysis indicates that the macOS variant has been operational in the wild since at least January 2024, targeting approximately 20 devices, most of which are believed to be test devices.

The attack sequence begins with the exploitation of CVE-2018-4233, a Safari WebKit vulnerability, through malicious HTML pages that trigger code execution. This leads to the deployment of a 64-bit Mach-O binary disguised as a PNG image file.

The binary's main function is to extract and execute a shell script, which then retrieves three additional payloads: a privilege escalation exploit, an encryption/decryption tool, and a ZIP archive.

Following this, the script unpacks the ZIP archive, which contains the 'update' and 'update.plist' files, and assigns root privileges to both. The 'plist' file provides persistence, so that the 'update' file launches after each system restart.
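The attack chain above leaves two artefacts a defender can check for: an executable whose name claims it is an image, and a property list that relaunches a program at boot. The following script is an added example, not code from the page or from the analysts who documented LightSpy. It assumes the persistence plist is a launchd-style property list (the page only says a 'plist' ensures persistence), uses a heuristic set of trusted program-path prefixes, and runs on constructed sample bytes rather than real samples.

```python
"""Added example (not from the page): two defender-side checks inspired by
the LightSpy macOS attack chain.

1. A file named like a PNG whose bytes actually start with a Mach-O header.
2. A launchd-style plist that keeps a program running at every boot.

All sample bytes and paths are constructed for illustration only.
"""
import plistlib

# Public file-format magic numbers (first bytes of the file).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat)",
}
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")

# Assumed heuristic: program paths outside these prefixes deserve a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")


def classify_header(data: bytes) -> str:
    """Return a coarse file type from the leading bytes, ignoring the name."""
    if data.startswith(PNG_MAGIC):
        return "PNG"
    kind = MACHO_MAGICS.get(data[:4])
    return kind if kind else "unknown"


def masquerading_executable(name: str, data: bytes) -> bool:
    """True when an image-named file actually carries a Mach-O header."""
    looks_like_image = name.lower().endswith(IMAGE_EXTENSIONS)
    return looks_like_image and classify_header(data).startswith("Mach-O")


def suspicious_launchd_items(plist_bytes: bytes,
                             trusted_prefixes=TRUSTED_PREFIXES) -> list:
    """Parse a launchd-style plist and list why it looks like a boot hook.

    Findings are heuristics: RunAtLoad / KeepAlive keys plus a program path
    outside the trusted prefixes. Returns an empty list if no program is set.
    """
    info = plistlib.loads(plist_bytes)
    program = info.get("Program") or (info.get("ProgramArguments") or [None])[0]
    findings = []
    if program is None:
        return findings
    if info.get("RunAtLoad"):
        findings.append("RunAtLoad")
    if info.get("KeepAlive"):
        findings.append("KeepAlive")
    if not str(program).startswith(trusted_prefixes):
        findings.append(f"untrusted program path: {program}")
    return findings


# Constructed sample: a "PNG" whose bytes begin with a 64-bit Mach-O magic.
FAKE_PNG = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
# Constructed sample: a genuine PNG signature followed by filler.
REAL_PNG = PNG_MAGIC + b"\x00" * 16

# Constructed sample: a launchd-style plist resembling a boot-time loader entry.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.update</string>
<key>ProgramArguments</key><array><string>/private/tmp/update</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    print("photo.png ->", classify_header(FAKE_PNG),
          "| masquerading:", masquerading_executable("photo.png", FAKE_PNG))
    print("real.png  ->", classify_header(REAL_PNG),
          "| masquerading:", masquerading_executable("real.png", REAL_PNG))
    print("plist findings:", suspicious_launchd_items(SAMPLE_PLIST))
```

The header check deliberately ignores the file name when classifying, so the name is only used to decide whether a mismatch exists; the plist check reports each reason separately so an analyst can see whether a hit is a boot hook, an odd path, or both.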

Harmful Plugins Allow Cybercriminals to Capture a Wide Range of Data

The 'update' file, also known as macircloader, serves as a loader for the LightSpy Core component. This component enables communication with a Command-and-Control (C2) server, allowing retrieval of commands and plugin downloads.

The macOS version supports 10 different plugins, enabling various functionalities such as audio capture from the microphone, taking photos, recording screen activity, file harvesting and deletion, executing shell commands, retrieving lists of installed applications and running processes, and extracting data from web browsers (Safari and Google Chrome) and iCloud Keychain.

Additionally, two other plugins gather information about other devices on the same network, list the Wi-Fi networks the device has connected to, and provide details about nearby Wi-Fi networks.

Irrespective of the platform targeted, the threat actor group's primary aim was to intercept victim communications, including messenger conversations and voice recordings. A dedicated plugin for macOS was developed specifically for network discovery, with the goal of identifying devices near the victim's location.
