Cybersecurity researchers have discovered an improved version of the Apple iOS spyware LightSpy, which not only extends its functionality but also adds destructive capabilities that can prevent a jailbroken device from booting.
“While the way iOS implants are delivered is very similar to the macOS version, the post-exploitation and privilege escalation steps are significantly different due to platform differences,” ThreatFabric said in an analysis published this week.
LightSpy, first documented in 2020 as targeting users in Hong Kong, is a modular implant that uses a plugin-based architecture to extend its capabilities and capture a wide range of sensitive information from an infected device.
Attack chains distributing the malware use known security flaws in Apple iOS and macOS to trigger a WebKit exploit that drops a file with a “.PNG” extension which is actually a Mach-O binary, responsible for retrieving the next-stage payloads from a remote server by abusing a memory corruption flaw tracked as CVE-2020-3837.
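One defensive check the delivery trick above suggests, as an added example not taken from the ThreatFabric report: a classifier that trusts magic bytes over the file extension and flags image-named files whose header is actually Mach-O. The sample headers are constructed, and the CAFEBABE disambiguation (fat Mach-O vs. Java class file by the size of the second word) is an assumption borrowed from libmagic's heuristic.

```python
from pathlib import Path

# File signatures as they appear on disk (first bytes of the file).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, big/little-endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit, big/little-endian
}
FAT_BIG, FAT_SWAPPED = b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"  # fat/universal
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}


def classify_header(data: bytes) -> str:
    """Classify content by its magic bytes, ignoring the file name entirely."""
    if data[:8] == PNG_MAGIC:
        return "png"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if data[:4] in (FAT_BIG, FAT_SWAPPED) and len(data) >= 8:
        # CAFEBABE is shared with Java class files: a fat Mach-O header stores
        # nfat_arch here (a handful), a class file stores a version >= 45.
        order = "big" if data[:4] == FAT_BIG else "little"
        if int.from_bytes(data[4:8], order) <= 30:
            return "macho"
    return "unknown"


def is_masquerading(name: str, data: bytes) -> bool:
    """True when an image-named file actually starts with a Mach-O header."""
    return Path(name).suffix.lower() in IMAGE_EXTS and classify_header(data) == "macho"


def scan(files: dict) -> list:
    """Return, sorted, the names of files whose extension and magic bytes disagree."""
    return sorted(n for n, d in files.items() if is_masquerading(n, d))


# Constructed sample headers (not real LightSpy artifacts).
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR"
SAMPLE_MACHO64 = b"\xcf\xfa\xed\xfe" + b"\x0c\x00\x00\x01"  # MH_MAGIC_64, arm64
SAMPLE_FAT = FAT_BIG + b"\x00\x00\x00\x02"                   # 2 architectures
SAMPLE_JAVA = FAT_BIG + b"\x00\x00\x00\x34"                  # Java class, major 52
SAMPLE_FILES = {
    "wallpaper.png": SAMPLE_PNG,
    "stage2.PNG": SAMPLE_MACHO64,
    "icon.png": SAMPLE_FAT,
    "Main.class": SAMPLE_JAVA,
}

if __name__ == "__main__":
    print("masquerading:", scan(SAMPLE_FILES))  # → ['icon.png', 'stage2.PNG']
```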
This includes a component called FrameworkLoader, which in turn loads the LightSpy Core module and its various plugins, the number of which has increased significantly from 12 to 28 in the latest version (7.9.0).
“Upon launch, Core will perform an Internet connection check using the Baidu.com domain, and then check the arguments that were passed from FrameworkLoader as (command and control) data and the working directory,” the Dutch security company said.
“Using the working directory path /var/containers/Bundle/AppleAppLit/, Core will create subfolders for logs, database, and exfiltrated data.”
Plugins can capture a wide range of data, including Wi-Fi network information, screenshots, location, iCloud Keychain, audio recordings, photos, browser history, contacts, call history and SMS messages, and collect information from apps such as Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat and WhatsApp.
Some of the newly added plugins also have destructive features that can delete media files, SMS messages, Wi-Fi network configuration profiles, contacts and browser history, and even freeze the device and prevent it from restarting. In addition, LightSpy plugins can create fake push notifications that contain a specific URL.
The exact means by which the spyware is distributed is unclear, although it is believed to be delivered through watering hole attacks. To date, these campaigns have not been attributed to a known threat actor or group.
However, there is some evidence that the operators are likely based in China due to the fact that the location plugin “lists location coordinates according to a system used exclusively in China”. It should be noted that Chinese mapping service providers adhere to a coordinate system called GCJ-02.
“The LightSpy iOS incident highlights the importance of keeping systems up to date,” ThreatFabric said. “The threat actors behind LightSpy closely monitor security researchers’ publications, reusing newly disclosed exploits to deliver payloads and elevate privileges on affected devices.”