In a startling revelation, cybersecurity experts have uncovered a highly advanced mobile malware, known as LightSpy, deployed in a targeted attack against iOS users in Hong Kong. This sophisticated Advanced Persistent Threat (APT), attributed to the state-sponsored group APT41, has now been found embedded with Android implant Core and 14 related plugins across 20 active servers, all geared towards attacking mobile users.
Unlike conventional malware, LightSpy operates as a Mobile Advanced Persistent Threat (mAPT), employing innovative techniques to compromise mobile devices. Recent findings have exposed its insidious use of WeChat payment systems to pilfer payment data, eavesdrop on private communications, and execute various malicious activities.
Reports shared with cybersecurity experts reveal that LightSpy is a fully-featured modular surveillance toolset. It employs an array of plugins for private data exfiltration, with a strong focus on the victim’s private information. Among its capabilities, LightSpy exfiltrates payment data from WeChat Pay, utilizing backend infrastructure for this sinister purpose. Additionally, the malware gains audio-related functions from WeChat, enabling the recording of VOIP conversations.
Crucially, LightSpy cannot function as a standalone application; it operates as a plugin. The malware’s core is responsible for executing all functions essential for the entire attack chain. Core functionalities include device fingerprint gathering, establishing connections with control servers, retrieving commands, and updating itself, along with additional payload files, referred to as plugins.
Among the 14 plugins identified, the location module plugin stands out for its ability to track victims’ locations, either capturing snapshots or setting up tracking intervals. Another significant plugin, Soundrecord, records audio and can initiate microphone recording immediately or at specified intervals, including incoming phone calls.
Notably, the Bill plugin focuses on collecting information about the victim’s payment history from WeChat Pay, including details such as bill ID, transaction ID, date, and payment status.
The relationship between iOS and Android commands in LightSpy reveals a complex network of interconnected plugins, each designed to exploit specific vulnerabilities and harvest sensitive data.
A comprehensive report on LightSpy, published by ThreatFabric, provides detailed insights into the threat vector, source code, analysis, and other critical information.
Indicators of Compromise
- DOMAINS: spaceskd[.]com
- IPs: 103.27.108[.]207, 46.17.43[.]74
File hashes (Second stage payload – smalmload.jar)
- SHA256: 407abddf78d0b802dd0b8e733aee3eb2a51f7ae116ae9428d554313f12108a4c
- SHA256: bd6ec04d41a5da66d23533e586c939eece483e9b105bd378053e6073df50ba99
As cybersecurity experts continue to unravel the complexities of LightSpy, it underscores the evolving landscape of cyber threats. Vigilance and advanced security measures are paramount in safeguarding against such highly targeted and sophisticated attacks, ensuring the protection of user data and privacy.