cyware: Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users

Summary: Cybersecurity researchers have discovered a renewed cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called LightSpy.

Threat Actor: LightSpy | LightSpy
Victim: Users in South Asia | South Asia

Key Point :

  • The LightSpy iOS spyware campaign, dubbed “F_Warehouse,” has a modular framework with extensive spying features.
  • The campaign may have targeted India based on VirusTotal submissions from within its borders.
  • LightSpy is distributed via watering hole attacks through compromised news sites.
  • The malware has infrastructure and functionality overlaps with an Android spyware known as DragonEgg, attributed to the Chinese nation-state group APT41.
  • The initial intrusion vector is suspected to be news websites that have been breached and are regularly visited by the targets.
  • LightSpy is fully-featured and modular, allowing threat actors to harvest sensitive information, including contacts, SMS messages, location data, and sound recordings during VoIP calls.
  • The latest version of LightSpy can also steal files and data from popular apps like Telegram, QQ, and WeChat, as well as iCloud Keychain data and web browser history.
  • The spyware can gather a list of connected Wi-Fi networks, details about installed apps, take pictures using the device’s camera, record audio, and execute shell commands received from the server.
  • LightSpy employs certificate pinning to prevent detection and interception of communication with its command-and-control (C2) server.
  • The involvement of native Chinese speakers in the implant’s source code suggests possible state-sponsored activity.
  • Apple has sent out threat notifications to users in 92 countries, including India, warning them of potential spyware attacks.
LightSpy iOS Spyware

Cybersecurity researchers have discovered a “renewed” cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called LightSpy.

“The latest iteration of LightSpy, dubbed ‘F_Warehouse,’ boasts a modular framework with extensive spying features,” the BlackBerry Threat Research and Intelligence Team said in a report published last week.

There is evidence to suggest that the campaign may have targeted India based on VirusTotal submissions from within its borders.

First documented in 2020 by Trend Micro and Kaspersky, LightSpy refers to an advanced iOS backdoor that’s distributed via watering hole attacks through compromised news sites.

Cybersecurity

A subsequent analysis from ThreatFabric in October 2023 uncovered infrastructure and functionality overlaps between the malware and an Android spyware known as DragonEgg, which is attributed to the Chinese nation-state group APT41 (aka Winnti).

The initial intrusion vector is presently not known, although it’s suspected to be via news websites that have been breached and are known to be visited by the targets on a regular basis.

The starting point is a first-stage loader that acts as a launchpad for the core LightSpy backdoor and its assorted plugins that are retrieved from a remote server to pull off the data-gathering functions.

LightSpy iOS Spyware

LightSpy is both fully-featured and modular, allowing threat actors to harvest sensitive information, including contacts, SMS messages, precise location data and sound recordings during VoIP calls.

The latest version discovered by the Canadian cybersecurity firm further expands on its capabilities to steal files as well as data from popular apps like Telegram, QQ, and WeChat, iCloud Keychain data, and web browser history from Safari and Google Chrome.

The complex espionage framework also features capabilities to gather a list of connected Wi-Fi networks, details about installed apps, take pictures using the device’s camera, record audio, and execute shell commands received from the server, likely enabling it to hijack control of the infected devices.

“LightSpy employs certificate pinning to prevent detection and interception of communication with its command-and-control (C2) server,” Blackberry said. “Thus, if the victim is on a network where traffic is being analyzed, no connection to the C2 server will be established.”

Cybersecurity

A further examination of the implant’s source code suggests the involvement of native Chinese speakers, raising the possibility of state-sponsored activity. What’s more, LightSpy communicates with a server located at 103.27[.]109[.]217, which also hosts an administrator panel that displays an error message in Chinese when entering incorrect login credentials.

The development comes as Apple said it sent out threat notifications to users in 92 countries, counting India, that they may have been targeted by mercenary spyware attacks.

“The return of LightSpy, now equipped with the versatile ‘F_Warehouse’ framework, signals an escalation in mobile espionage threats,” BlackBerry said.

“The expanded capabilities of the malware, including extensive data exfiltration, audio surveillance, and potential full device control, pose a severe risk to targeted individuals and organizations in Southern Asia.”

Source: https://thehackernews.com/2024/04/chinese-linked-lightspy-ios-spyware.html


“An interesting youtube video that may be related to the article above”