Summary: In April 2024, BlackBerry reported significant advancements in the LightSpy malware campaign, attributed to APT41, which introduced a new modular surveillance framework named DeepData, enhancing its data theft capabilities. This evolution includes sophisticated plugins for extensive data collection and improved command-and-control infrastructure, targeting various communication platforms and sensitive information.
Threat Actor: APT41
Victim: Various organizations
Key Points:
- DeepData framework includes 12 specialized plugins for comprehensive data theft.
- Enhanced capabilities for communication surveillance, credential theft, and system intelligence gathering.
- Strategic targeting of popular messaging platforms like WhatsApp, Telegram, and WeChat.
- Continuous evolution of command-and-control infrastructure with new SSL certificates.
- Focus on long-term intelligence gathering, particularly against political activists and journalists in Southeast Asia.
Summary
In April 2024, BlackBerry identified a significant evolution in the LightSpy malware campaign, with enhanced capabilities and new data theft mechanisms. The threat actor behind LightSpy, which we assess with high confidence to be associated with the Chinese cyber-espionage group APT41, has expanded its toolset with DeepData, a modular Windows surveillance framework that considerably broadens the group's espionage reach.
Threat Overview
- A new modular malware framework (DeepData v3.2.1228)
- 12 specialized plugins for comprehensive data theft
- Enhanced cross-platform surveillance capabilities
- Sophisticated command-and-control infrastructure
- Strategic targeting of communications platforms
Critical Capabilities
Our new finding demonstrates extended depth and breadth in data collection:
Communication Surveillance:
- Unauthorized infiltration of major messaging platforms (WhatsApp, Telegram, Signal, WeChat)
- Email monitoring (Outlook)
- Corporate communication tools (DingDing, Feishu)
Credential Theft:
- Browser credentials and history
- Application passwords
- Network authentication data
- Password manager targeting (KeePass)
System Intelligence:
- Detailed system information collection
- Network configuration harvesting
- Installed software inventory
- Audio recording capabilities
What is LightSpy Spyware?
LightSpy is an advanced espionage tool that was discovered in early 2020. It is a sophisticated, modular, surveillance-oriented toolkit for stealing sensitive information from victims, focusing on the Asia-Pacific region.
Its modular structure utilizes multiple plugins to track the victim. Each plugin is responsible for a different functionality aspect, such as access to the microphone, browser, or geolocation. The plugins are also designed to extract information about the device and files stored on it, including data from private messaging apps such as Telegram and WeChat.
Who is APT41?
APT41 (also known as Double Dragon) is a high-profile and highly prolific cyber-espionage group with alleged ties to the Chinese Ministry of State Security (MSS). First seen in 2012 attacking developers working in the video-game industry, the group soon expanded its reach to target high-tech firms, including media. In more recent years, the group’s digital tendrils have extended from intelligence gathering into further areas of government interest, including healthcare, education, telecommunications, and technology.
Technical Analysis
During our ongoing investigation into LightSpy and the associated advanced Android surveillance spyware WyrmSpy (also attributed to APT41), BlackBerry’s cyber threat intelligence team discovered an interesting file — deepdata.zip — being hosted by APT41’s C2.
The archive contained four files, shown below in Figure 1:
Figure 1: Deepdata.zip contents.
localupload.exe is a simple utility that uploads a directory of files to a remote host.
Figure 2: localupload.exe usage.
Data.dll decrypts mod.dat and loads the espionage tool we call DeepData, after the name the threat actor gave it. DeepData has the same layout as its sibling LightSpy: a core module (frame.exe in this case) plus a set of plugins.
Data.dll has been observed looking for the following DLL files. Of these, 11 are listed as plugins by the C2 API (Telegram.dll is the payload that the Tdm plugin injects into Telegram, rather than a plugin in its own right):
- appdata.dll – plugin
- Audio.dll – plugin
- ChatIndexedDb.dll – plugin
- ffmpeg.dll
- frame.dll
- iumdll.dll
- OutlookX32.dll – plugin
- Pass.dll – plugin
- ProductList.dll – plugin
- SocialSoft.dll – plugin
- SystemInfo.dll – plugin
- Tdm.dll – plugin
- Telegram.dll
- ucrtbase.enclave.dll
- WebBrowser.dll – plugin
- wifiList.dll – plugin
A readme.txt bundled with DeepData shows the stealer being run manually through rundll32.exe, with the C2 address and the requested plugins (or data types to extract) passed as command-line arguments. Nothing in the package automates this: there is no dropper, script or installer.
As such, we currently assess that the tool is run by hand by the operator, post-exploitation.
Detailed Technical Analysis:
DeepData Core
DeepData (conveniently for us) comes with a readme.txt:
Figure 3: Readme.txt for DeepData.
Many of the plugin program database (PDB) strings imply that this is version 2 of DeepData:
Figure 4: Plugin PDB strings.
Meanwhile, strings in frame.exe, decrypted from mod.dat, imply that the current version number is 3.2.1228.
Figure 5: DeepData version string showing current version number.
MD5 | b9129d83af902908fa7757e906ec0afe
SHA256 | 666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724
ITW File Name | Data.dll
Compilation Stamp | 2024-03-19 03:47:44
File Type/Signature | PE32 DLL
File Size | 186880 bytes
PDB Path | D:CodeOtherWorkDeepDataHbindata.pdb
DeepData has support for a wide range of Windows versions. To deliver the correctly compiled plugin version, the following Windows versions are checked:
Figure 6: DeepData’s supported Windows versions.
MD5 | 0f0fadd0546734c5c82f3c33d8268046
SHA256 | cf59cd171270ec9bc2baf618838eb57802cc9d48f64205da308406811dd4da92
ITW File Name | Frame.exe
Compilation Stamp | 2024-02-27 02:04:24
File Type/Signature | PE32 executable (console) Intel 80386, for MS Windows
File Size | 741280 bytes
PDB Path | D:tmpWorkdeepdata-v2deepdatabinframe.pdb
Version | 3.2.1228
Plugins
Figure 7. DeepData plugins overview.
All plugins share the same export interface: exports that return the plugin's version, name and command ID, plus an entry point that executes the command.
Figure 8: DeepData plugin exports.
Appdata Plugin
MD5 | 7efb1bc15ee6e3043f8eaefcf3f10864
SHA256 | ac7e20d4ddccc5e249ff0c1a72e394f9c1667a896995cf55b97b4f9fbf5de2fd
ITW File Name | appdata.dll
Compilation Stamp | 2024-01-15 11:26:12
File Type/Signature | PE32 DLL
File Size | 16546816 bytes
PDB Path | G:xmh_miqu_keyxmh密取appdataReleaseappdata.pdb
(*The Chinese characters 密取 (pinyin mìqǔ) in the PDB paths mean roughly "to take covertly" or "to steal"; the ASCII "miqu" in xmh_miqu_key, Audio_miqu and MiQuH is the same word romanized.)
The appdata plugin carries several binaries in its resource section that collect data from instant messaging clients. The plugin attempts to access the following applications:
- WXWork – WeCom (formerly WeChat Work), Tencent's enterprise messaging client; its Windows executable is WXWork.exe.
- Feishu – An enterprise collaboration platform developed by ByteDance, a Chinese Internet technology company.
- Signal – An open-source, end-to-end encrypted messaging service for instant messaging, voice calls and video calls, based in the U.S.
- WhatsApp – An instant messaging and voice-over-IP (VoIP) service owned by U.S.-based technology conglomerate Meta.
In practice appdata.dll duplicates much of the ChatIndexedDb.dll plugin, but covers more applications: ChatIndexedDb.dll targets only two. Our hypothesis is that the actor extended the older plugin's functionality into appdata.dll so as to reach additional messengers.
We base this on the compile timestamps: ChatIndexedDb.dll was built in October 2023, whereas appdata.dll was built in early January 2024.
The appdata.dll plugin embeds two further libraries, WhatsApp.dll and Signal.dll, which it launches at runtime. Its WhatsApp.dll is essentially a copy of the library included in ChatIndexedDb.dll.
MD5 | d66776ee123ef2947bc3175653a68d05
SHA256 | ccfd6ef35c718e2484b3727035d162b667f4b56df43324782d106f50ed1e3bcc
ITW File Name | WhatsApp.dll
Compilation Stamp | 2024-01-06 07:52:25
File Type/Signature | PE64 DLL
File Size | 10225664 bytes
PDB Path | G:xmh_miqu_keyxmh密取appdataReleaseWhatsapp.pdb

MD5 | ea47fd87c1b109d5fd529c213aea6b30
SHA256 | 37a1ffaba2e3ea9a7b2aa272b0587826cc0b5909497d3744ec8c114b504d2544
ITW File Name | Signal.dll
Compilation Stamp | 2024-01-04 02:49:18
File Type/Signature | PE64 DLL
File Size | 3003904 bytes
PDB Path | G:xmh_miqu_keyxmh密取appdataReleasesignal.pdb
Figure 9: Code that unloads data from different messengers.
Appdata also contains X509 certificates for Windows Phone.
Figure 10: X509 Certificates in appdata.dll.
SystemInfo Plugin
MD5 | 8625c0cf0748d04d43db54884ee13672
SHA256 | 213520170fc7113ac8f5e689f154f5c8074dd972584b56d820c19d84b7e5b477
ITW File Name | SystemInfo.dll
Compilation Stamp | 2023-10-26 11:37:28
File Type/Signature | PE32 DLL
File Size | 458240 bytes
PDB Path | G:xmh_miqu_keyxmh密取SystemInfoReleaseSystemInfo.pdb
This plugin (SystemInfo.dll) profiles the victim's system. It collects the following and sends it back to a server controlled by the threat actor:
- Information about the processes running on the system, including paths to the executable files running in the system.
- Data about user accounts in the system.
- Network connection information including active port numbers.
- Information about running services on the system.
- List of drivers installed on the system, including their version and developer name.
wifiList Plugin
MD5 | 4b9aa7d571be1a6ec62931c4c6624328
SHA256 | 460f1a00002e1c713a7753293b4737e65d27d0b65667b109d66afca873c23894
ITW File Name | wifiList.dll
Compilation Stamp | 2022-08-19 11:29:45
File Type/Signature | PE32 DLL
File Size | 1240576 bytes
PDB Path | E:zyxdllDll1DebugwifiList.pdb
This plugin (wifiList.dll) collects the wireless network profiles saved on the victim's device and writes them to "WifiList.json." It also extracts the stored keys (passwords) for those networks and writes them to "wifiKey.json," and enumerates the networks currently in range of the device.
Once collection is complete, the plugin sends both files to the threat actor's server.
WebBrowser Plugin
MD5 | 7529f56dde7a8302947982c43080bfcc
SHA256 | b523cdd1669dbd7ab68b43fd20f30a790ec0351876a0610958b9405468753a10
ITW File Name | WebBrowser.dll
Compilation Stamp | 2023-11-16 09:03:55
File Type/Signature | PE32 DLL
File Size | 741280 bytes
PDB Path | D:tmpWorkdeepdata-v2deepdatabinx86WebBrowser.pdb
This plugin (WebBrowser.dll) harvests cookies, browsing history, saved passwords and autocomplete data from popular browsers (Chrome, Firefox, Edge, Opera). It opens each browser's local SQLite databases at their standard profile paths, pulls the records with SQL queries, and decodes and decrypts the protected fields before exfiltration. The plugin also includes error handling so that a failure against one browser does not abort the rest of the run.
Pass Plugin
MD5 | 6ce2477efe7e853cea90764db5a64e6e
SHA256 | 041c13a29d3bee8d2e4bd9d8bde8152b5ac8305c1efcc198244b224e33635282
ITW File Name | Pass.dll
Compilation Stamp | 2023-10-27 08:55:22
File Type/Signature | PE32 DLL
File Size | 3589632 bytes
PDB Path | G:xmh_miqu_keyxmh密取PassReleasePass.pdb
This plugin (Pass.dll) attempts to collect account information as well as passwords from the following applications:
- BaiduNetDisk – A cloud storage service provided by Baidu, Inc., headquartered in Beijing.
- QQ – An instant messaging software service and web portal developed by the Chinese technology company Tencent.
- FoxMail – A freeware email client also developed by Tencent.
- MailMaster – NetEase's desktop email client.
- OneDrive – A file-hosting service operated by Microsoft.
The plugin also bundles two libraries from the open-source "KeeFarce" project, which extracts the contents of an unlocked KeePass 2.x database from the KeePass process's memory:
- KeeFarce.dll
- Bootstrap.dll
Using these libraries, the plugin attempts to extract passwords and related entries from any KeePass instance on the victim's device, then sends all collected data to a remote server controlled by the threat actor.
OutlookX32 Plugin
MD5 | fb99f5da9c0c46c27e17dc2dc1e162d7
SHA256 | 2bfb82a43bb77127965a4011a87de845242b1fb98fd09085885be219e0499073
ITW File Name | OutlookX32.dll
Compilation Stamp | 2024-02-27 02:04:24
File Type/Signature | PE32 executable
File Size | 774656 bytes
PDB Path | G:xmh_miqu_keyxmh密outlookoutlook_2022.12.14OUTLOOKBinOutlookX32.pdb
This plugin (OutlookX32.dll) is designed to steal information from Microsoft’s Outlook application. The plugin attempts to access the following information:
- User emails
- Mail folders in the Outlook client
- User’s contact list
ProductList Plugin
MD5 | 48f8b7e0db439336549b93bda8633cd2
SHA256 | 724351b5cc9ad496a6c9486b8ef34772f640590a90293f913f005e994717134b
ITW File Name | ProductList.dll
Compilation Stamp | 2023-10-20 13:24:30
File Type/Signature | PE32 DLL
File Size | 2273280 bytes
PDB Path | E:zyxdllProductListDebugProductList.pdb
This plugin is designed to collect information about installed applications on the system. It can collect the applications’ names and installation paths and transmit them to a server controlled by the threat actor.
SocialSoft Plugin
MD5 | 4b9aa7d571be1a6ec62931c4c6624328
SHA256 | c3995f28476f7a775f4c1e8be47c64a300e0f16535dc5ed665ba796f05f19f73
ITW File Name | SocialSoft.dll
Compilation Stamp | 2023-10-13 11:35:41
File Type/Signature | PE32 DLL
File Size | 1240576 bytes
PDB Path | D:tmpWorkdeepdata-v2deepdatabinx86SocialSoft.pdb
This plugin (SocialSoft.dll) is designed to allow unauthorized access to the following applications:
- WeChat – A Chinese instant messaging, social media, and mobile payment app developed by Tencent.
- DingDing – One of the largest mobile enterprise communication and collaboration apps in China, with over 100 million users.
- Telegram – A cloud-based, cross-platform, social media and instant messaging service.
- Feishu – An enterprise collaboration platform developed by ByteDance, a Chinese Internet technology company.
- QQ – An instant messaging software service and web portal developed by the Chinese technology company Tencent.
- Skype – An IP-based videotelephony, videoconferencing and voice call service developed by Microsoft.
The plugin attempts to access messages and data stored in application directories. If message theft succeeds, the plugin packages the messages and sends them to a server controlled by the threat actor.
Audio Plugin
MD5 | d521bf0f24c839e7ceb5db77de090fbc
SHA256 | 55e2dbb906697dd1aff87ccf275efd06ee5e43bb21ea7865aef59513a858cf9f
ITW File Name | Audio.dll
Compilation Stamp | 2023-07-08 08:51:34
File Type/Signature | PE32 DLL
File Size | 7405056 bytes
PDB Path | C:UsersGT1sourcereposAudio_miquReleaseAudio.pdb
This plugin (Audio.dll) records the acoustic environment through the target system's microphone. At runtime it extracts a second library, audio.core.dll, which is embedded in its body and compressed with the UPX packer.
Unpacked sample audio.core.dll:
MD5 | 3b61d82be05f18754238e26b835da103
SHA256 | b79629e820cdd36d0daed964a2c0338e125a1f90f08e226f52dc60070747c62e
ITW File Name | audio.core.dll
Compilation Stamp | 2023-07-08 07:43:13
File Type/Signature | PE32 DLL
File Size | 17922560 bytes
PDB Path | C:UsersGT1sourcereposAudio_miquReleaseaudio.core.pdb
The plugin uses the open-source FFmpeg 4.3.5 libraries to capture audio. Recordings are written in Advanced Audio Coding (AAC, .aac) format to the %temp% folder. AAC is a lossy audio compression standard that achieves higher sound quality than MP3 at the same bit rate.
Along with the record command, the plugin receives the desired recording duration in seconds. When the recording finishes, the audio file is transferred to a server controlled by the threat actor.
Figure 11: The code of the plugin that starts the sound recording.
ChatIndexedDb Plugin
MD5 | 4b9aa7d571be1a6ec62931c4c6624328
SHA256 | 88e5ca44189dabb4cec8a183f6268a42f3f92b2c6d7c722d7f55efd3dc5334c8
ITW File Name | ChatIndexedDb.dll
Compilation Stamp | 2023-10-26 10:23:30
File Type/Signature | PE32 DLL
File Size | 9354240 bytes
PDB Path | G:xmh_miqu_keyxmh密取ChatIndexedDbReleaseChatIndexedDb.pdb
This plugin is used by a threat actor to monitor the WhatsApp and Zalo apps installed on Windows. Zalo is a mobile messaging app that is most popular in Vietnam, with an 82% usage rate in 2024, and 77.6 million monthly active users. The plugin will attempt to copy all application data from these apps. It also monitors the data shared by the user in private chats with their other contacts.
It additionally contains the WhatsApp.dll library in its body, which is specially designed to steal data and messages from the WhatsApp application. If the data theft is successful, the plugin packs the data and sends it to a server controlled by the threat actor.
WhatsApp.dll Library
MD5 | 847ec30a4ff2391f1eb7669c22940e51
SHA256 | 735d59c0949e258501e177ec2dd5fbb60df9fa401ace08949b89077c6f0d41d0
ITW File Name | WhatsApp.dll
Compilation Stamp | 2023-10-23 03:14:00
File Type/Signature | PE32 DLL
File Size | 8998400 bytes
PDB Path | E:xmh密取appdataReleaseWhatsapp.pdb
Figure 12: A plugin that uploads WhatsApp data.
Tdm Plugin
MD5 | bdd8926f4be6576653ac96ee732d587a
SHA256 | efff4106cfd21a356b13a5a99c626a4f103f03b9491c0f1f5e135c1e3c84e76c
ITW File Name | Tdm.dll
Compilation Stamp | 2023-12-05 06:58:05
File Type/Signature | PE64 DLL
File Size | 214016 bytes
PDB Path | D:CodeprojectMiQuHMiQuHReleaseTdm.pdb
This plugin downloads a library named Telegram.dll and injects it into the address space of the running "Telegram for Windows" process, from where it copies the user's chat data: contacts, messages, images, audio and video. If the copy succeeds, the plugin sends the data to a server controlled by the threat actor.
MD5 | e79da1e448c60e12d835b47735f9da03
SHA256 | a560931baa404189257ec9cbcc2b9449c579018218cc1d70c99b1d36dd292a0e
ITW File Name | Telegram.dll
Compilation Stamp | 2024-02-20 02:24:09
File Type/Signature | PE64 DLL
File Size | 7098336 bytes
PDB Path | D:CodeScompiletg471tdesktopoutReleaseTelegram.pdb
Figure 13: The code that injects the Telegram.dll library into the Telegram for Windows process.
Network Infrastructure
The front-end application programming interface (API) of APT41's LightSpy C2 exposes an endpoint named cmd_list at the URI /ujmfanncy76211/front_api/cmd_list. It returns a JSON blob listing every command supported by that C2 deployment.
Below is the list of all commands whose supported operating system (OS) values include Windows. Notably, "Windows keylogger" (43002) is new as of mid-October 2024.
Command ID | Action
10015 | Upload Log
10900 | Get the basics
11001 | Get the basics
12001 | 
12002 | WeChat contact
12003 | WeChat Groups
12004 | WeChat text message
12005 | WeChat File Message
13001 | Single Positioning
14001 | Default Browser History
14101 | Browser password
14102 | Browser History
14103 | If a browser cookie
16001 | Access to software
16002 | Get process
16003 | Software Account
16006 | Get process information
17001 | Wifi connected
17002 | Peripheral wifi
19004 | Screen Recording
43001 | Get the basics of windows
43002 | Windows keylogger
25001 | QQ Account
25002 | QQ Contact
25003 | QQ Group
25004 | QQ text message
25005 | QQ File Message
26001 | Telegram Account
26002 | Telegram Contacts
26003 | Telegram Group
26004 | Telegram Text Messages
26005 | Telegram File Message
27001 | Get a WhatsApp account
27002 | Get WhatsApp contacts
27003 | Get WhatsApp Groups
27004 | Get WhatsApp text messages
27005 | Get WhatsApp file information
28001 | Get a line account
28002 | Get line contacts
28003 | Get line group
28004 | Get line text information
28005 | Get line file information
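The IDs in the listing above follow a fixed layout: the first two digits select a family (12 WeChat, 25 QQ, 26 Telegram, 27 WhatsApp, 28 Line, 43 Windows, and so on) and the last three select the sub-command, with every messaging family reusing the same five (001 account, 002 contacts, 003 groups, 004 text messages, 005 file messages). Below is an added Python example, not BlackBerry's or the actor's code, that decodes IDs on that basis and diffs two cmd_list snapshots so that a new entry such as 43002 "Windows keylogger" stands out. The JSON field names (id, name, os) and the two snapshots are assumptions constructed for illustration; the real cmd_list schema is not reproduced in this post.

```python
"""Decode LightSpy/DeepData C2 command IDs and diff two cmd_list snapshots.

Added example for this write-up; it is not BlackBerry's tooling or the actor's
code. ASSUMPTION: the cmd_list endpoint returns a JSON list of objects with
"id", "name" and "os" keys. The real field names are not shown in the post, so
adjust windows_commands() to the schema you actually observe. The ID layout
(two-digit family prefix, three-digit sub-command) is read off the table above.
"""
import json

# Family prefix = cmd_id // 1000, as grouped in the C2 listing.
FAMILY = {
    10: "core/log", 11: "basics", 12: "WeChat", 13: "location", 14: "browser",
    16: "software/process", 17: "wifi", 19: "screen", 25: "QQ", 26: "Telegram",
    27: "WhatsApp", 28: "Line", 43: "Windows",
}
# Every messaging family reuses the same five sub-commands (xx001..xx005).
IM_FAMILIES = {12, 25, 26, 27, 28}
IM_SUBTYPE = {1: "account", 2: "contacts", 3: "groups",
              4: "text messages", 5: "file messages"}


def decode_command(cmd_id):
    """Return (family, subtype), e.g. 27004 -> ('WhatsApp', 'text messages')."""
    prefix, suffix = divmod(int(cmd_id), 1000)
    family = FAMILY.get(prefix, f"unknown-family-{prefix}")
    if prefix in IM_FAMILIES and suffix in IM_SUBTYPE:
        return family, IM_SUBTYPE[suffix]
    return family, f"sub-{suffix:03d}"


def windows_commands(cmd_list_json):
    """Parse a cmd_list body; keep only commands whose 'os' list includes Windows."""
    return {int(c["id"]): c["name"] for c in json.loads(cmd_list_json)
            if "Windows" in c.get("os", [])}


def new_commands(baseline_json, current_json):
    """Commands present in the current snapshot but absent from the baseline, decoded."""
    old = windows_commands(baseline_json)
    cur = windows_commands(current_json)
    return {cid: (cur[cid], *decode_command(cid))
            for cid in sorted(set(cur) - set(old))}


# Constructed snapshots for illustration (not captured C2 responses). The names
# of 43001/43002/27004/13001 match the C2 labels in the table; 15001 and all
# "os" values are invented to exercise the filter.
BASELINE = json.dumps([
    {"id": 43001, "name": "Get the basics of windows", "os": ["Windows"]},
    {"id": 27004, "name": "Get WhatsApp text messages", "os": ["Windows", "Android"]},
    {"id": 13001, "name": "Single Positioning", "os": ["Windows", "Android", "iOS"]},
    {"id": 15001, "name": "(Android-only example)", "os": ["Android"]},
])
CURRENT = json.dumps([
    {"id": 43001, "name": "Get the basics of windows", "os": ["Windows"]},
    {"id": 27004, "name": "Get WhatsApp text messages", "os": ["Windows", "Android"]},
    {"id": 43002, "name": "Windows keylogger", "os": ["Windows"]},
    {"id": 13001, "name": "Single Positioning", "os": ["Windows", "Android", "iOS"]},
    {"id": 15001, "name": "(Android-only example)", "os": ["Android"]},
])

if __name__ == "__main__":
    for cid, (name, family, subtype) in new_commands(BASELINE, CURRENT).items():
        print(f"NEW {cid}: {name!r} [{family} / {subtype}]")
```

Re-running the diff against a stored snapshot each time a C2 is polled turns the cmd_list endpoint into a cheap change feed for the actor's capability development.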
Researchers at Hunt.io published a great writeup on tracking LightSpy and WyrmSpy C2. Internet intelligence-based threat hunting platform Censys even implemented resource identifiers for both LightSpy and WyrmSpy.
A new SSL certificate is being used on some of the C2 servers: C=CN, ST=BJ, L=BJ, O=Company, emailAddress=admin[at]zb.com.
At the time of writing, four of the 10 systems online using this certificate are LightSpy C2s. Many of these C2s have a login page at the uri /qazxswedcvfr/login. Both LightSpy and WyrmSpy C2s have been seen hosting this certificate and login page. The favicon indicates use of the open-source Vue JavaScript framework, which is in line with previous web interfaces created for or by this developer.
Figure 14. Page to login to the C2 control panel.
DeepData is hosted on C2 servers that present this certificate, with port 28992 serving the plugin files and port 28993 used for command-and-control.
Figure 15: Network locations from deepdata’s config.json.
A second new SSL certificate is presented by one WyrmSpy C2:
Subject: O=https Project, CN=httpsServer
Issuer: O=https Project Certificate Authority
In total only three servers use this certificate, all of them hosted on the same ASN as many of the LightSpy and WyrmSpy C2s.
IP | SSL Certificate
45[.]155[.]220[.]79 | LightSpy
45[.]155[.]220[.]194 | LightSpy
45[.]125[.]34[.]126 | LightSpy
43[.]248[.]136[.]215 | LightSpy
43[.]248[.]136[.]110 | LightSpy, admin[at]zb.com
43[.]248[.]136[.]104 | LightSpy
38[.]55[.]97[.]178 | LightSpy
222[.]219[.]183[.]84 | LightSpy
203[.]83[.]9[.]62 | admin[at]zb.com
203[.]83[.]9[.]60 | admin[at]zb.com
203[.]83[.]10[.]112 | https Project
202[.]43[.]239[.]13 | admin[at]zb.com
154[.]91[.]196[.]185 | LightSpy
119[.]147[.]213[.]48 | WyrmSpy, admin[at]zb.com, https Project
118[.]195[.]234[.]243 | LightSpy
103[.]43[.]18[.]95 | admin[at]zb.com
103[.]43[.]18[.]22 | admin[at]zb.com
103[.]43[.]17[.]99 | LightSpy
103[.]27[.]109[.]28 | LightSpy, admin[at]zb.com
103[.]27[.]109[.]217 | LightSpy, admin[at]zb.com
103[.]27[.]108[.]122 | admin[at]zb.com, https Project
207[.]148[.]77[.]93 | WyrmSpy
SSL Certificate | SHA256 fingerprint
LightSpy | c0d4517e0727e94887d3b8a2c6c69938930995a8bcf37c9dafbd3a86b042417c
WyrmSpy | f0fc2c418e012e034a170964c0d68fee2c0efe424a90b0f4c4cd5e13d1e36824
admin[at]zb.com | 2cede95138f60dfaee4aa3538962ca2ab7dada376dd3977d56e0e6e208001a73
https Project | 4fd541e0c899260511c5c0ebd5ccaa134078d50d268a35af60e22422673c48ee
Threat Actor Analysis: LightSpy Timeline Context
Pre-2022
- Initial development of LightSpy malware
- Early targeting and deployment phases
- Establishment of basic infrastructure
2022
August 19, 2022
- Compilation of wifiList.dll plugin
- Initial development of network reconnaissance capabilities
2023
July 2023
- July 8: Compilation of audio.core.dll, the FFmpeg 4.3.5-based recorder (07:43:13 UTC)
- July 8: Compilation of the Audio.dll wrapper plugin (08:51:34 UTC)
October 2023
- October 13: Compilation of SocialSoft.dll (11:35:41 UTC)
- Introduction of social media monitoring capabilities
- Unauthorized infiltration of WeChat, DingDing, Telegram, Feishu, QQ, and Skype
- October 20: Compilation of ProductList.dll (13:24:30 UTC)
- Application enumeration functionality added
- October 23: Initial WhatsApp.dll compilation (03:14:00 UTC)
- October 26: Multiple component updates
- ChatIndexedDb.dll compilation (10:23:30 UTC)
- SystemInfo.dll compilation (11:37:28 UTC)
- Enhanced messaging platform surveillance capabilities
- October 27: Compilation of Pass.dll (08:55:22 UTC)
- Integration of password stealing capabilities
- Implementation of KeePass targeting functionality
November 2023
- November 16: Compilation of WebBrowser.dll (09:03:55 UTC)
- Browser credential theft capabilities added
December 2023
- December 5: Compilation of Tdm.dll (06:58:05 UTC)
- Telegram-specific monitoring capabilities introduced
2024
January 2024
- January 4: Compilation of Signal.dll (02:49:18 UTC)
- Signal messenger monitoring capability added
- January 6: Updated WhatsApp.dll compilation (07:52:25 UTC)
- January 15: Compilation of appdata.dll (11:26:12 UTC)
- Enhanced data collection capabilities
- Integration with multiple messaging platforms
February 2024
- February 27: Multiple significant updates
- Compilation of Frame.exe (02:04:24 UTC)
- Compilation of OutlookX32.dll (02:04:24 UTC)
- Implementation of email surveillance capabilities
March 2024
- March 19: Compilation of Data.dll (03:47:44 UTC)
- Core component of DeepData framework
April 2024
- BlackBerry identifies DeepData (deepdata.zip) hosted on LightSpy C2 infrastructure
Autumn 2024 (time of writing)
- Mid-October: "Windows keylogger" (command 43002) appears in the C2 cmd_list
- New SSL certificates (admin[at]zb.com, "https Project") observed on C2 servers
- Expanded C2 infrastructure identified
Infrastructure Evolution
Current Active C2 Infrastructure
- 22 identified C2 servers across multiple ASNs
- Implementation of new SSL certificates:
- Certificate with admin[at]zb.com
- Certificate from “https Project”
- Deployment of Vue Javascript-based control panel
- Implementation of specialized login pages at /qazxswedcvfr/login
Key Observations
Development Acceleration
- Intense development period from October 2023 to April 2024
- Significant expansion of capabilities and modules
- Regular updates and improvements to core components
Capability Evolution
- Progressive addition of new messaging platform support
- Enhanced data collection capabilities
- Improved stealth and persistence mechanisms
Infrastructure Development
- Continuous expansion of C2 infrastructure
- Implementation of new security certificates
- Enhanced operational security measures
Operational Sophistication
- Module-based development approach
- Regular updates to core components
- Strategic timing of capability rollouts
Conclusions
Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering. Since LightSpy was first documented in 2020, the actor has persistently and methodically targeted communication platforms, with an emphasis on stealth and sustained access.
The sophisticated modular architecture, comprehensive surveillance capabilities, and robust infrastructure detailed in this report suggest a well-resourced and technically proficient threat actor with strategic objectives.
Organizations of all sizes, particularly those in targeted regions, should treat this threat as a high priority and implement comprehensive defensive measures. The continued evolution of tools like DeepData indicates a persistent threat that will likely expand in both capability and scope as time goes on.
Victimology
Based on the victims that the threat actor hiding behind LightSpy has targeted in the past, and also based on the applications DeepData attempts to access, we believe that the intended targets are located in Southeast Asia, and, with a medium degree of probability, can be associated with political activists, politicians and journalists.
Countermeasures
BlackBerry customers are protected against the DeepData IoCs listed in this blog post by endpoint protection solutions such as CylanceENDPOINT™. CylanceENDPOINT leverages advanced AI to detect threats before they cause damage, minimizing business disruptions and the costs incurred during a ransomware attack.
Recommendations for Defenders
- Block identified command-and-control infrastructure.
- Monitor network and devices for unauthorized audio recording activities.
- Use secure communications platforms for business sensitive data.
- Deploy detection rules for DeepData components.
- Review logs for indicators of compromise (IoCs).
- Assess exposure of sensitive communication channels.
APPENDIX 1 – IoCs (Indicators of Compromise)
Name | MD5 | SHA256
Data.dll | b9129d83af902908fa7757e906ec0afe | 666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724
Frame.exe | 0f0fadd0546734c5c82f3c33d8268046 | cf59cd171270ec9bc2baf618838eb57802cc9d48f64205da308406811dd4da92
Tdm.dll | bdd8926f4be6576653ac96ee732d587a | efff4106cfd21a356b13a5a99c626a4f103f03b9491c0f1f5e135c1e3c84e76c
ChatIndexedDb.dll | 4b9aa7d571be1a6ec62931c4c6624328 | 88e5ca44189dabb4cec8a183f6268a42f3f92b2c6d7c722d7f55efd3dc5334c8
Audio.dll | d521bf0f24c839e7ceb5db77de090fbc | 55e2dbb906697dd1aff87ccf275efd06ee5e43bb21ea7865aef59513a858cf9f
SocialSoft.dll | 4b9aa7d571be1a6ec62931c4c6624328 | c3995f28476f7a775f4c1e8be47c64a300e0f16535dc5ed665ba796f05f19f73
ProductList.dll | 48f8b7e0db439336549b93bda8633cd2 | 724351b5cc9ad496a6c9486b8ef34772f640590a90293f913f005e994717134b
OutlookX32.dll | fb99f5da9c0c46c27e17dc2dc1e162d7 | 2bfb82a43bb77127965a4011a87de845242b1fb98fd09085885be219e0499073
Pass.dll | 6ce2477efe7e853cea90764db5a64e6e | 041c13a29d3bee8d2e4bd9d8bde8152b5ac8305c1efcc198244b224e33635282
WebBrowser.dll | 7529f56dde7a8302947982c43080bfcc | b523cdd1669dbd7ab68b43fd20f30a790ec0351876a0610958b9405468753a10
SystemInfo.dll | 8625c0cf0748d04d43db54884ee13672 | 213520170fc7113ac8f5e689f154f5c8074dd972584b56d820c19d84b7e5b477
appdata.dll | 7efb1bc15ee6e3043f8eaefcf3f10864 | ac7e20d4ddccc5e249ff0c1a72e394f9c1667a896995cf55b97b4f9fbf5de2fd
wifiList.dll | 4b9aa7d571be1a6ec62931c4c6624328 | 460f1a00002e1c713a7753293b4737e65d27d0b65667b109d66afca873c23894
WhatsApp.dll (appdata) | d66776ee123ef2947bc3175653a68d05 | ccfd6ef35c718e2484b3727035d162b667f4b56df43324782d106f50ed1e3bcc
WhatsApp.dll (ChatIndexedDb) | 847ec30a4ff2391f1eb7669c22940e51 | 735d59c0949e258501e177ec2dd5fbb60df9fa401ace08949b89077c6f0d41d0
Signal.dll | ea47fd87c1b109d5fd529c213aea6b30 | 37a1ffaba2e3ea9a7b2aa272b0587826cc0b5909497d3744ec8c114b504d2544
audio.core.dll | 3b61d82be05f18754238e26b835da103 | b79629e820cdd36d0daed964a2c0338e125a1f90f08e226f52dc60070747c62e
Telegram.dll | e79da1e448c60e12d835b47735f9da03 | a560931baa404189257ec9cbcc2b9449c579018218cc1d70c99b1d36dd292a0e
PDB Paths
D:CodeOtherWorkDeepDataHbindata.pdb
D:tmpWorkdeepdata-v2deepdatabinframe.pdb
G:xmh_miqu_keyxmh密取appdataReleaseappdata.pdb
G:xmh_miqu_keyxmh密取appdataReleaseWhatsapp.pdb
G:xmh_miqu_keyxmh密取appdataReleasesignal.pdb
G:xmh_miqu_keyxmh密取SystemInfoReleaseSystemInfo.pdb
E:zyxdllDll1DebugwifiList.pdb
D:tmpWorkdeepdata-v2deepdatabinx86WebBrowser.pdb
G:xmh_miqu_keyxmh密取PassReleasePass.pdb
G:xmh_miqu_keyxmh密outlookoutlook_2022.12.14OUTLOOKBinOutlookX32.pdb
E:zyxdllProductListDebugProductList.pdb
D:tmpWorkdeepdata-v2deepdatabinx86SocialSoft.pdb
C:UsersGT1sourcereposAudio_miquReleaseAudio.pdb
C:UsersGT1sourcereposAudio_miquReleaseaudio.core.pdb
G:xmh_miqu_keyxmh密取ChatIndexedDbReleaseChatIndexedDb.pdb
E:xmh密取appdataReleaseWhatsapp.pdb
D:CodeprojectMiQuHMiQuHReleaseTdm.pdb
D:CodeScompiletg471tdesktopoutReleaseTelegram.pdb
Network Indicators
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/WebBrowser[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/localupload[.]exe
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/Tdm[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/OutlookX32[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/SocialSoft[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/ChatIndexedDb[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/Audio[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/ProductList[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/frame[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/data[.]dll
202[.]43[.]239[.]13:28992/asdgdsfdsfasd/SystemInfo[.]dll
202[.]43[.]239[.]13:28992/asdgdsfdsfasd/ChatIndexedDb[.]dll
202[.]43[.]239[.]13:28992/asdgdsfdsfasd/SocialSoft[.]dll
202[.]43[.]239[.]13:28992/asdgdsfdsfasd/appdata[.]dll
103[.]255[.]176[.]176:28992/asdgdsfdsfasd/Telegram[.]dll
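The indicators above are defanged with [.] notation and, as published, contain repeats and a stray space. The following added Python snippet (this write-up's own example, not BlackBerry tooling) refangs them, deduplicates them, groups them per staging host and port, and emits one Suricata rule per host for the shared plugin directory. The SID range and rule messages are arbitrary choices of the example.

```python
"""Normalize the defanged DeepData network indicators into structured records.

Added example; not from the original post. The input lines are the indicators
listed in Appendix 1 (including their duplicates and one stray space, as
published); the parsing rules, SID range and rule text are this example's own.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

RAW_INDICATORS = """
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/WebBrowser[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/localupload[.]exe
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/Tdm[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/OutlookX32[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/WebBrowser[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/Tdm[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/SocialSoft[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/ChatIndexedDb[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/Audio[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/ProductList[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/frame[.]dll
119[.]147[.]213[.]48:28992/asdgdsfdsfasd/data[.]dll
202[.]43[.]239[.]13:28992/asdgdsfdsfasd/SystemInfo[.]dll
202[.]43[.]239[.]13:28992/asdgdsfdsfasd/ChatIndexedDb[.]dll
202[.]43[.]239[.]13:28992/asdgdsfdsfasd/SocialSoft[.]dll
202[.]43[.]239[.]13:28992/asdgdsfdsfasd/appdata[.]dll
202[.]43[.]239[.]13:28992/asdgdsfdsfasd/ChatIndexedDb[.]dll
202[.]43[.]239[.]13:28992/asdgdsfdsfasd/SocialSoft[.]dll
202[.]43[.]239[.]13:28992/asdgdsfdsfasd/appdata[.]dll
103[.]255[.]176[.]176:28992/ asdgdsfdsfasd/Telegram[.]dll
"""


def refang(text):
    """Reverse common defanging: [.] -> . , [at] -> @ , hxxp(s) -> http(s)."""
    text = text.replace("[.]", ".").replace("[at]", "@")
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def parse_indicator(line):
    """Return (host, port, path) for one host:port/path indicator, or None if malformed."""
    line = re.sub(r"\s+", "", line)  # drop the stray space in the published list
    if not line:
        return None
    url = urlsplit("http://" + refang(line))  # scheme added only so urlsplit parses it
    if not url.hostname or not url.port:
        return None
    return url.hostname, url.port, url.path


def normalize(raw):
    """Deduplicate and group indicators: {(host, port): sorted list of paths}."""
    grouped = defaultdict(set)
    for line in raw.splitlines():
        rec = parse_indicator(line)
        if rec:
            host, port, path = rec
            grouped[(host, port)].add(path)
    return {key: sorted(paths) for key, paths in sorted(grouped.items())}


def suricata_rules(grouped, start_sid=9000001):
    """One alert per staging host, keyed on the plugin directory all paths share."""
    rules = []
    for i, ((host, port), paths) in enumerate(grouped.items()):
        directory = paths[0].rsplit("/", 1)[0] + "/"
        rules.append(
            f'alert http $HOME_NET any -> {host} {port} '
            f'(msg:"DeepData plugin staging {host}"; flow:established,to_server; '
            f'content:"{directory}"; http_uri; classtype:command-and-control; '
            f'sid:{start_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    grouped = normalize(RAW_INDICATORS)
    for (host, port), paths in grouped.items():
        print(f"{host}:{port}  {len(paths)} unique files")
    print("\n".join(suricata_rules(grouped)))
```

Grouping by host and port rather than by full URL is what you want for blocking: the plugin file names vary per victim, but the staging directory and the 28992 service are shared across the observed hosts.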
APPENDIX 2 – Applied Countermeasures
Yara Rules
rule DeepData_Spy_tool {
    meta:
    strings:
    condition:
}
Suricata Rules
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Blackberry CTI - APT41 DeepData qweasdzxc api request"; flow:established,to_server; content:"qweasdzxc/api/"; http_uri; classtype:command-and-control; sid:1; rev:1; metadata:created_at 2024_11_11;)
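As an added example (not part of the BlackBerry report), the following Python applies the same indicators as detection logic over constructed Zeek-style http.log lines: the qweasdzxc/api/ URI content from the Suricata rule above, and the fixed /asdgdsfdsfasd/ plugin-download path on TCP 28992 seen in this report's network indicators. It also honours the rule's $HOME_NET -> $EXTERNAL_NET direction; modelling $HOME_NET as RFC 1918 space and the log format itself are assumptions of this example.

```python
import ipaddress
import re

# Constructed Zeek-style http.log records (tab-separated: ts, id.orig_h, id.resp_h,
# id.resp_p, method, host, uri). Made up for this example, not real telemetry.
SAMPLE_HTTP_LOG = """\
1731300001.10\t10.0.0.5\t203.0.113.7\t80\tGET\tupdates.example.test\t/software/list.json
1731300002.42\t10.0.0.5\t198.51.100.9\t28992\tGET\t198.51.100.9\t/asdgdsfdsfasd/WebBrowser.dll
1731300003.77\t10.0.0.8\t198.51.100.9\t28992\tPOST\t198.51.100.9\t/qweasdzxc/api/third/file/upload/
1731300004.01\t10.0.0.8\t198.51.100.9\t443\tPOST\t198.51.100.9\t/qweasdzxc/api/login/
1731300005.33\t198.51.100.9\t10.0.0.8\t8080\tGET\t10.0.0.8\t/qweasdzxc/api/command/
"""

# Indicators from the report: the Suricata rule keys on "qweasdzxc/api/" in the HTTP
# URI; plugin downloads in the network indicators use a fixed "/asdgdsfdsfasd/" path
# on TCP 28992 and fetch a named component (WebBrowser.dll, Tdm.dll, ...).
C2_API_RE = re.compile(r"qweasdzxc/api/")
PLUGIN_DL_RE = re.compile(r"/asdgdsfdsfasd/([A-Za-z0-9_.]+\.(?:dll|exe))$", re.IGNORECASE)
C2_PORT = 28992
# The rule is directional ($HOME_NET -> $EXTERNAL_NET). Modelling $HOME_NET as RFC 1918
# space is an assumption of this example; adjust to the monitored ranges.
HOME_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_home(ip):
    return any(ipaddress.ip_address(ip) in net for net in HOME_NETS)

def classify(rec):
    """Return an alert name for one parsed record, or None when it does not match."""
    if not is_home(rec["orig_h"]) or is_home(rec["resp_h"]):
        return None  # not HOME_NET -> EXTERNAL_NET, so outside the rule's scope
    if C2_API_RE.search(rec["uri"]):  # same content match as the Suricata rule, any port
        return "deepdata_c2_api_request"
    m = PLUGIN_DL_RE.search(rec["uri"])
    if m and rec["resp_p"] == C2_PORT:
        return "deepdata_plugin_download:" + m.group(1)
    return None

def scan_http_log(text):
    """Parse the Zeek-style lines and return (ts, src, dst, alert) for every hit."""
    alerts = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7 or line.startswith("#"):
            continue
        rec = {"ts": fields[0], "orig_h": fields[1], "resp_h": fields[2],
               "resp_p": int(fields[3]), "method": fields[4], "host": fields[5], "uri": fields[6]}
        name = classify(rec)
        if name:
            alerts.append((rec["ts"], rec["orig_h"], rec["resp_h"], name))
    return alerts
```

Hits on the qweasdzxc/api/ prefix are reported on any port, as in the rule, while the plugin-download check additionally requires the 28992 port from the indicators, so a DLL fetched from that path over another port is deliberately left unflagged.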
Django Debugging Dump From DeepData API Endpoint
Related Reading