New macOS Version of LightSpy Spyware Targets High-Value Data

May 31, 2024 | News





Discovery of macOS LightSpy Surveillance Framework

Researchers from ThreatFabric have uncovered a macOS variant of the LightSpy surveillance framework, a tool previously known for targeting Android and iOS devices. This discovery highlights the framework’s extensive reach and sophisticated capabilities for data theft across multiple platforms.

[Figure: LightSpy on macOS infection chain. Source: ThreatFabric]


LightSpy’s Capabilities and Functionality

LightSpy is designed to steal a wide variety of data from infected devices. It can capture files, screenshots, location data (including building floor numbers), voice recordings during WeChat calls, payment information from WeChat Pay, and data from Telegram and QQ Messenger. The malware’s macOS version uses ten plugins to perform these actions:

  • soundrecord: Captures microphone audio.
  • browser: Extracts browsing data from web browsers.
  • cameramodule: Takes photos using the device’s camera.
  • FileManage: Manages and exfiltrates files, especially from messaging apps.
  • keychain: Retrieves sensitive information from the macOS Keychain.
  • LanDevices: Gathers information about devices on the same local network.
  • softlist: Lists installed applications and running processes.
  • ScreenRecorder: Records screen activity.
  • ShellCommand: Executes shell commands.
  • wifi: Collects data on connected Wi-Fi networks.


Targeted Exploits and Infection Method

The macOS LightSpy variant exploits WebKit vulnerabilities CVE-2018-4233 and CVE-2018-4404 to gain code execution through Safari, targeting macOS 10.13.3 and earlier versions. Initially, a 64-bit MachO binary disguised as a PNG image file is delivered to the device. This binary decrypts and executes scripts to fetch a second-stage payload, which includes a privilege escalation exploit and additional tools.
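The first-stage dropper described above is a Mach-O executable delivered under a PNG file name. A cheap triage check that catches this class of disguise is to compare what a file's extension claims with what its leading magic bytes say. The following Python script is an added example written for this article; it is not ThreatFabric's or BleepingComputer's code, and the sample byte strings it scans are constructed here, not taken from the LightSpy samples.

```python
"""Flag files whose extension says "image" but whose magic bytes say Mach-O.

Added example (not from the original article). The sample files at the bottom
are constructed in memory so the script runs offline; no real malware bytes are used.
"""
import struct
from pathlib import PurePosixPath

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Mach-O magic values as they appear in the first four bytes on disk.
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal (fat) Mach-O; Java .class files share it

IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def identify(data: bytes) -> str:
    """Return a content type derived from magic bytes, never from the file name."""
    if data.startswith(PNG_MAGIC):
        return "png"
    head = data[:4]
    if head in MACHO_MAGICS:
        return MACHO_MAGICS[head]
    if head == FAT_MAGIC and len(data) >= 8:
        # Heuristic used to separate fat Mach-O from Java class files: the fat
        # header's next field is a small big-endian architecture count, whereas a
        # class file stores version numbers there (major version is 45 or higher).
        (nfat_arch,) = struct.unpack(">I", data[4:8])
        if nfat_arch < 20:
            return "Mach-O universal (fat) binary"
        return "java-class"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Compare the claimed type (extension) with the observed type (magic bytes)."""
    ext = PurePosixPath(filename).suffix.lower()
    actual = identify(data)
    # The disguise in the article: an image extension wrapping a Mach-O executable.
    suspicious = ext in IMAGE_EXTENSIONS and actual.startswith("Mach-O")
    return {"name": filename, "claimed": ext, "actual": actual, "suspicious": suspicious}


# Constructed samples: a genuine PNG header, a 64-bit Mach-O header padded with
# zeros, and a fat header claiming two architectures. None of these is real malware.
PNG_SAMPLE = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
MACHO_SAMPLE = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
FAT_SAMPLE = FAT_MAGIC + struct.pack(">I", 2) + b"\x00" * 24

SAMPLES = {
    "wallpaper.png": PNG_SAMPLE,
    "photo.png": MACHO_SAMPLE,      # the disguise pattern from the article
    "updater.jpg": FAT_SAMPLE,      # same idea with a universal binary
    "helper": MACHO_SAMPLE,         # no image extension: not a disguise
}


def scan_samples(samples: dict = SAMPLES) -> list:
    """Return the names of samples whose extension does not match their contents."""
    return [name for name, data in samples.items() if triage(name, data)["suspicious"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
    print("suspicious:", scan_samples())
```

On a real system the same check runs over whatever a download or mail gateway stores, reading only the first eight bytes of each file. Note that the check is one signal, not a verdict: a legitimate Mach-O with a wrong extension is merely odd, while an "image" that is also executable is worth pulling for analysis.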

Establishing Persistence and Data Exfiltration

Once on the device, LightSpy uses a series of scripts and executables to gain root access and establish persistence. The malware’s core component, “macircloader,” manages communications with the command and control (C2) server and coordinates the operation of various plugins. These plugins enable comprehensive data exfiltration from infected macOS systems.




Research Insights and Broader Implications

The researchers from ThreatFabric infiltrated LightSpy’s control panel, providing insights into its functionality, infrastructure, and infected devices. Although the operation currently seems limited to testing environments and a few cybersecurity researchers’ machines, the potential for broader deployment exists.

The report also mentions the existence of LightSpy implants for Windows, Linux, and routers, although the exact methods of delivery and usage in attacks remain unclear.


Source: bleepingcomputer.com
