| LightSpy | |
|---|---|
| Type of Malware | Spyware |
| Country of Origin | China |
| Date of initial activity | 2020 |
| Associated Groups | APT 41 (aka Wicked Panda) |
| Targeted Countries | Southern Asia, possibly India |
| Motivation | Harvest sensitive information, including contacts, SMS messages, precise location data and sound recordings during VoIP calls. The latest version discovered further expands on its capabilities to steal files as well as data from popular apps like Telegram, QQ, and WeChat, iCloud Keychain data, and web browser history from Safari and Google Chrome. |
| Attack vectors | Distributed via watering hole attacks through compromised news websites carrying stories related to Hong Kong |
| Targeted systems | iOS |
| Variants | F_Warehouse (April 2024) |
Overview
First identified in 2020, LightSpy stands out as a sophisticated iOS implant, linked to a watering-hole attack targeting Apple device users. Its advanced surveillance capabilities center on extracting sensitive data, including precise location information and even audio recordings from VoIP calls, posing severe threats to victims by enabling near-perfect tracking.
The implant’s functionality extends to extracting device details and files, including data from popular messaging platforms like QQ, WeChat, and Telegram. It also includes a plugin capable of accessing WeChat Pay’s transaction history, along with contacts, SMS, call logs, GPS coordinates, Wi-Fi connections, and browsing histories from Safari and Chrome. With such extensive capabilities, LightSpy transforms a compromised phone into a powerful espionage tool.
Targets
Governmental bodies, pro-democratic Hong Kong activists, universities, computer hardware manufacturers, software developers, telecommunication service providers, social media platforms, and video game companies.
How they operate
Based on previous campaigns, initial infection likely occurs through compromised news websites carrying stories related to Hong Kong.
The attack involves a first-stage implant that gathers device information and downloads further stages, including the core LightSpy implant and various plugins for specific spying functions.
The Loader starts the chain by loading the encrypted LightSpy kernel and decrypting it. The core of LightSpy is a complex espionage framework designed to be extended through a plugin system. The Loader is also responsible for loading these plugins, each of which extends the functionality of the main LightSpy implant. Every plugin is retrieved from the threat actor’s server in encrypted form, decrypted, and only then executed on the device.
The LightSpy Core cannot run as a standalone application, since technically it is itself a plugin. At the same time, the Core is responsible for orchestrating all the functions that are crucial to the whole attack chain.
The main goals of the Core are:
- Gathering the device fingerprint
- Establishing a full connection with the control server
- Retrieving commands from the server
- Updating itself and the additional payload files, originally called plugins
The Core also exports the C2 communication function that the LightSpy plugins call from their own code. LightSpy’s command-and-control (C2) comprises several servers located in Mainland China, Hong Kong, Taiwan, Singapore, and Russia.
LightSpy Core is extremely flexible in terms of configuration: operators can precisely control the spyware through an updatable configuration. To store that configuration, commands, and plugin data, the Core creates a SQLite database named “light2.db”.
The latest LightSpy campaign utilizes a versatile framework known as “F_Warehouse.”
This framework exhibits a wide range of capabilities, enabling it to:
- Exfiltrate files: Systematically search for and steal files from the compromised mobile device.
- Record audio: Covertly capture audio through the device’s microphone.
- Perform network reconnaissance: Collect information about Wi-Fi networks the device has connected to.
- Track user activity: Harvest browsing history data to monitor online behavior.
- Inventory applications: Gather details about installed applications on the device.
- Capture images: Secretly take pictures using the device’s camera.
- Access credentials: Retrieve sensitive data stored within the user’s KeyChain.
- Enumerate devices: Identify and list devices connected to the compromised system.
LightSpy Core communicates with its C2 in two ways:
- WebSocket is used for command delivery and control; for example, the list of URLs from which plugins are fetched is delivered through the WebSocket channel.
- HTTPS is used for exfiltrating data; for example, execution logs with exceptions and exfiltrated camera shots are uploaded through the HTTPS channel.
Both channels use the same host and port.
Once communication with the C2 has been established, LightSpy sends extensive fingerprint information about the infected device, including the full device specification and cellular and Wi-Fi network information.
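The dual-channel shape described above (a WebSocket session for tasking plus HTTPS uploads for exfiltration, both to the same host and port) is something a defender can hunt for in egress logs. The following is an added example, not code from the original report; the log format and the IP addresses are constructed for illustration, and the one-megabyte upload threshold is an assumption to tune per environment.

```python
"""Flag (client, server:port) pairs that show the LightSpy C2 pattern: a WebSocket
session and HTTPS POST uploads to the same endpoint, with substantial data uploaded.
Constructed log format: timestamp, client IP, server host:port, channel kind, bytes sent."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: one client talks WebSocket and bulk-uploads to the same host:port.
SAMPLE_LOG = """\
2024-04-10T09:12:03Z 10.0.0.7 203.0.113.10:443 websocket 612
2024-04-10T09:12:09Z 10.0.0.7 203.0.113.10:443 https-post 1847233
2024-04-10T09:15:41Z 10.0.0.7 203.0.113.10:443 https-post 2221811
2024-04-10T09:16:02Z 10.0.0.7 198.51.100.5:443 https-post 2048
2024-04-10T09:17:30Z 10.0.0.9 192.0.2.44:8443 websocket 300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\S+:\d+) "
    r"(?P<kind>websocket|https-post) (?P<bytes>\d+)$"
)

def parse_log(text: str) -> List[dict]:
    """Parse the constructed format; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "bytes": int(m["bytes"])})
    return rows

def find_dual_channel_pairs(rows: List[dict], min_upload_bytes: int = 1_000_000) -> List[Tuple[str, str, int]]:
    """Return (client, server:port, HTTPS bytes uploaded) for each pair that used BOTH a
    WebSocket session and HTTPS POSTs to the same endpoint and uploaded at least
    min_upload_bytes. A lone WebSocket or a small POST on its own is not reported."""
    kinds: Dict[Tuple[str, str], set] = defaultdict(set)
    uploads: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in rows:
        key = (r["src"], r["dst"])
        kinds[key].add(r["kind"])
        if r["kind"] == "https-post":
            uploads[key] += r["bytes"]
    hits = []
    for key, seen in kinds.items():
        if {"websocket", "https-post"} <= seen and uploads[key] >= min_upload_bytes:
            hits.append((key[0], key[1], uploads[key]))
    return sorted(hits)

if __name__ == "__main__":
    for src, dst, total in find_dual_channel_pairs(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: WebSocket tasking + {total} bytes uploaded over HTTPS")
```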
The LightSpy plugins
An interesting detail is that the Core decrypts each plugin payload itself before loading it. The scheme is a single-byte XOR whose key is stored inside the encrypted payload, so the Core needs no external key material: having the payload alone is enough to complete the decryption.
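For an analyst triaging a captured plugin, this scheme is simple to undo. The following is an added example and not LightSpy’s own code: the page does not say where inside the payload the key byte sits, so `decrypt_with_embedded_key` assumes (hypothetically) that it is the first byte, while `recover_key` makes no layout assumption and instead tries all 256 keys, accepting the one that produces a Mach-O header, which is what an iOS plugin should decrypt to.

```python
"""Strip the single-byte XOR layer from a LightSpy-style plugin payload.
Key-first layout is an assumption for illustration; the brute-force path does not need it."""
import struct
from typing import Optional

# On-disk forms of the Mach-O magic values: MH_MAGIC / MH_MAGIC_64 are little-endian
# on arm64, the fat (universal) binary magic is stored big-endian.
MACHO_MAGICS = (
    struct.pack("<I", 0xFEEDFACE),  # 32-bit Mach-O
    struct.pack("<I", 0xFEEDFACF),  # 64-bit Mach-O (arm64 iOS plugins)
    struct.pack(">I", 0xCAFEBABE),  # fat / universal binary
)

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encryption and decryption are the same operation."""
    return bytes(b ^ key for b in data)

def looks_like_macho(data: bytes) -> bool:
    return data[:4] in MACHO_MAGICS

def decrypt_with_embedded_key(blob: bytes) -> bytes:
    """Assumed layout: key byte first, then the XOR-encrypted plugin body."""
    if len(blob) < 5:
        raise ValueError("blob too short to hold a key byte plus a Mach-O magic")
    return xor_bytes(blob[1:], blob[0])

def recover_key(body: bytes) -> Optional[int]:
    """Brute-force the key without trusting any layout: only the key that turns the
    first four bytes into a Mach-O magic can be the one that was used."""
    for key in range(256):
        if looks_like_macho(xor_bytes(body[:4], key)):
            return key
    return None  # not a Mach-O under any single-byte key: different scheme or not a plugin

def build_sample(key: int = 0x5A) -> bytes:
    """Constructed sample: a 64-bit Mach-O header stub XOR'd with `key`, key byte prepended."""
    # magic, cputype (CPU_TYPE_ARM64 = 0x0100000C), cpusubtype, filetype (MH_DYLIB = 6)
    header = struct.pack("<IIII", 0xFEEDFACF, 0x0100000C, 0, 6)
    return bytes([key]) + xor_bytes(header + b"\x00" * 12, key)

if __name__ == "__main__":
    blob = build_sample()
    print("embedded-key decrypt yields Mach-O:", looks_like_macho(decrypt_with_embedded_key(blob)))
    print("brute-forced key:", hex(recover_key(blob[1:])))
```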
Location module plugin
This plugin is responsible for location tracking. The operator can request the current location as a snapshot or can set up location tracking during specified time intervals. For the geofencing mode, it’s possible to configure the accuracy or power-saving mode to minimise battery consumption.
Sound recording plugin
This plugin enables the attacker to remotely capture and exfiltrate audio recordings from compromised devices, providing them with a powerful tool for eavesdropping on private conversations and the user’s immediate surroundings.
It can start microphone recording immediately on command, for a specified duration (interval). The plugin can also start microphone recording when an incoming phone call arrives.
The plugin is also capable of recording WeChat VoIP audio conversations.
The way this functionality is implemented is quite unusual: the recording is produced with the help of a native library called libwechatvoipCoMm.so.
Bill plugin
This plugin is responsible for crawling the payment history of the victim from WeChat Pay (Weixin Pay in China). Such a history will contain the last bill ID, bill type, transaction ID, date, and payment processed flag.
The plugin’s configuration specifies, for each WeChat version, the name of the WeChat web view to call.
Using IPC communication with that web view, the plugin authenticates itself to the WeChat Pay infrastructure.
As with the sound recording plugin, such communication is only possible with superuser privileges or while LightSpy is loaded into WeChat’s address space.
After successful authentication, the plugin stores CSRF tokens so that it can communicate directly with the WeChat Pay infrastructure. Using that token, the plugin performs an HTTPS request asking for the victim’s last 20 transactions. In response it receives the transaction IDs, which it then uses in further requests to the WeChat Pay system to obtain the transaction details.
Browser History Tracking:
LightSpy exhibits comprehensive browser history tracking capabilities, targeting both Safari and Google Chrome.
The extracted data is structured as follows:
- ID: Unique identifier for the history entry.
- URL: The specific web address the user visited.
- Title: The title of the visited web page.
- Time: Timestamp of the user’s last visit to the website.
This granular level of detail allows the attacker to gain a deep understanding of the victim’s online activities and interests.
LightSpy operators have exhibited a particular interest in exfiltrating data from popular messaging applications such as Telegram, QQ, and WeChat, likely aiming to intercept private communications and gather sensitive information shared within these platforms. Additionally, the malware searches for documents and media files stored on compromised devices, potentially seeking to acquire confidential documents, personal photos, and videos.
Shell Command Execution:
LightSpy’s capabilities extend beyond data exfiltration and surveillance. The malware can also download and run a plugin designed to execute shell commands received from the attacker’s malicious server. This functionality grants the threat actor the potential for full control over the victim’s device, enabling them to perform numerous actions beyond the core functions of the spyware.
Chinese Code Comments:
Further analysis of the plugin code reveals the presence of comments written in Chinese. This strongly suggests that the developers behind LightSpy are native Chinese speakers, raising concerns about the potential involvement of state-sponsored actors and the geopolitical motivations behind the campaign.
Upon entering incorrect login credentials into the LightSpy operator panel, a warning message is displayed in the Chinese language, further reinforcing the suspected origin and potential attribution of the malware’s developers.
MITRE Techniques Used
Initial Access
- Drive-by Compromise
Privilege Escalation
- Exploit OS Vulnerability
Persistence
- App Auto-Start at Device Boot
Defense Evasion
- Application Discovery
- Download New Code at Runtime
Credential Access
- Access Stored Application Data
- Capture SMS Messages
Discovery
- Application Discovery
- File and Directory Discovery
- Location Tracking
- System Information Discovery
- System Network Configuration Discovery
- System Network Connections Discovery
Collection
- Access Call Log
- Access Contact List
- Access Stored Application Data
- Capture SMS Messages
- Data from the Local System
- Location Tracking
- Network Information Discovery
Command and Control
- Alternate Network Mediums
- Uncommonly Used Port
Exfiltration
- Alternate Network Mediums
Remote Service Effects
- Remotely Track Device Without Authorization
Significant Malware Campaigns
- Full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. (March 2020)
- LightSpy is capable of payment data exfiltration from the WeChat Pay backend infrastructure. (October 2023)
- LightSpy is a sophisticated iOS implant, first reported in 2020 in connection with a watering-hole attack against Apple device users. (April 2024)