Saturday, November 16, 2024
Homecyber securityLightSpy APT Attacking WeChat Users to Steal Payment Data

LightSpy APT Attacking WeChat Users to Steal Payment Data

Published on

LightSpy malware, responsible for a watering hole attack conducted against iOS users in Hong Kong, has been discovered to be embedded with Android implant Core and its 14 related plugins from 20 active servers for attacking mobile users.

LightSpy is a Mobile Advanced Persistent Threat (mAPT) that uses new and sophisticated techniques to attack mobile users. This malware has been confirmed to be attributed to the state-sponsored group APT41.

Recent reports indicate that the malware has been using WeChat payment systems to access payment data, monitor private communications, and for performing various malicious activities. 

- Advertisement - SIEM as a Service

LightSpy APT Attacking WeChat Users

According to the reports shared with Cyber Security News, LightSpy malware was a fully-featured modular surveillance toolset that was found to be using various plugins for private and payment data exfiltration. Additionally, the malware is strongly focused on the private information of the victim.

Its features include payment data exfiltration from WeChat Pay using its backend infrastructure and gaining audio-related functions from WeChat to record victims’ VOIP conversations.

However, this malware cannot run as a standalone application as it is also a plugin. Moreover, the malware’s core is responsible for performing all the functions required for the entire attack chain. 

The core functionalities include device fingerprint gathering, control server connection establishment, retrieving commands from the server and updating itself, and the additional payload files, otherwise called as plugins.

14 Plugins of LightSpy

Multiple plugins have been added to the malware which includes soft list, baseinfo, bill, cameramodule, chatfile, filemanager, locationmodule, locationBaidu, qq, shell, soundrecord, telegram, wechat, and wifi.

PLUGINVERSIONBRIEF DESCRIPTION
softlist3.3.3Exfiltrates the list of installed/running applications and active usernames using toolbox/toybox utility and superuser access
baseinfo2.3.4Exfiltrates contact list, call history, and SMS messages. Can send and delete SMS messages by the command
bill1.2.18Exfiltrates payment history from WeChat Pay
cameramodule2.6.1Takes camera shots. Can do one shot, continuous shot, or some event-related shot (for instance phone call)
chatfile1.3.4Exfiltrates data from different messengers’ folders
filemanager3.0.5File exfiltration plugin
locationmodule2.6.5Precision location tracking plugin
locationBaidu2.6.6Another location-tracking plugin using different frameworks and Android native APIs
qq5.1.71Tencent QQ messenger database parsing and exfiltration plugin
shell2.2.4Remote shell plugin
soundrecord2.7.4Sound recording plugin: environment, calls, VOIP calls audio exfiltration
telegram7.3.221Telegram messenger data exfiltration plugin
wechat6.7.271WeChat data exfiltration plugin
wifi2.3.3Wi-Fi network data exfiltration plugin

Source: ThreatFabric

One of the most important plugins, as mentioned in the report, was the location module plugin, which was responsible for location tracking that can send a snapshot of the current location or can set up location tracking with specified time intervals. This plugin is based on two location-tracking frameworks: Tencent location SDK and Baidu location SDK.

Another important plugin was the Soundrecord plugin, which is responsible for recording audio. This plugin can also start the microphone recording immediately or at specified intervals. Moreover, this plugin can also record incoming phone calls. 

Bill plugin is another important plugin that is responsible for gathering information about the payment history of the victim from WeChat Pay (Weixin Pay in China), which includes the last bill ID, bill type, transaction ID, date, and flag of the payment processed.

ANDROID PLUGIN SETIOS PLUGIN SET
baseinfobaseinfoaaa.dylib
filemanagerFileManage
qqios_qq
telegramios_telegram
wechatios_wechat
shellShellCommandaaa
softlistSoftInfoaaa
wifiWifiList
locationmodulelocationaaa.dylib
locationBaiduN/A
soundrecordEnvironmentalRecording
billlight
cameramoduleScreenaaa
chatfilelaunchctl
N/Airc_loader
N/Aircbin.plist
N/AKeyChain
N/Abrowser

Relationship between iOS and Android commands (Source: ThreatFabric)

A complete report about LightSpy has been published by ThreatFabric, which provides detailed information about the threat vector, source code, analysis, and other information. 

Indicators of Compromise

Control servers:

DOMAINS

spaceskd[.]com

IPs

103.27.108[.]207

46.17.43[.]74

File hashes:

Second stage payload (smalmload.jar)

SHA256

407abddf78d0b802dd0b8e733aee3eb2a51f7ae116ae9428d554313f12108a4c

bd6ec04d41a5da66d23533e586c939eece483e9b105bd378053e6073df50ba99

The Core

SHA256VERSION
68252b005bbd70e30f3bb4ca816ed09b87778b5ba1207de0abe41c24ce6445416.5.24
5f93a19988cd87775ad0822a35da98d1abcc36142fd63f140d488b30045bdc006.5.24
bdcc5fc529e12ecb465088b0a975bd3a97c29791b4e55ee3023fa4f6db1669dc6.5.25
9da5c381c28e0b2c0c0ff9a6ffcd9208f060537c3b6c1a086abe2903e85f6fdd6.2.1
a01896bf0c39189bdb24f64a50a9c608039a50b068a41ebf2d49868cc709cdd36.5.19
77f0fc4271b1b9a42cd6949d3a6060d912b6b53266e9af96581a2e78d7beb87b6.2.0
d640ad3e0a224536e58d771fe907a37be1a90ad26bf0dc77d7df86d7a6f7ca0e6.2.1
3849adc161d699edaca161d5b6335dfb7e5005056679907618d5e74b9f78792f6.2.6
2282c6caef2dd5accc1166615684ef2345cf7615fe27bea97944445ac48d5ce45.2.1

The Plugins

Plugin nameSHA256
softlist7d17cdc012f3c2067330fb200811a7a300359c2ad89cdcf1092491fbf5a5a112
baseinfocc6a95d3e01312ca57304dc8cd966d461ef3195aab30c325bee8e5b39b78ae89
billc6ccd599c6122b894839e12d080062de0fa59c4cd854b255e088d22e11433ef6
cameramodulebace120bf24d8c6cfbb2c8bfeed1365112297740e2a71a02ea2877f5ffc6b325
chatfile7d8a08af719f87425d1643d59979d4a3ef86a5fc81d1f06cfa2fd8c18aeb766b
filemanagere5bdeedac2c5a3e53c1fdc07d652c5d7c9b346bcf86fc7184c88603ff2180546
locationmodulebf338e548c26f3001f8ad2739e2978586f757777f902e5c4ab471467fd6d1c04
locationBaidu177e52c37a4ff83cd2e5a24ff87870b3e82911436a33290135f49356b8ee0eb1
qqf32fa0db00388ce4fed4e829b17e0b06ae63dc0d0fac3f457b0f4915608ac3b5
shelle1152fe2c3f4573f9b27ca6da4c72ee84029b437747ef3091faa5a4a4b9296be
soundrecordc0c7b902a30e5a3a788f3ba85217250735aaaf125a152a32ee603469e2dfb39e
telegram71d676480ec51c7e09d9c0f2accb1bdce34e16e929625c2c8a0483b9629a1486
wechatbcb31d308ba9d6a8dbaf8b538cee4085d3ef37c5cb19bf7e7bed3728cb132ec1
wifi446506fa7f7dc66568af4ab03e273ff25ee1dc59d0440086c1075d030fe72b11

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...