Wednesday, April 24, 2024

LightSpy APT Attacking WeChat Users to Steal Payment Data

LightSpy malware, responsible for a watering hole attack conducted against iOS users in Hong Kong, has been discovered to be embedded with Android implant Core and its 14 related plugins from 20 active servers for attacking mobile users.

LightSpy is a Mobile Advanced Persistent Threat (mAPT) that uses new and sophisticated techniques to attack mobile users. This malware has been confirmed to be attributed to the state-sponsored group APT41.

Recent reports indicate that the malware has been using WeChat payment systems to access payment data, monitor private communications, and for performing various malicious activities. 

LightSpy APT Attacking WeChat Users

According to the reports shared with Cyber Security News, LightSpy malware was a fully-featured modular surveillance toolset that was found to be using various plugins for private and payment data exfiltration. Additionally, the malware is strongly focused on the private information of the victim.

Its features include payment data exfiltration from WeChat Pay using its backend infrastructure and gaining audio-related functions from WeChat to record victims’ VOIP conversations.

However, this malware cannot run as a standalone application as it is also a plugin. Moreover, the malware’s core is responsible for performing all the functions required for the entire attack chain. 

The core functionalities include device fingerprint gathering, control server connection establishment, retrieving commands from the server and updating itself, and the additional payload files, otherwise called as plugins.

14 Plugins of LightSpy

Multiple plugins have been added to the malware which includes soft list, baseinfo, bill, cameramodule, chatfile, filemanager, locationmodule, locationBaidu, qq, shell, soundrecord, telegram, wechat, and wifi.

PLUGINVERSIONBRIEF DESCRIPTION
softlist3.3.3Exfiltrates the list of installed/running applications and active usernames using toolbox/toybox utility and superuser access
baseinfo2.3.4Exfiltrates contact list, call history, and SMS messages. Can send and delete SMS messages by the command
bill1.2.18Exfiltrates payment history from WeChat Pay
cameramodule2.6.1Takes camera shots. Can do one shot, continuous shot, or some event-related shot (for instance phone call)
chatfile1.3.4Exfiltrates data from different messengers’ folders
filemanager3.0.5File exfiltration plugin
locationmodule2.6.5Precision location tracking plugin
locationBaidu2.6.6Another location-tracking plugin using different frameworks and Android native APIs
qq5.1.71Tencent QQ messenger database parsing and exfiltration plugin
shell2.2.4Remote shell plugin
soundrecord2.7.4Sound recording plugin: environment, calls, VOIP calls audio exfiltration
telegram7.3.221Telegram messenger data exfiltration plugin
wechat6.7.271WeChat data exfiltration plugin
wifi2.3.3Wi-Fi network data exfiltration plugin

Source: ThreatFabric

One of the most important plugins, as mentioned in the report, was the location module plugin, which was responsible for location tracking that can send a snapshot of the current location or can set up location tracking with specified time intervals. This plugin is based on two location-tracking frameworks: Tencent location SDK and Baidu location SDK.

Another important plugin was the Soundrecord plugin, which is responsible for recording audio. This plugin can also start the microphone recording immediately or at specified intervals. Moreover, this plugin can also record incoming phone calls. 

Bill plugin is another important plugin that is responsible for gathering information about the payment history of the victim from WeChat Pay (Weixin Pay in China), which includes the last bill ID, bill type, transaction ID, date, and flag of the payment processed.

ANDROID PLUGIN SETIOS PLUGIN SET
baseinfobaseinfoaaa.dylib
filemanagerFileManage
qqios_qq
telegramios_telegram
wechatios_wechat
shellShellCommandaaa
softlistSoftInfoaaa
wifiWifiList
locationmodulelocationaaa.dylib
locationBaiduN/A
soundrecordEnvironmentalRecording
billlight
cameramoduleScreenaaa
chatfilelaunchctl
N/Airc_loader
N/Aircbin.plist
N/AKeyChain
N/Abrowser

Relationship between iOS and Android commands (Source: ThreatFabric)

A complete report about LightSpy has been published by ThreatFabric, which provides detailed information about the threat vector, source code, analysis, and other information. 

Indicators of Compromise

Control servers:

DOMAINS

spaceskd[.]com

IPs

103.27.108[.]207

46.17.43[.]74

File hashes:

Second stage payload (smalmload.jar)

SHA256

407abddf78d0b802dd0b8e733aee3eb2a51f7ae116ae9428d554313f12108a4c

bd6ec04d41a5da66d23533e586c939eece483e9b105bd378053e6073df50ba99

The Core

SHA256VERSION
68252b005bbd70e30f3bb4ca816ed09b87778b5ba1207de0abe41c24ce6445416.5.24
5f93a19988cd87775ad0822a35da98d1abcc36142fd63f140d488b30045bdc006.5.24
bdcc5fc529e12ecb465088b0a975bd3a97c29791b4e55ee3023fa4f6db1669dc6.5.25
9da5c381c28e0b2c0c0ff9a6ffcd9208f060537c3b6c1a086abe2903e85f6fdd6.2.1
a01896bf0c39189bdb24f64a50a9c608039a50b068a41ebf2d49868cc709cdd36.5.19
77f0fc4271b1b9a42cd6949d3a6060d912b6b53266e9af96581a2e78d7beb87b6.2.0
d640ad3e0a224536e58d771fe907a37be1a90ad26bf0dc77d7df86d7a6f7ca0e6.2.1
3849adc161d699edaca161d5b6335dfb7e5005056679907618d5e74b9f78792f6.2.6
2282c6caef2dd5accc1166615684ef2345cf7615fe27bea97944445ac48d5ce45.2.1

The Plugins

Plugin nameSHA256
softlist7d17cdc012f3c2067330fb200811a7a300359c2ad89cdcf1092491fbf5a5a112
baseinfocc6a95d3e01312ca57304dc8cd966d461ef3195aab30c325bee8e5b39b78ae89
billc6ccd599c6122b894839e12d080062de0fa59c4cd854b255e088d22e11433ef6
cameramodulebace120bf24d8c6cfbb2c8bfeed1365112297740e2a71a02ea2877f5ffc6b325
chatfile7d8a08af719f87425d1643d59979d4a3ef86a5fc81d1f06cfa2fd8c18aeb766b
filemanagere5bdeedac2c5a3e53c1fdc07d652c5d7c9b346bcf86fc7184c88603ff2180546
locationmodulebf338e548c26f3001f8ad2739e2978586f757777f902e5c4ab471467fd6d1c04
locationBaidu177e52c37a4ff83cd2e5a24ff87870b3e82911436a33290135f49356b8ee0eb1
qqf32fa0db00388ce4fed4e829b17e0b06ae63dc0d0fac3f457b0f4915608ac3b5
shelle1152fe2c3f4573f9b27ca6da4c72ee84029b437747ef3091faa5a4a4b9296be
soundrecordc0c7b902a30e5a3a788f3ba85217250735aaaf125a152a32ee603469e2dfb39e
telegram71d676480ec51c7e09d9c0f2accb1bdce34e16e929625c2c8a0483b9629a1486
wechatbcb31d308ba9d6a8dbaf8b538cee4085d3ef37c5cb19bf7e7bed3728cb132ec1
wifi446506fa7f7dc66568af4ab03e273ff25ee1dc59d0440086c1075d030fe72b11

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Website

Latest articles

Phishing Attacks Rise By 58% As The Attackers Leverage AI Tools

AI-powered generative tools have supercharged phishing threats, so even newbie attackers can effortlessly create...

Multiple MySQL2 Flaw Let Attackers Arbitrary Code Remotely

The widely used MySQL2 has been discovered to have three critical vulnerabilities: remote Code...

CoralRaider Hacker Evade Antivirus Detections Using Malicious LNK File

This campaign is observed to be targeting multiple countries, including the U.S., Nigeria, Germany,...

Spyroid RAT Attacking Android Users to Steal Confidential Data

A new type of Remote Access Trojan (RAT) named Spyroid has been identified.This...

Researchers Uncover that UK.GOV Websites Sending Data to Chinese Ad Vendor Analysts

Analysts from Silent Push, a data analytics firm, have uncovered several UK government websites...

Ransomware Victims Who Opt To Pay Ransom Hits Record Low

Law enforcement operations disrupted BlackCat and LockBit RaaS operations, including sanctions on LockBit members...

IBM Nearing Talks to Acquire Cloud-software Provider HashiCorp

IBM is reportedly close to finalizing negotiations to acquire HashiCorp, a prominent cloud infrastructure...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

WAAP/WAF ROI Analysis

Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles