Saturday, December 7, 2024

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins


The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices. The malware’s core binaries were even signed with the same certificate used in jailbreak kits, indicating deep integration.

The C2 servers, active until October 26, 2022, hosted outdated malware, possibly for demonstration purposes but not as MaaS.

The iOS and macOS versions, while sharing core functions, differed in post-exploitation and privilege escalation techniques due to platform variations.

attack chain

The attack chain used CVE-2020-9802, which was fixed in iOS 13.5, to gain access to the target device, but the threat actor bypassed CVE-2020-9870 and CVE-2020-9910, which were patched in iOS 13.6.


By deploying a Mach-O binary executable, the exploit took advantage of a vulnerability known as CVE-2020-3837, which ultimately led to a jailbreak.

The jailbroken device downloaded and executed the FrameworkLoader, which further downloaded and executed the LightSpy Core and plugins, while the Core established communication with the C2 server for further malicious activities.

GitHub jailbreak kit project

LightSpy iOS Implant is a multi-part archive containing a core library (LightSpy Core) and multiple plugins, which relies on jailbreak functionalities and communicates with the C2 server.

The implant handles network communication, database access, and archive extraction through a variety of libraries.

After establishing a C2 connection, LightSpy Core parses its configuration and distributes tasks to plugins. The Core itself can play sounds and uses a network stack to communicate with plugins.

It offers various plugins for data exfiltration (contacts, messages, app data), location tracking, screen capturing, and even destructive actions like disabling boot up or deleting files.

signcert.p12 thumbprint

The threat actors utilized self-signed certificates to establish infrastructure on IP address 103.27.109.217.

Open-source intelligence revealed multiple servers sharing this certificate. By sending GET requests to specific IP addresses and ports, researchers identified servers connected to the iOS campaign.

Threat Fabric’s investigation uncovered five key IP addresses associated with the campaign, two of which hosted administration panels.

only 222.219.183[.]84 had a working panel

Analysis of source code file paths within the downloaded binaries suggests that at least three developers worked on the LightSpy iOS project: two focused on plugin development and a lead developer responsible for the Core and privilege escalation components.

Xcode automatically inserts user and organization names into header files, which helped identify these developers.

File path variations within the same user account suggest possible use of multiple machines by the same developer.
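The path-based clustering described above can be sketched as follows. This is an added example, not ThreatFabric's tooling; the account names, file names, and sample bytes are constructed for illustration.

```python
import re
from collections import defaultdict

# Printable-ASCII runs of 6+ bytes, as the `strings` utility would report them.
_STRINGS = re.compile(rb"[\x20-\x7e]{6,}")
# macOS build path left in a binary: /Users/<account>/<dirs>/<source file>
_BUILD_PATH = re.compile(
    r"/Users/([^/\s]+)/((?:[^/\s]+/)*)([^/\s]+\.(?:mm|m|h|cpp|c|swift))\b")

def build_paths(blob):
    """Yield (account, directory, filename) for each source path embedded in blob."""
    for run in _STRINGS.findall(blob):
        for m in _BUILD_PATH.finditer(run.decode("ascii")):
            yield m.group(1), m.group(2).rstrip("/"), m.group(3)

def cluster_developers(binaries):
    """Map account -> binaries it appears in and the directories seen per source file."""
    report = defaultdict(lambda: {"binaries": set(), "dirs_by_file": defaultdict(set)})
    for name, blob in binaries.items():
        for account, directory, filename in build_paths(blob):
            report[account]["binaries"].add(name)
            report[account]["dirs_by_file"][filename].add(directory)
    return report

def path_variations(report):
    """Accounts whose same source file was built from more than one directory,
    a hint that one developer account was used on several machines or checkouts."""
    out = {}
    for account, info in report.items():
        varied = {f: sorted(d) for f, d in info["dirs_by_file"].items() if len(d) > 1}
        if varied:
            out[account] = varied
    return out

# Constructed sample "binaries": raw bytes with embedded build paths (hypothetical names).
SAMPLES = {
    "core.dylib": b"\x00\xfe/Users/dev_a/Desktop/implant/core/Main.m\x00\x01\x02"
                  b"/Users/dev_a/Desktop/implant/core/Net.m\x00",
    "escalate": b"\x00/Users/dev_a/Documents/git/implant/core/Net.m\x00",
    "plugin_one.dylib": b"\xca\xfe/Users/dev_b/work/plugins/one/Plugin.m\x00",
    "plugin_two.dylib": b"\x00/Users/dev_c/src/plugins/two/Plugin.m\x00\x7f"
                        b"/Users/dev_c/src/plugins/two/Util.m",
}

if __name__ == "__main__":
    report = cluster_developers(SAMPLES)
    for account in sorted(report):
        print(account, sorted(report[account]["binaries"]))
    print(path_variations(report))
```
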

The LightSpy iOS case reveals a sophisticated threat actor leveraging zero-day and one-day exploits to compromise devices, particularly those hindered by regional restrictions.

The attackers employ destructive capabilities to erase traces and demonstrate their tool’s potential, while the discovery of a location plugin tied to a Chinese-specific system strongly suggests Chinese origins.

To mitigate risks, users are advised to keep devices updated, reboot regularly to disrupt persistent attacks, and exercise caution in regions with restricted software updates.
