Cyber Security News

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices. The malware’s core binaries were even signed with the same certificate used in jailbreak kits, indicating deep integration.

The C2 servers, active until October 26, 2022, hosted outdated malware, possibly for demonstration purposes but not as MaaS.

The iOS and macOS versions, while sharing core functions, differed in post-exploitation and privilege escalation techniques due to platform variations.

attack chain

It exploited the CVE-2020-9802 vulnerability to gain access to the target device, which was fixed in iOS 13.5, but the threat actor bypassed CVE-2020-9870 and CVE-2020-9910, which were patched in iOS 13.6.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

By deploying a Mach-O binary executable, the exploit took advantage of a vulnerability known as CVE-2020-3837, which ultimately led to a jailbreak.

The jailbroken device downloaded and executed the FrameworkLoader, which further downloaded and executed the LightSpy Core and plugins, while the Core established communication with the C2 server for further malicious activities.

GitHub jailbreak kit project

LightSpy iOS Implant is a multi-part archive containing a core library (LightSpy Core) and multiple plugins, which relies on jailbreak functionalities and communicates with the C2 server.

The network communication, database access, and archive extraction are all accomplished through the utilization of a variety of libraries.

After establishing a C2 connection, LightSpy Core parses configuration and distributes tasks to plugins, where the Core itself can play sounds and utilizes a network stack to communicate with plugins.

It offers various plugins for data exfiltration (contacts, messages, app data), location tracking, screen capturing, and even destructive actions like disabling boot up or deleting files.

signcert.p12 thumbprint

The threat actors utilized self-signed certificates to establish infrastructure on IP address 103.27.109.217.

Open-source intelligence revealed multiple servers sharing this certificate. By sending GET requests to specific IP addresses and ports, researchers identified servers connected to the iOS campaign.

Threat Fabric’s investigation uncovered five key IP addresses associated with the campaign, two of which hosted administration panels.

only 222.219.183[.]84 had a working panel

While analysis based on source code file paths within the downloaded binaries suggests at least three developers worked on the LightSpy iOS project: two focused on plugin development and a lead developer responsible for the Core and privilege escalation components.

Xcode automatically inserts user and organization names into header files, which helped identify these developers.

File path variations within the same user account suggest possible use of multiple machines by the same developer.

The LightSpy iOS case reveals a sophisticated threat actor leveraging zero-day and one-day exploits to compromise devices, particularly those hindered by regional restrictions.

The attackers employ destructive capabilities to erase traces and demonstrate their tool’s potential, while the discovery of a location plugin tied to a Chinese-specific system strongly suggests Chinese origins.

To mitigate risks, users are advised to keep devices updated, reboot regularly to disrupt persistent attacks, and exercise caution in regions with restricted software updates.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra

Recent Posts

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker forums…

15 hours ago

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could allow…

16 hours ago

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit PDF…

18 hours ago

Windows 11 Privilege Escalation Vulnerability Lets Attackers Execute Code to Gain Access

Microsoft has swiftly addressed a critical security vulnerability affecting Windows 11 (version 23H2), which could…

18 hours ago

NetWalker Ransomware Operator Sentenced to 20 Years in Prison

A Romanian man has been sentenced to 20 years in prison for his involvement in…

19 hours ago

CISA Warns of BeyondTrust Privileged Remote Access Exploited in Wild

 The Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm over a critical vulnerability…

19 hours ago