Pierluigi Paganini
May 30, 2024
Researchers from ThreatFabric discovered a macOS version of the LightSpy spyware that has been active in the wild since at least January 2024.
ThreatFabric observed threat actors using two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deliver macOS implants. The experts noticed that a portion of the CVE-2018-4404 exploit is likely borrowed from the Metasploit framework.
The macOS version of LightSpy supports 10 plugins to exfiltrate private information from devices.
LightSpy is a modular spyware that has resurfaced after several months of inactivity, the new version supports a modular framework with extensive spying capabilities.
LightSpy can steal files from multiple popular applications like Telegram, QQ, and WeChat, as well as personal documents and media stored on the device. It can also record audio and harvest a wide array of data, including browser history, WiFi connection lists, installed application details, and even images captured by the device’s camera. The malware also grants attackers access to the device’s system, enabling them to retrieve user KeyChain data, device lists, and execute shell commands, potentially gaining full control over the device.
The researchers reported that starting from January 11, 2024, several URLs containing the number “96382741” were uploaded to VirusTotal. These URLs pointed to HTML and JavaScript files published on GitHub, which were related to the CVE-2018-4233 vulnerability. The flaw resides in WebKit and impacts macOS version 10.13.3 and iOS versions before 11.4. The researchers noticed that the number “96382741” was previously used as a path name for hosting LightSpy malware files for both Android and iOS.
“The starting point threat actor group used the same approach as for iOS implant distribution: triggering WebKit vulnerability inside Safari to perform unprivileged arbitrary code execution. For macOS, attackers used CVE-2018-4233 exploit, whose source code was published on the 18th of August 2018.” reads the analysis published by ThreatFabric. “Since the vulnerability affected both iOS and macOS WebKits, both iOS and macOS implants might have been delivered in the same way for some time. The difference was in lateral local privilege escalation, which is OS-specific.”
The plugins for the macOS version are different from those for other platforms, reflecting the architecture of the target systems. Notably, the desktop version has fewer exfiltration functions compared to the mobile version.
On March 21, 2024, the panel content first appeared on VirusTotal, displayed as a web page background. The next day, the panel URL was also found on VirusTotal, it was associated with Android LightSpy. Initial analysis revealed that the panel’s code had a critical mistake: it checked for authorization only after loading all scripts, briefly displaying the authenticated view to unauthorized users.
“However, in the top right corner of the window, there was a button labeled “Remote control platform,” pointing to another panel on the same control server. Due to catastrophic misconfiguration, we were able to access this panel, and anyone could do the same by accessing the top-level panel.” continues the report. “This panel contained comprehensive information about victims, fully correlating with all the exfiltration data provided in the technical analysis section of this report.”
“It became evident that regardless of the targeted platform, the threat actor group focused on intercepting victim communications, such as messenger conversations and voice recordings. For macOS, a specialised plugin was designed for network discovery, aiming to identify devices in proximity to the victim.” concludes the report. “Despite our findings, some aspects of the LightSpy puzzle remain elusive. There is no evidence confirming the existence of implants for Linux and routers, nor is there information on how they might be delivered. However, their potential functionality is known based on panel analysis.”
The researchers also provided indicators of compromise (IoC), for this version of the spyware.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
