LightSpy [1] [2] [3] [5] [6] [7], a mobile surveillance toolkit first discovered in 2020, has recently been found to be more sophisticated than originally reported [5] [6]. It is attributed to the Chinese state-sponsored threat group APT41 [3] [5] [6], also known as Wicked Panda [7], which has a history of deploying surveillance malware for both iOS and Android devices [7].

Description

LightSpy [1] [2] [3] [5] [6] [7], an iPhone spyware [5] [6], was first observed in a watering-hole attack against iOS users in Hong Kong as part of the 2020 campaign known as Operation Poisoned News. It is attributed to APT41 and is linked to DragonEgg [6], an Android spyware implant also attributed to that group [5] [6]. LightSpy is modular: a core implant handles command processing, and a set of plugins collects and exfiltrates data. Its infrastructure includes servers in China [5] [6], Hong Kong [1] [2] [3] [4] [5] [6] [7], Taiwan [1] [2] [4] [5] [6], Singapore [1] [2] [5] [6] [7], and Russia [1] [2] [5] [6] [7], and its primary targets are in the Asia-Pacific region [5] [6] [7]. Another spyware, WyrmSpy [1] [5] [6] [7], reportedly shares the same infrastructure and may be a successor to LightSpy.

APT41 [1] [2] [3] [4] [5] [6] [7], active since at least 2012 and alleged to have ties to the Chinese Ministry of State Security [5], conducts both state-sponsored cyber espionage and financially motivated cybercrime [5]. The group has recently invested in malware built specifically for mobile operating systems [7]. The C2 path [7], configuration pattern [1] [2] [7], and runtime structure of LightSpy, DragonEgg [1] [2] [5] [6] [7], and WyrmSpy are similar enough to suggest a shared code base.

On Android, DragonEgg is delivered as a trojanized Telegram app that downloads a second-stage payload [1] [2], which in turn downloads a third component called Core [1] [2]. The implant has been actively maintained since at least December 2018 [1] [2], with the most recent version observed in July 2023 [1] [2]. LightSpy's core module acts as an orchestrator: it gathers a device fingerprint [1] [2], establishes contact with the remote server [1] [2], waits for instructions [1], and updates itself and its plugins [1] [2]. The spyware is highly configurable [1]; commands are delivered over WebSocket, and collected data is exfiltrated over HTTPS [1]. Notable plugins include location tracking [1], audio capture [1], and payment-history collection [1]. Against WeChat users, LightSpy harvests WeChat Pay payment data [3] and eavesdrops on private conversations [3], among other data collected from the app [3].
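The split described above, a WebSocket channel for commands and HTTPS uploads for exfiltration, is a pattern a defender can hunt for in egress logs even without indicators for a specific sample. The following is an added example, not code from the cited reports or from the malware itself: it correlates, per client and destination host, a WebSocket handshake followed by large HTTPS POSTs to the same host. The log format, field names, hostnames, addresses and byte volumes are all constructed for the example.

```python
# Added example: hunting the two-channel C2 pattern (WebSocket for commands,
# HTTPS POST for data upload) in proxy logs. Log format and values are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProxyEvent:
    ts: int                 # epoch seconds
    client: str             # internal client address
    host: str               # destination host
    scheme: str             # "http" or "https"
    method: str             # HTTP method
    upgrade: Optional[str]  # Upgrade request header, None when absent
    req_bytes: int          # request body bytes sent by the client


# Constructed proxy log, pipe-separated: ts|client|host|scheme|method|upgrade|req_bytes
# "-" in the upgrade column means the header was absent.
SAMPLE_LOG = """\
1700000000|10.0.0.21|cdn.example-legit.test|https|GET|-|0
1700000010|10.0.0.21|203.0.113.10|http|GET|websocket|0
1700000300|10.0.0.21|203.0.113.10|https|POST|-|48211
1700000600|10.0.0.21|203.0.113.10|https|POST|-|731044
1700000020|10.0.0.22|chat.example-legit.test|https|GET|websocket|0
1700000500|10.0.0.22|chat.example-legit.test|https|POST|-|1200
1700001000|10.0.0.23|203.0.113.10|https|POST|-|90000
"""


def parse_log(text: str) -> List[ProxyEvent]:
    """Parse the constructed pipe-separated format into ProxyEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, host, scheme, method, upgrade, nbytes = line.split("|")
        events.append(ProxyEvent(int(ts), client, host, scheme, method,
                                 None if upgrade == "-" else upgrade.lower(),
                                 int(nbytes)))
    return events


def find_dual_channel(events: List[ProxyEvent], window: int = 3600,
                      min_upload: int = 50_000) -> Dict[Tuple[str, str], int]:
    """Return {(client, host): uploaded_bytes} for client/host pairs where the
    client opened a WebSocket to the host and then, within `window` seconds of
    that handshake, POSTed at least `min_upload` bytes over HTTPS to the same host.

    Correlating both channels to one destination and requiring a meaningful
    upload volume is what separates this from ordinary chat or push traffic,
    which also keeps WebSockets open but rarely uploads much.
    """
    events = sorted(events, key=lambda e: e.ts)
    ws_opened: Dict[Tuple[str, str], int] = {}      # pair -> ts of first handshake
    uploads: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        key = (e.client, e.host)
        if e.method == "GET" and e.upgrade == "websocket":
            ws_opened.setdefault(key, e.ts)
        elif (e.scheme == "https" and e.method == "POST"
              and key in ws_opened and 0 <= e.ts - ws_opened[key] <= window):
            uploads[key] += e.req_bytes
    return {k: v for k, v in uploads.items() if v >= min_upload}


if __name__ == "__main__":
    for (client, host), total in find_dual_channel(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: WebSocket channel plus {total} bytes uploaded over HTTPS")
```

In the constructed log, only 10.0.0.21 is flagged: 10.0.0.22 opens a WebSocket to a chat service but uploads little, and 10.0.0.23 uploads to the suspect host without a command channel. The thresholds are starting points, not indicators; on real traffic, baseline legitimate WebSocket users first, and note that this only works where mobile devices egress through a proxy or gateway that records the Upgrade header.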

Conclusion

APT41 [1] [2] [3] [4] [5] [6] [7], also tracked as WICKED PANDA, DOUBLE DRAGON, WICKED SPIDER and WINNTI GROUP [4], is a Chinese state-sponsored threat group that has targeted a wide range of industries [4], including the gaming sector [4]. It has since expanded well beyond gaming and has set up front companies in the computer and technology sector [4]. The group operates on behalf of the Chinese state by day and conducts financially motivated intrusions by night [4]. Its targets have included vaccine development and healthcare institutes, non-profit organizations [4], and high-profile Chinese targets [4]. Despite US indictments [4], APT41's activity has continued [4], with recent targeting of universities in Taiwan and Hong Kong [4]. The group has used custom malware and compromised databases to exfiltrate personally identifiable information [4]. The practical implication of LightSpy is that mobile devices need the same scrutiny as desktops: sideloaded or trojanized messaging apps, persistent WebSocket connections to unfamiliar infrastructure, and unexplained HTTPS uploads from a phone are the observable traces of the activity described above.

References

[1] https://www.redpacketsecurity.com/researchers-link-dragonegg-android-spyware-to-lightspy-ios-surveillanceware/
[2] https://flyytech.com/2023/10/04/researchers-link-dragonegg-android-spyware-to-lightspy-ios-surveillanceware/
[3] https://securnerd.com/state-sponsored-lightspy-malware-targets-wechat-users-for-payment-data-theft/
[4] https://intrusiontruth.wordpress.com/2022/07/20/apt41/
[5] https://www.infosecurity-magazine.com/news/lightspy-iphone-spyware-linked/
[6] https://osintcorp.net/lightspy-iphone-spyware-linked-to-chinese-apt41-group/
[7] https://ciso2ciso.com/chinese-apt-actors-target-wechat-users-source-www-databreachtoday-com/