Security
Headlines
HeadlinesLatestCVEs

Headline

New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up. "While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ

The Hacker News
#web#ios#mac#apple#webkit#sap#wifi#The Hacker News

Spyware / Mobile Security

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up.

“While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ significantly due to platform differences,” ThreatFabric said in an analysis published this week.

LightSpy, first documented in 2020 as targeting users in Hong Kong, is a modular implant that employs a plugin-based architecture to augment its capabilities and allow it to capture a wide range of sensitive information from an infected device.

Attack chains distributing the malware leverage known security flaws in Apple iOS and macOS to trigger a WebKit exploit that drops a file with the extension “.PNG,” but is actually a Mach-O binary responsible for retrieving next-stage payloads from a remote server by abusing a memory corruption flaw tracked as CVE-2020-3837.

This includes a component dubbed FrameworkLoader that, in turn, downloads LightSpy’s Core module and its assorted plugins, which have gone up significantly from 12 to 28 in the latest version (7.9.0).

“After the Core starts up, it will perform an Internet connectivity check using Baidu.com domain, and then it will check the arguments that were passed from FrameworkLoader as the [command-and-control] data and working directory,” the Dutch security company said.

“Using the working directory path /var/containers/Bundle/AppleAppLit/, the Core will create subfolders for logs, database, and exfiltrated data.”

The plugins can capture a wide range of data, including Wi-Fi network information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, and SMS messages, as well as gather information from apps like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.

Some of the newly added plugins also boast destructive features that can delete media files, SMS messages, Wi-Fi network configuration profiles, contacts, and browser history, and even freeze the device and prevent it from starting again. Furthermore, LightSpy plugins can generate fake push notifications containing a specific URL.

The exact distribution vehicle for the spyware is unclear, although it’s believed to be orchestrated via watering hole attacks. The campaigns have not been attributed to a known threat actor or group to date.

However, there is some evidence that the operators are likely based in China owing to the fact that the location plugin “recalculates location coordinates according to a system used exclusively in China.” It’s worth noting that Chinese map service providers follow a coordinate system called GCJ-02.

“The LightSpy iOS case highlights the importance of keeping systems up to date,” ThreatFabric said. “The threat actors behind LightSpy closely monitor publications from security researchers, reusing newly disclosed exploits to deliver payloads and escalate privileges on affected devices.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

Hermit spyware is deployed with the help of a victim’s ISP

A new commercial spyware for governments, called Hermit, has spotted in the wild. It affects iOS and all Android versions. The post Hermit spyware is deployed with the help of a victim’s ISP appeared first on Malwarebytes Labs.

CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to add a Linux vulnerability dubbed PwnKit to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The issue, tracked as CVE-2021-4034 (CVSS score: 7.8), came to light in January 2022 and concerns a case of local privilege escalation in polkit's pkexec utility, which allows an

ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google

By Deeba Ahmed According to Google, Italian spyware provider RCS Labs received support from several Internet Service Providers (ISPs) to distribute… This is a post from HackRead.com Read the original post: ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat

Google Warns Spyware Being Deployed Against Android, iOS Users

The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.