Banking security firm ThreatFabric has found evidence that LightSpy, an iPhone spyware discovered in 2020, is more sophisticated than previously reported and could be linked to the infamous Chinese-sponsored threat group APT41.
During the investigation, ThreatFabric researchers discovered new features in the LightSpy malware. The spyware was first used in a watering hole attack against iOS users in Hong Kong in January 2020.
These new features include 14 plugins responsible for private data exfiltration and a core implant that supports 24 commands, including the ability to gather device fingerprints, establish a full connection with the threat actor’s command-and-control (C2) server, and retrieve orders from the server.
What Is LightSpy Spyware?
Three of the 14 LightSpy plugins were of particular significance to the researchers. These are:
- Location module plugin, responsible for tracking the user's current location via snapshots taken at specific time intervals.
- Sound record plugin, which can start a microphone recording, even during incoming phone calls. Furthermore, the plugin can record WeChat VoIP audio conversations using a native library called libwechatvoipCoMm[dot]so.
- Bill plugin, responsible for stealing the payment history of WeChat Pay, which includes the last bill ID, bill type, transaction ID, date, and payment processing flag.
These findings led the ThreatFabric researchers to conclude that LightSpy was linked to DragonEgg, an Android spyware implant discovered by Lookout in July 2023 and attributed to the Chinese cyber espionage group APT41.
This is the first time there has been a connection observed between LightSpy and APT41.
It was also discovered that LightSpy’s infrastructure contains dozens of servers in mainland China, Hong Kong, Taiwan, Singapore and Russia. The group’s primary targets are estimated to be located in the Asia-Pacific region.