Cybersecurity researchers have uncovered a “new wave” of cyber espionage targeting South Asian users with the goal of deploying an Apple iOS spyware implant called LightSpy.
“The latest version of LightSpy, dubbed ‘F_Warehouse,’ features a modular framework with extensive spying capabilities,” BlackBerry’s Threat Research and Intelligence team said in a report published last week.
There is evidence that the campaign may be targeting India, based on submissions to VirusTotal from within the country.
First documented in 2020 by Trend Micro and Kaspersky, LightSpy refers to an advanced iOS backdoor distributed via watering hole attacks on compromised news websites.
Subsequent analysis by ThreatFabric in October 2023 found infrastructure and functional overlap between this malware and an Android spyware called DragonEgg attributed to the Chinese nation-state group APT41, also known as Winnti.
The initial compromise vector is unknown, but it is suspected to have been via a compromised news website that was regularly visited by known targets.
The starting point is a first-stage loader that serves as a launchpad for the core LightSpy backdoor and its various plug-ins, which are retrieved from remote servers to enable data collection capabilities.
Full-featured and modular, LightSpy allows threat actors to collect sensitive information, including contacts, text messages, precise location data and recordings during VoIP calls.
The latest version discovered by the Canadian cybersecurity firm further expands its file-stealing capabilities to include files and data from popular apps such as Telegram, QQ and WeChat, as well as iCloud Keychain data and browsing history from Safari and Google Chrome.
This sophisticated spying framework can also collect a list of connected Wi-Fi networks and details of installed applications, take pictures using the device’s camera, record audio, and execute shell commands received from the server, which could allow it to take full control of the device.
“LightSpy uses certificate pinning to prevent detection and interception of communications with its command and control (C2) servers,” BlackBerry said. “As a result, if the victim is on a network where traffic is being analyzed, no connection to the C2 server will be established.”
Further examination of the implant’s source code revealed that native Chinese speakers were involved, raising the possibility of state-sponsored activity. Moreover, LightSpy communicates with a server located at 103.27[.]109[.]217, which also hosts an administrator panel that displays a Chinese-language error message when incorrect login credentials are entered.
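The two observables above give a network defender something concrete to look for: connections to the quoted C2 address, and the side-effect of certificate pinning on an inspected network (TLS sessions that the client tears down right after the server certificate, before sending any application data). The following script is an added example, not code from BlackBerry’s report or the article: it refangs the defanged indicator, matches it against constructed key=value proxy log lines, and applies a repeated-aborted-handshake heuristic. The log format, field names, sample lines and the abort threshold are assumptions for illustration.

```python
"""Added example (not from BlackBerry's report or the article): match
constructed proxy log lines against the C2 indicator quoted in the text and
flag the side-effect of certificate pinning behind an intercepting proxy.
Log format, field names and the abort heuristic are assumptions."""
import re
from collections import Counter


def refang(indicator: str) -> str:
    """Turn a defanged indicator (103.27[.]109[.]217, hxxps://...) back into
    its literal form so it can be matched against logs."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


# The address quoted in the article, refanged once at import time.
C2_INDICATORS = {refang("103.27[.]109[.]217")}

# Constructed sample log lines (assumption: a key=value TLS proxy log in which
# the proxy records whether the client completed the handshake or dropped the
# session after receiving the proxy's re-signed certificate).
SAMPLE_LOG = """\
ts=1712900001 src=10.1.4.22 dst=142.250.72.14:443 sni=www.google.com handshake=complete app_bytes=5120
ts=1712900017 src=10.1.4.22 dst=103.27.109.217:443 sni=- handshake=aborted_after_cert app_bytes=0
ts=1712900019 src=10.1.4.22 dst=103.27.109.217:443 sni=- handshake=aborted_after_cert app_bytes=0
ts=1712900021 src=10.1.4.22 dst=103.27.109.217:443 sni=- handshake=aborted_after_cert app_bytes=0
ts=1712900040 src=10.1.4.31 dst=203.0.113.9:443 sni=api.example.net handshake=complete app_bytes=900
ts=1712900044 src=10.1.4.31 dst=203.0.113.9:443 sni=api.example.net handshake=aborted_after_cert app_bytes=0
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict."""
    return dict(LINE_RE.findall(line))


def match_c2(log_text: str) -> list:
    """Return records whose destination IP is a known C2 indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        ip = rec.get("dst", "").rsplit(":", 1)[0]  # strip the port
        if ip in C2_INDICATORS:
            hits.append(rec)
    return hits


def pinned_client_suspects(log_text: str, threshold: int = 3) -> dict:
    """Flag (src, dst) pairs with at least `threshold` TLS sessions dropped
    after the server certificate with no application data: what a pinning
    client looks like behind an intercepting proxy.  Heuristic only (an
    assumption of this example): legitimate pinned apps trip it too, so treat
    a hit as a triage signal, not a verdict."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("handshake") == "aborted_after_cert" and rec.get("app_bytes") == "0":
            counts[(rec["src"], rec["dst"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rec in match_c2(SAMPLE_LOG):
        print("C2 hit:", rec["src"], "->", rec["dst"], "at ts", rec["ts"])
    for (src, dst), n in pinned_client_suspects(SAMPLE_LOG).items():
        print(f"pinned-client suspect: {src} -> {dst} ({n} aborted handshakes)")
```

A single aborted handshake (the 203.0.113.9 pair in the sample) stays below the threshold; the point of the heuristic is the repeated retry pattern from one host to one destination, which is also where the C2-address match lands in the constructed data.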
Apple has said it sent threat notifications to users in 92 countries, including India, warning them that they may have been targeted by mercenary spyware.
“The return of LightSpy, now equipped with the versatile ‘F_Warehouse’ framework, marks an escalation in the mobile espionage threat,” BlackBerry said.
“The malware’s expanded capabilities, including widespread data exfiltration, audio surveillance and potential full device control, pose a serious risk to targeted individuals and organizations in South Asia.”