LightSpy APT Attacking WeChat Users to Steal Payment Data

LightSpy malware, previously responsible for a watering hole attack against iOS users in Hong Kong, has now been found to include an Android implant: a Core component and 14 related plugins, served from 20 active servers, used to attack mobile users.

LightSpy is a Mobile Advanced Persistent Threat (mAPT) that uses new and sophisticated techniques to attack mobile users. This malware has been confirmed to be attributed to the state-sponsored group APT41.

Recent reports indicate that the malware abuses WeChat's payment system to access payment data, monitors private communications, and performs various other malicious activities.

LightSpy APT Attacking WeChat Users

According to the reports shared with Cyber Security News, LightSpy is a fully-featured modular surveillance toolset that uses various plugins to exfiltrate private and payment data. The malware is strongly focused on the victim's private information.

Its features include exfiltrating payment data from WeChat Pay through its backend infrastructure and using WeChat's audio-related functions to record victims' VOIP conversations.

However, the malware cannot run as a standalone application, as it is itself a plugin. The malware's Core is responsible for all the functions required for the entire attack chain.

The Core's functions include gathering the device fingerprint, establishing the connection to the control server, retrieving commands from the server, updating itself, and fetching the additional payload files, also called plugins.

14 Plugins of LightSpy

Fourteen plugins have been added to the malware: softlist, baseinfo, bill, cameramodule, chatfile, filemanager, locationmodule, locationBaidu, qq, shell, soundrecord, telegram, wechat, and wifi.

PLUGIN | VERSION | BRIEF DESCRIPTION
--- | --- | ---
softlist | 3.3.3 | Exfiltrates the list of installed/running applications and active usernames using the toolbox/toybox utility and superuser access
baseinfo | 2.3.4 | Exfiltrates contact list, call history, and SMS messages. Can send and delete SMS messages on command
bill | 1.2.18 | Exfiltrates payment history from WeChat Pay
cameramodule | 2.6.1 | Takes camera shots. Can do one shot, continuous shots, or event-related shots (for instance on a phone call)
chatfile | 1.3.4 | Exfiltrates data from different messengers' folders
filemanager | 3.0.5 | File exfiltration plugin
locationmodule | 2.6.5 | Precision location tracking plugin
locationBaidu | 2.6.6 | Another location-tracking plugin using different frameworks and Android native APIs
qq | 5.1.71 | Tencent QQ messenger database parsing and exfiltration plugin
shell | 2.2.4 | Remote shell plugin
soundrecord | 2.7.4 | Sound recording plugin: environment, calls, VOIP calls audio exfiltration
telegram | 7.3.221 | Telegram messenger data exfiltration plugin
wechat | 6.7.271 | WeChat data exfiltration plugin
wifi | 2.3.3 | Wi-Fi network data exfiltration plugin

Source: ThreatFabric

One of the most important plugins, as mentioned in the report, is the locationmodule plugin, which is responsible for location tracking: it can send a snapshot of the current location or set up location tracking at specified time intervals. This plugin is based on two location-tracking frameworks: the Tencent location SDK and the Baidu location SDK.

Another important plugin is the soundrecord plugin, which is responsible for recording audio. It can start microphone recording immediately or at specified intervals, and it can also record incoming phone calls.

The bill plugin is another important plugin, responsible for gathering the victim's payment history from WeChat Pay (Weixin Pay in China), including the last bill ID, bill type, transaction ID, date, and the processed flag of the payment.

ANDROID PLUGIN SET | IOS PLUGIN SET
--- | ---
baseinfo | baseinfoaaa.dylib
filemanager | FileManage
qq | ios_qq
telegram | ios_telegram
wechat | ios_wechat
shell | ShellCommandaaa
softlist | SoftInfoaaa
wifi | WifiList
locationmodule | locationaaa.dylib
locationBaidu | N/A
soundrecord | EnvironmentalRecording
bill | light
cameramodule | Screenaaa
chatfile | launchctl
N/A | irc_loader
N/A | ircbin.plist
N/A | KeyChain
N/A | browser

Relationship between iOS and Android commands (Source: ThreatFabric)

A complete report about LightSpy has been published by ThreatFabric, which provides detailed information about the threat vector, source code, analysis, and other information. 

Indicators of Compromise

Control servers:

Domains: spaceskd[.]com

IPs: 103.27.108[.]207, 46.17.43[.]74

File hashes:

Second stage payload (smalmload.jar)

SHA256

407abddf78d0b802dd0b8e733aee3eb2a51f7ae116ae9428d554313f12108a4c

bd6ec04d41a5da66d23533e586c939eece483e9b105bd378053e6073df50ba99
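As an added example (not part of the article or ThreatFabric's report), the following Python script refangs the published control-server and second-stage indicators and sweeps them against DNS, proxy and EDR log lines. The log lines are constructed for the example; the only real values are the indicators quoted above.

```python
import re
from typing import Dict, List

# Control-server and second-stage indicators exactly as published above (defanged).
DEFANGED_IOCS = {
    "domain": ["spaceskd[.]com"],
    "ip": ["103.27.108[.]207", "46.17.43[.]74"],
    "sha256": [
        "407abddf78d0b802dd0b8e733aee3eb2a51f7ae116ae9428d554313f12108a4c",
        "bd6ec04d41a5da66d23533e586c939eece483e9b105bd378053e6073df50ba99",
    ],
}

def refang(value: str) -> str:
    """Turn a defanged indicator ('x[.]y', 'hxxp://') back into a matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()

IOCS = {kind: {refang(v) for v in values} for kind, values in DEFANGED_IOCS.items()}

# Candidate hostnames / IPs and SHA256 digests inside a free-form log line.
_TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")
_SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

def scan_line(line: str) -> List[Dict[str, str]]:
    """Return every indicator hit in one log line (domains match subdomains too)."""
    hits: List[Dict[str, str]] = []
    for digest in _SHA256_RE.findall(line):
        if digest.lower() in IOCS["sha256"]:
            hits.append({"kind": "sha256", "value": digest.lower()})
    for tok in _TOKEN_RE.findall(line):
        t = tok.lower().rstrip(".")
        if t in IOCS["ip"]:
            hits.append({"kind": "ip", "value": t})
        elif any(t == d or t.endswith("." + d) for d in IOCS["domain"]):
            hits.append({"kind": "domain", "value": t})
    return hits

def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Scan many lines; each hit carries the 1-based line number for triage."""
    return [dict(h, line=n) for n, ln in enumerate(lines, 1) for h in scan_line(ln)]

# Constructed sample log lines (not real telemetry) covering each indicator type.
SAMPLE_LOGS = [
    "2023-10-02T09:14:11Z dns query client=10.0.0.12 qname=cdn.spaceskd.com qtype=A",
    "2023-10-02T09:14:12Z proxy CONNECT 103.27.108.207:443 user=alice status=200",
    "2023-10-02T09:15:03Z edr file_created path=/data/app/smalmload.jar "
    "sha256=407abddf78d0b802dd0b8e733aee3eb2a51f7ae116ae9428d554313f12108a4c",
    "2023-10-02T09:16:00Z dns query client=10.0.0.12 qname=example.com qtype=A",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} {hit['value']}")
```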

The Core


The Plugins

