LightSpy, the malware behind a watering hole attack against iOS users in Hong Kong, has now been found to have an Android implant as well: a Core and 14 related plugins, distributed from 20 active servers for attacking mobile users.
LightSpy is a Mobile Advanced Persistent Threat (mAPT) that uses new and sophisticated techniques to attack mobile users. Attribution of this malware to the state-sponsored group APT41 has been confirmed.
Recent reports indicate that the malware abuses WeChat's payment system to access payment data, monitors private communications, and performs various other malicious activities.
LightSpy APT Attacking WeChat Users
According to reports shared with Cyber Security News, LightSpy is a fully featured modular surveillance toolset that uses various plugins to exfiltrate private and payment data. The malware is strongly focused on the victim's private information.
Its features include exfiltrating payment data from WeChat Pay through its backend infrastructure and abusing WeChat's audio-related functions to record victims' VoIP conversations.
However, the malware cannot run as a standalone application, since it is itself delivered as a plugin. The Core is responsible for every function needed across the entire attack chain.
The Core's functions include gathering the device fingerprint, establishing the connection to the control server, retrieving commands from the server, updating itself, and fetching additional payload files, known as plugins.
14 Plugins of LightSpy
Fourteen plugins have been added to the malware: softlist, baseinfo, bill, cameramodule, chatfile, filemanager, locationmodule, locationBaidu, qq, shell, soundrecord, telegram, wechat, and wifi.
| PLUGIN | VERSION | BRIEF DESCRIPTION |
| --- | --- | --- |
| softlist | 3.3.3 | Exfiltrates the list of installed/running applications and active usernames using the toolbox/toybox utility and superuser access |
| baseinfo | 2.3.4 | Exfiltrates contact list, call history, and SMS messages. Can send and delete SMS messages on command |
| bill | 1.2.18 | Exfiltrates payment history from WeChat Pay |
| cameramodule | 2.6.1 | Takes camera shots. Can do a single shot, continuous shots, or event-related shots (for instance, on a phone call) |
| chatfile | 1.3.4 | Exfiltrates data from different messengers' folders |
| filemanager | 3.0.5 | File exfiltration plugin |
| locationmodule | 2.6.5 | Precision location tracking plugin |
| locationBaidu | 2.6.6 | Another location-tracking plugin using different frameworks and Android native APIs |
| qq | 5.1.71 | Tencent QQ messenger database parsing and exfiltration plugin |
| shell | 2.2.4 | Remote shell plugin |
| soundrecord | 2.7.4 | Sound recording plugin: environment, calls, VoIP calls audio exfiltration |
| telegram | 7.3.221 | Telegram messenger data exfiltration plugin |
| wechat | 6.7.271 | WeChat data exfiltration plugin |
| wifi | 2.3.3 | Wi-Fi network data exfiltration plugin |
Source: ThreatFabric
One of the most important plugins, as mentioned in the report, is the location module plugin, which handles location tracking: it can send a snapshot of the current location or set up continuous tracking at specified time intervals. It is based on two location-tracking frameworks, the Tencent location SDK and the Baidu location SDK.
Another important plugin is the soundrecord plugin, which records audio. It can start microphone recording immediately or at specified intervals, and it can also record incoming phone calls.
The bill plugin gathers the victim's payment history from WeChat Pay (Weixin Pay in China), including the last bill ID, bill type, transaction ID, date, and the flag of the payment processed.
| ANDROID PLUGIN SET | IOS PLUGIN SET |
| --- | --- |
| baseinfo | baseinfoaaa.dylib |
| filemanager | FileManage |
| qq | ios_qq |
| telegram | ios_telegram |
| wechat | ios_wechat |
| shell | ShellCommandaaa |
| softlist | SoftInfoaaa |
| wifi | WifiList |
| locationmodule | locationaaa.dylib |
| locationBaidu | N/A |
| soundrecord | EnvironmentalRecording |
| bill | light |
| cameramodule | Screenaaa |
| chatfile | launchctl |
| N/A | irc_loader |
| N/A | ircbin.plist |
| N/A | KeyChain |
| N/A | browser |
Relationship between iOS and Android commands (Source: ThreatFabric)
A complete report about LightSpy has been published by ThreatFabric, which provides detailed information about the threat vector, source code, analysis, and other information.
Indicators of Compromise
Control servers:
DOMAINS
spaceskd[.]com
IPs
103.27.108[.]207
46.17.43[.]74
File hashes:
Second stage payload (smalmload.jar), SHA256:
407abddf78d0b802dd0b8e733aee3eb2a51f7ae116ae9428d554313f12108a4c
bd6ec04d41a5da66d23533e586c939eece483e9b105bd378053e6073df50ba99
The Core
| SHA256 | VERSION |
| --- | --- |
| 68252b005bbd70e30f3bb4ca816ed09b87778b5ba1207de0abe41c24ce644541 | 6.5.24 |
| 5f93a19988cd87775ad0822a35da98d1abcc36142fd63f140d488b30045bdc00 | 6.5.24 |
| bdcc5fc529e12ecb465088b0a975bd3a97c29791b4e55ee3023fa4f6db1669dc | 6.5.25 |
| 9da5c381c28e0b2c0c0ff9a6ffcd9208f060537c3b6c1a086abe2903e85f6fdd | 6.2.1 |
| a01896bf0c39189bdb24f64a50a9c608039a50b068a41ebf2d49868cc709cdd3 | 6.5.19 |
| 77f0fc4271b1b9a42cd6949d3a6060d912b6b53266e9af96581a2e78d7beb87b | 6.2.0 |
| d640ad3e0a224536e58d771fe907a37be1a90ad26bf0dc77d7df86d7a6f7ca0e | 6.2.1 |
| 3849adc161d699edaca161d5b6335dfb7e5005056679907618d5e74b9f78792f | 6.2.6 |
| 2282c6caef2dd5accc1166615684ef2345cf7615fe27bea97944445ac48d5ce4 | 5.2.1 |
The Plugins
| Plugin name | SHA256 |
| --- | --- |
| softlist | 7d17cdc012f3c2067330fb200811a7a300359c2ad89cdcf1092491fbf5a5a112 |
| baseinfo | cc6a95d3e01312ca57304dc8cd966d461ef3195aab30c325bee8e5b39b78ae89 |
| bill | c6ccd599c6122b894839e12d080062de0fa59c4cd854b255e088d22e11433ef6 |
| cameramodule | bace120bf24d8c6cfbb2c8bfeed1365112297740e2a71a02ea2877f5ffc6b325 |
| chatfile | 7d8a08af719f87425d1643d59979d4a3ef86a5fc81d1f06cfa2fd8c18aeb766b |
| filemanager | e5bdeedac2c5a3e53c1fdc07d652c5d7c9b346bcf86fc7184c88603ff2180546 |
| locationmodule | bf338e548c26f3001f8ad2739e2978586f757777f902e5c4ab471467fd6d1c04 |
| locationBaidu | 177e52c37a4ff83cd2e5a24ff87870b3e82911436a33290135f49356b8ee0eb1 |
| qq | f32fa0db00388ce4fed4e829b17e0b06ae63dc0d0fac3f457b0f4915608ac3b5 |
| shell | e1152fe2c3f4573f9b27ca6da4c72ee84029b437747ef3091faa5a4a4b9296be |
| soundrecord | c0c7b902a30e5a3a788f3ba85217250735aaaf125a152a32ee603469e2dfb39e |
| telegram | 71d676480ec51c7e09d9c0f2accb1bdce34e16e929625c2c8a0483b9629a1486 |
| wechat | bcb31d308ba9d6a8dbaf8b538cee4085d3ef37c5cb19bf7e7bed3728cb132ec1 |
| wifi | 446506fa7f7dc66568af4ab03e273ff25ee1dc59d0440086c1075d030fe72b11 |
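As an added illustration of how a defender would put the indicators above to use (this is example code written for this page, not ThreatFabric's or the article's own tooling), the script below refangs the published domains and IPs, scans a few constructed DNS/proxy log lines for them, and checks file contents against a subset of the listed SHA256 hashes. The log lines, the `name=`/`dst=` field names and the client addresses are constructed for the example; the indicator values themselves are copied from the lists above.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Network IoCs as published in the article, in "defanged" form ([.] for .).
IOC_DOMAINS_DEFANGED = ["spaceskd[.]com"]
IOC_IPS_DEFANGED = ["103.27.108[.]207", "46.17.43[.]74"]

# A subset of the SHA256 file hashes listed above, mapped to what they identify.
IOC_SHA256: Dict[str, str] = {
    "407abddf78d0b802dd0b8e733aee3eb2a51f7ae116ae9428d554313f12108a4c": "second-stage payload (smalmload.jar)",
    "68252b005bbd70e30f3bb4ca816ed09b87778b5ba1207de0abe41c24ce644541": "Core 6.5.24",
    "c6ccd599c6122b894839e12d080062de0fa59c4cd854b255e088d22e11433ef6": "plugin: bill",
    "c0c7b902a30e5a3a788f3ba85217250735aaaf125a152a32ee603469e2dfb39e": "plugin: soundrecord",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("spaceskd[.]com") back into a matchable host string."""
    return indicator.replace("[.]", ".")


# Refanged set used for exact-match lookups against hosts seen in logs.
NETWORK_IOCS = {refang(i) for i in IOC_DOMAINS_DEFANGED + IOC_IPS_DEFANGED}

# Constructed sample log lines (not real telemetry): DNS query and proxy records.
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:01Z dns query client=10.0.0.5 name=spaceskd.com type=A",
    "2024-05-01T10:00:02Z dns query client=10.0.0.5 name=example.com type=A",
    "2024-05-01T10:00:03Z proxy client=10.0.0.7 dst=103.27.108.207:443 bytes=2048",
    "2024-05-01T10:00:04Z proxy client=10.0.0.7 dst=93.184.216.34:443 bytes=512",
]

# Hypothetical log layout assumed here: hosts appear after "name=" or "dst=" and
# a port, if present, follows a colon (which the character class excludes).
HOST_RE = re.compile(r"(?:name=|dst=)([A-Za-z0-9.\-]+)")


def scan_log_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (log line, matched indicator) pairs for lines that touch a listed host."""
    hits = []
    for line in lines:
        for host in HOST_RE.findall(line):
            if host.lower() in NETWORK_IOCS:
                hits.append((line, host.lower()))
    return hits


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA256 of in-memory content (what a file scanner would compute per file)."""
    return hashlib.sha256(data).hexdigest()


def match_file_hash(data: bytes, table: Dict[str, str] = IOC_SHA256) -> Optional[str]:
    """Return the IoC label if the content's SHA256 is in the table, else None."""
    return table.get(sha256_of_bytes(data))


if __name__ == "__main__":
    for line, ioc in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"network IoC hit: {ioc} in: {line}")
    print("benign sample matches:", match_file_hash(b"just some bytes"))
```

Matching is exact on the refanged host, so a subdomain of a listed domain would need a suffix check added; hash matching is only as good as the indicator list, which is why the table is kept separate from the lookup logic and can be extended with the remaining hashes from the article.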