LightSpy iOS Malware Upgraded To Include 28 Plugins With Destructive Capabilities


Attackers often target iOS because of its large user base and its perceived security weaknesses. Despite Apple’s robust security measures, flaws in the OS and in third-party apps can be exploited by threat actors to gain unauthorized access to devices.

ThreatFabric researchers recently discovered that LightSpy iOS malware has been upgraded to include 28 plugins with destructive capabilities.


LightSpy iOS Malware Upgraded

In May 2024, cybersecurity firm ThreatFabric uncovered significant developments in the LightSpy malware ecosystem that unveiled a “unified server infrastructure” that directed both “macOS” and “iOS” campaigns.


Their investigation identified an advanced version of “LightSpy” for iOS (version 7.9.0, upgrading from version 6.0.0), which demonstrated substantial improvements in its malicious capabilities.

The malware’s architecture expanded to include 28 distinct plugins (increased from the original 12), with seven specifically designed plugins capable of disrupting device operations, particularly targeting the boot process through commands like “/usr/sbin/nvram auto-boot=false”.

Attack chain (Source – ThreatFabric)

All 28 plugins are listed below:

  • AppDelete
  • BaseInfo
  • Bootdestroy
  • Browser
  • BrowserDelete
  • cameramodule
  • ContactDelete
  • DeleteKernelFile
  • DeleteSpring
  • EnvironmentalRecording
  • FileManage
  • ios_line
  • ios_mail
  • ios_qq
  • ios_telegram
  • ios_wechat
  • ios_whatsapp
  • KeyChain
  • landevices
  • Location
  • MediaDelete
  • PushMessage
  • Screen_cap
  • ShellCommand
  • SMSDelete
  • SoftInfo
  • WifiDelete
  • WifiList

The threat actors extended their reach by supporting iOS versions up to 13.3, leveraging two critical security vulnerabilities:-

  • ‘CVE-2020-9802’ for initial system access through WebKit exploitation.
  • ‘CVE-2020-3837’ for gaining elevated system privileges.

The malware maintained communication through five active “C2” servers by using “WebSocket connections” for data transmission, with the most recent deployment timestamp recorded as October 26, 2022.

The infection chain began with an “HTML-based exploit delivery system,” followed by a jailbreak stage that deployed “FrameworkLoader” (also known as “ircloader”), which then facilitated the installation of the main “LightSpy Core” and its plugins.

GitHub jailbreak kit project (Source – ThreatFabric)

Other notable features included AES-ECB encryption of the configuration data with the key “3e2717e8b3873b29,” an SQL database (light.db) used to store commands, and a set of sophisticated plugins.

Among these plugins, ‘ios_mail’ targets NetEase’s Mail Master application to compromise email, and ‘PushMessage’ generates misleading push notifications through port 8087.

LightSpy operates via IP address “103.27.109[.]217” and uses “self-signed SSL certificates” for its “C2” infrastructure.

The malware employed “1-day exploits” (publicly disclosed vulnerabilities) and a “Rootless Jailbreak” technique that does not persist after a device reboot; it was delivered through watering hole attacks (compromised legitimate websites) aimed at specific iOS versions.

The infrastructure contained two administrative panels on ports “3458” and “53501,” with an additional control server at “222.219.183[.]84.”

Analysis of exfiltrated data revealed 15 victims (8 iOS devices) primarily from “China” and “Hong Kong,” connected to a Wi-Fi network named “Haso_618_5G.”

The malware’s core functionality (version 7.9.0) included destructive capabilities like “contact list wiping” and “system component deletion,” implemented via various plugins.

Source code examination exposed development environments with distinct usernames (“air,” “mac,” and “test”) and file paths (/Users/air/work/znf_ios/ios/, /Users/mac/dev/iosmm/, etc.), suggesting a team of at least three developers.

Other technical indicators, including a “China-specific” coordinate recalculation routine in the location plugin and Chinese-language markers in “Xcode header files,” strongly suggest a Chinese origin.

The effectiveness of the malware was partially limited by “iOS update cycles,” though users in regions affected by China’s Great Firewall remained vulnerable due to restricted access to system updates.
