

A macOS variant of the very advanced LightSpy malware was discovered by experts.

A macOS version of the LightSpy spying framework, which has been operational since at least January 2024, was discovered by researchers.

ThreatFabric observed threat actors delivering macOS implants via two publicly available exploits (CVE-2018-4233, CVE-2018-4404). The researchers noted that the CVE-2018-4404 exploit most likely took some inspiration from the Metasploit framework.

The macOS version of LightSpy supports ten plugins for extracting confidential data from infected devices.
After being inactive for some months, the modular spyware LightSpy has returned with enhanced spying capabilities.

LightSpy can steal data from a variety of well-known apps, including WeChat, QQ, and Telegram, in addition to private documents and media kept on the device. It can also record audio and gather a variety of data, such as installed application details, Wi-Fi connection lists, browsing histories, and even photos taken with the device's camera. In addition, the malware gives attackers access to the device's OS, allowing them to run shell commands, retrieve user lists and KeyChain data, and potentially take complete control of the device.


According to the researchers, several URLs with the number "96382741" were posted to VirusTotal on January 11, 2024. These URLs led to JavaScript and HTML files associated with the CVE-2018-4233 vulnerability that were posted on GitHub. The WebKit vulnerability affects macOS 10.13.3 and iOS versions prior to 11.4. The researchers discovered that the path name "96382741" has previously been used to host LightSpy malware files for both iOS and Android devices.

"The beginning point threat actor group employed the same strategy as for the dissemination of iOS implants, which involved exploiting a WebKit vulnerability in Safari to execute arbitrary code with no privileges. Attackers employed the CVE-2018-4233 vulnerability for macOS, whose source code was made public on August 18, 2018," reads the ThreatFabric study that was released. Because the flaw impacted both iOS and macOS WebKits, it's possible that iOS and macOS implants were distributed in the same manner for a while. The OS-specific lateral local privilege escalation made a difference.
Because of the design of the target computers, the plugins for the macOS version differ from those for other platforms. Compared to the mobile version, the desktop version notably offers fewer exfiltration features.

The panel's content originally surfaced as a web page backdrop on VirusTotal on March 21, 2024. The panel URL was linked to Android LightSpy and was discovered by VirusTotal the next day. After some preliminary investigation, it was discovered that the panel's code included a crucial error: it checked for authorization only after loading all scripts, which briefly exposed the authenticated view to unauthorized users.
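The authorization flaw described above, modelled in an added example that is not code from the ThreatFabric report or from the LightSpy panel: a handler that serves the authenticated view and its scripts first and checks authorization only afterwards, beside a hardened handler that enforces the check before rendering anything. Session ids, routes and the panel markup are constructed for illustration.

```javascript
// Added example (not the panel's or ThreatFabric's code). It models the flaw the
// article describes: the authenticated view is served before authorization is
// checked. Session ids, routes and panel markup are constructed for illustration.

const VALID_SESSIONS = new Set(["constructed-session-id"]);

function isAuthenticated(req) {
  return VALID_SESSIONS.has(req.cookies && req.cookies.session);
}

// The authenticated view: victim listings and the scripts that render them.
function renderPanel() {
  return '<script src="/panel.js"></script><div id="victims">[victim data]</div>';
}

// Weak pattern: the server sends the full panel to every request and leaves the
// authorization check to a script that runs after the page has loaded. The body
// already contains everything an unauthenticated client needs to read, so the
// late redirect protects nothing.
function weakPanelHandler(req) {
  const lateCheck = isAuthenticated(req)
    ? ""
    : '<script>location.href="/login"</script>';
  return { status: 200, body: renderPanel() + lateCheck };
}

// Hardened pattern: authorization is enforced on the server before any panel
// content is rendered; unauthenticated requests get a redirect and an empty body.
function hardenedPanelHandler(req) {
  if (!isAuthenticated(req)) {
    return { status: 302, body: "", location: "/login" };
  }
  return { status: 200, body: renderPanel() };
}

// Defender check: does a response to an unauthenticated request leak panel content?
function leaksPanel(response) {
  return response.body.includes('id="victims"');
}

const anonymous = { cookies: {} };
const operator = { cookies: { session: "constructed-session-id" } };

console.log("weak leaks to anonymous:", leaksPanel(weakPanelHandler(anonymous)));         // true
console.log("hardened leaks to anonymous:", leaksPanel(hardenedPanelHandler(anonymous))); // false
console.log("hardened serves operator:", leaksPanel(hardenedPanelHandler(operator)));     // true
```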

"But there was a button that said "Remote control platform" in the upper right corner of the window, and it pointed to a different panel on the same control server. We were able to access this panel because of a catastrophic misconfiguration, and anyone could access the top-level panel in the same way," the report goes on. "All of the exfiltration data provided in the technical analysis section of this report fully correlates with the comprehensive information about victims contained in this panel."

It became clear that the threat actor group concentrated on listening in on victim communications, including voice recordings and messenger discussions, irrespective of the platform they were targeting. The study states, "A specialised plugin for network discovery was created specifically for macOS with the goal of identifying devices in close proximity to the victim." "Some components of the LightSpy problem remain mysterious even after our findings. There's no proof that Linux and router implants exist, and there's no information on possible delivery methods. However, panel examination has shown their potential utility."

Additionally, the researchers provided indicators of compromise (IoCs) for this particular malware variant.

