MacOS Computer Users Suffer from LightSpy Spyware Attack

mac computer

Cybersecurity researchers have recently uncovered a previously undocumented variant of the LightSpy spyware targeting macOS users. Initially identified as a threat to Apple iOS users, this discovery indicates a broader scope of the malware’s capabilities. Huntress Labs and ThreatFabric independently analyzed the artifacts associated with this cross-platform malware framework, revealing its potential to infect multiple operating systems, including Android, iOS, Windows, macOS, Linux, and even routers from NETGEAR, Linksys, and ASUS.

Exploits Used by LightSpy

According to ThreatFabric, the threat actors utilized two publicly available exploits, CVE-2018-4233 and CVE-2018-4404, to deliver the implants on macOS. Notably, part of the CVE-2018-4404 exploit appears to be derived from the Metasploit framework, targeting macOS version 10 specifically.

Evolution and Connection to Other Malware

LightSpy was first reported publicly in 2020. Subsequent investigations by Lookout and a Dutch mobile security firm suggested possible connections between LightSpy and an Android surveillance tool known as DragonEgg. In April, BlackBerry disclosed a renewed cyber espionage campaign targeting South Asian users, delivering an iOS version of LightSpy. However, it has now been found that a more sophisticated macOS variant employs a plugin-based system to collect various types of information.

Current Campaign and Scope

While a sample of the spyware was recently uploaded to VirusTotal from India, Huntress researchers Stuart Ashenbrenner and Alden Schmidt caution against jumping to conclusions about an active campaign or regional targeting without more concrete evidence. ThreatFabric's analysis indicates that this macOS variant has been active since at least January 2024, though it appears to be limited to about 20 test devices.

Attack Mechanism

The attack initiates by exploiting CVE-2018-4233, a Safari WebKit vulnerability, through malicious HTML pages to execute code. This leads to the delivery of a 64-bit Mach-O binary disguised as a PNG image file. The binary then extracts and runs a shell script that fetches additional payloads: a privilege escalation exploit, an encryption/decryption utility, and a ZIP archive. The script assigns root privileges to the extracted files, setting up persistence for the spyware to launch after system restarts.

Capabilities of LightSpy

The macOS version of LightSpy supports ten plugins designed for various malicious activities. These include capturing audio from the microphone, taking photos, recording screen activity, harvesting and deleting files, executing shell commands, listing installed applications and running processes, and extracting data from web browsers (Safari and Google Chrome) and iCloud Keychain. Additionally, plugins enable the capture of information about other devices on the same network, the list of Wi-Fi networks the device has connected to, and details of nearby Wi-Fi networks.

Command-and-Control Infrastructure

The LightSpy Core component establishes contact with a command-and-control (C2) server, allowing it to receive commands and download plugins. Both the Core and plugins can be updated dynamically via C2 commands. ThreatFabric discovered a misconfiguration that allowed access to the C2 panel, which included information about victims and their associated data.

Broader Context of Mobile Threats

This discovery is part of a larger trend of malware targeting mobile devices. Android devices, for instance, have been attacked with known banking trojans like BankBot and SpyNote, particularly in Uzbekistan and Brazil, and via impersonation of a Mexican telecom provider to infect users in Latin America and the Caribbean. Concurrently, Access Now and the Citizen Lab reported Pegasus spyware attacks on Russian and Belarusian-speaking activists and journalists in Latvia, Lithuania, and Poland. These attacks, dating back to at least 2020, have intensified following Russia's invasion of Ukraine in February 2022. The NSO Group, which manufactures Pegasus spyware, stated it only sells its tools to nations allied with Israel and the U.S. and promised to investigate these reports.

The discovery of the LightSpy spyware variant for macOS highlights the evolving and sophisticated nature of cyber threats. This development underscores the importance of robust cybersecurity measures and continuous vigilance across all platforms to protect users from such pervasive and adaptive malware.

By Zane
June 10, 2024
Mac Malware
English
June 10, 2024
Mac Malware

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Understanding EU ATM Malware: A Growing Cyber Threat

13 days ago

What is BO Team Ransomware?

6 months ago

Error: Ox800VDS Pop-up Scam

3 months ago

Roun.co.in: What is this Browser Hijacker

12 days ago

How To Stop and Remove the GuardGo Browser Extension and Hijacker

17 days ago

Related Posts

Mac Malware

macOS.Macma

macOS.Macma is a threat that can allow an ill-minded hacker to access and control our PC. This way, the hackers can monitor their victims and collect any information they please. Various APT (Advanced Persistent... Read more

December 28, 2021
Mac Malware

RShell Malware Targets MacOS Users

RShell is the name of a piece of malware that is attributed to a Chinese advanced persistent threat actor known by several aliases, most notably APT27 and LuckyMouse. RShell was discovered by a research team with... Read more

August 15, 2022
Adware, Mac Malware

MacOS Users Beware of the FlightRemote Adware Threat

MacOS users should be cautious of the FlightRemote adware threat, as it has been identified as part of the AdLoad malware family following analysis. This adware operates by inundating users with unwanted and deceptive... Read more

May 2, 2024
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.