MacOS Computer Users Suffer from LightSpy Spyware Attack

Cybersecurity researchers have recently uncovered a previously undocumented variant of the LightSpy spyware targeting macOS users. Initially identified as a threat to Apple iOS users, this discovery indicates a broader scope of the malware’s capabilities. Huntress Labs and ThreatFabric independently analyzed the artifacts associated with this cross-platform malware framework, revealing its potential to infect multiple operating systems, including Android, iOS, Windows, macOS, Linux, and even routers from NETGEAR, Linksys, and ASUS.

Exploits Used by LightSpy

According to ThreatFabric, the threat actors utilized two publicly available exploits, CVE-2018-4233 and CVE-2018-4404, to deliver the implants on macOS. Notably, part of the CVE-2018-4404 exploit appears to be derived from the Metasploit framework, targeting macOS version 10 specifically.

Evolution and Connection to Other Malware

LightSpy was first reported publicly in 2020. Subsequent investigations by Lookout and a Dutch mobile security firm suggested possible connections between LightSpy and an Android surveillance tool known as DragonEgg. In April, BlackBerry disclosed a renewed cyber espionage campaign targeting South Asian users, delivering an iOS version of LightSpy. However, it has now been found that a more sophisticated macOS variant employs a plugin-based system to collect various types of information.

Current Campaign and Scope

While a sample of the spyware was recently uploaded to VirusTotal from India, Huntress researchers Stuart Ashenbrenner and Alden Schmidt caution against jumping to conclusions about an active campaign or regional targeting without more concrete evidence. ThreatFabric's analysis indicates that this macOS variant has been active since at least January 2024, though it appears to be limited to about 20 test devices.

Attack Mechanism

The attack initiates by exploiting CVE-2018-4233, a Safari WebKit vulnerability, through malicious HTML pages to execute code. This leads to the delivery of a 64-bit Mach-O binary disguised as a PNG image file. The binary then extracts and runs a shell script that fetches additional payloads: a privilege escalation exploit, an encryption/decryption utility, and a ZIP archive. The script assigns root privileges to the extracted files, setting up persistence for the spyware to launch after system restarts.
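As an added defender-side illustration (not code from the article or from the researchers it cites), the script below flags files whose name claims an image while their leading bytes are a Mach-O header, which is the disguise the article describes for the first-stage binary. The magic values come from the public Mach-O and PNG format specifications; the threshold of 20 architectures used to tell a universal binary from a Java class file is an assumption.

```python
import struct
from pathlib import Path

# First bytes of each format as they appear on disk (public Mach-O and PNG specs).
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": "macho64-le",  # MH_MAGIC_64 on x86_64 / arm64
    b"\xfe\xed\xfa\xcf": "macho64-be",
    b"\xce\xfa\xed\xfe": "macho32-le",
    b"\xfe\xed\xfa\xce": "macho32-be",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"        # universal binary; Java .class files share it
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def classify(data: bytes) -> str:
    """Identify a blob by its leading bytes: 'png', a Mach-O kind, 'java-class' or 'unknown'."""
    if data[:8] == PNG_SIGNATURE:
        return "png"
    if data[:4] in MACHO_MAGICS:
        return MACHO_MAGICS[data[:4]]
    if data[:4] == FAT_MAGIC and len(data) >= 8:
        # Fat header: next field is nfat_arch (big-endian). A Java class file stores its
        # minor/major version here instead, which reads as an implausibly large arch count
        # (the cut-off of 20 is an assumption, not part of either format).
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        return "macho-fat" if 0 < nfat_arch <= 20 else "java-class"
    return "unknown"

def check_disguise(filename: str, data: bytes):
    """Return a finding when a file named like an image is actually a Mach-O executable."""
    kind = classify(data)
    if filename.lower().endswith((".png", ".jpg", ".jpeg", ".gif")) and kind.startswith("macho"):
        return f"{filename}: extension claims an image but content is {kind}"
    return None

def scan_dir(root: Path):
    """Walk a directory and report every image-named file whose header is Mach-O."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            with p.open("rb") as fh:
                hit = check_disguise(p.name, fh.read(8))
        except OSError:
            continue  # unreadable file; skip rather than abort the sweep
        if hit:
            findings.append(hit)
    return findings

if __name__ == "__main__":
    import sys
    for line in scan_dir(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(line)
```

Run it against a download or browser cache directory; a hit means the file should be treated as an executable regardless of its extension.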

Capabilities of LightSpy

The macOS version of LightSpy supports ten plugins designed for various malicious activities. These include capturing audio from the microphone, taking photos, recording screen activity, harvesting and deleting files, executing shell commands, listing installed applications and running processes, and extracting data from web browsers (Safari and Google Chrome) and iCloud Keychain. Additionally, plugins enable the capture of information about other devices on the same network, the list of Wi-Fi networks the device has connected to, and details of nearby Wi-Fi networks.

Command-and-Control Infrastructure

The LightSpy Core component establishes contact with a command-and-control (C2) server, allowing it to receive commands and download plugins. Both the Core and plugins can be updated dynamically via C2 commands. ThreatFabric discovered a misconfiguration that allowed access to the C2 panel, which included information about victims and their associated data.

Broader Context of Mobile Threats

This discovery is part of a larger trend of malware targeting mobile devices. Android devices, for instance, have been attacked with known banking trojans like BankBot and SpyNote, particularly in Uzbekistan and Brazil, and via impersonation of a Mexican telecom provider to infect users in Latin America and the Caribbean. Concurrently, Access Now and the Citizen Lab reported Pegasus spyware attacks on Russian and Belarusian-speaking activists and journalists in Latvia, Lithuania, and Poland. These attacks, dating back to at least 2020, have intensified following Russia's invasion of Ukraine in February 2022. The NSO Group, which manufactures Pegasus spyware, stated it only sells its tools to nations allied with Israel and the U.S. and promised to investigate these reports.

The discovery of the LightSpy spyware variant for macOS highlights the evolving and sophisticated nature of cyber threats. This development underscores the importance of robust cybersecurity measures and continuous vigilance across all platforms to protect users from such pervasive and adaptive malware.

June 10, 2024
