The campaign distributing LightSpy differs in several ways from the traditional watering hole attack. One of the key differences is that the attackers created a website that mimics a popular one. In this instance, researchers discovered that a clone of the news website Daily Apple, a popular website hosted in Hong Kong, was created to distribute LightSpy. To get users to visit the cloned website, links were posted on several platforms redirecting users to it. Once the visitor accesses the attacker-controlled website, the site loads exploits onto the visitor’s device, which subsequently install LightSpy. More on the malware follows below.
The specific vulnerability exploited by the attackers has been compared to CVE-2019-8605, which was silently patched by Apple in newer iOS versions. If the victim has not updated their device, the vulnerability, when exploited, enables the attacker to gain root privileges on the device. The silently patched bug has no CVE number as of yet, but some researchers have noted a number of failed patch attempts to address this particular vulnerability.
Once root privileges are attained and access to the device is granted, the attacker installs LightSpy. The vulnerability has been found to affect iOS versions 12.1 and 12.2, which implies that iPhone models from the 6S to the X are vulnerable to infection. The malware payload itself is a new and previously unseen piece of spyware primarily focused on data exfiltration. Researchers at TrendMicro explained that,
“We chose to give this new threat the name lightSpy, from the name of the module manager, which is light. We also note that a decoded configuration file that the launchctl module uses includes a URL that points to a /androidmm/light location, which suggests that an Android version of this threat exists as well…One more note: The file payload.dylib is signed with the legitimate Apple developer certificate, and was only done so on November 29, 2019. This places a definite time stamp on the start of this campaign’s activity.”
TrendMicro has further published a technical analysis of the new spyware targeting users in Hong Kong. The analysis goes into far more detail than this article and is recommended reading for those interested. In summary, the malware is a modular backdoor that allows the threat actor to remotely execute shell commands and manipulate files on the affected device. This would allow an attacker to spy on a user’s device, as well as take full control of it. It contains different modules for exfiltrating data from the infected device, including connected Wi-Fi history, contacts, GPS location, hardware information, the iOS keychain, phone call history, Safari and Chrome browser history, and SMS messages. Further, the malware can gather information about available Wi-Fi networks and local network IP addresses. The malware is also capable of exfiltrating data associated with popular messaging apps, namely Telegram, QQ, and WeChat.
In order to carry out the above functions, the malware has been written to include modules that carry out specific tasks. The modular nature of the malware means that it can easily be updated to add more functionality at later dates. This supports the theory that the campaign has been carried out by a sophisticated advanced persistent threat (APT) group. The code consists of the following modules:
- dylib – acquires and uploads basic information such as iPhone hardware information, contacts, text messages, and call history.
- ShellCommandaaa – executes shell commands on the affected device; any results are serialized and uploaded to a specified server.
- KeyChain – steals and uploads information contained in the Apple KeyChain.
- Screenaaa – scans for and pings devices on the same network subnet as the affected device; the ping’s results are uploaded to the attackers.
- SoftInfoaaa – acquires the list of apps and processes on the device.
- FileManage – performs file system operations on the device.
- WifiList – acquires the saved Wi-Fi information (saved networks, history, etc.).
- Browser – acquires the browser history from both Chrome and Safari.
- Locationaaa – gets the user’s location.
- ios_wechat – acquires information related to WeChat, including account information, contacts, groups, messages, and files.
- ios_qq – similar to the WeChat module, but for QQ.
- ios_telegram – similar to the previous two modules, but for Telegram.
Researchers noted the similarities between LightSpy and a previous campaign targeting Android users, dating back to 2019. One of the key differences, other than the targeted operating system, was that the Android version, called dmsSpy, was distributed via Telegram while pretending to be a useful app. The fake app, in particular, was advertised as a calendar app containing protest schedules in Hong Kong. It contains many features frequently seen in malicious apps, such as requests for sensitive permissions and the transmission of sensitive information to a C&C server. This includes seemingly harmless information such as the device model, but also more sensitive information such as contacts, text messages, the user’s location, and the names of stored files. dmsSpy also registers a receiver for reading newly received SMS messages, as well as for dialing USSD codes.
Kaspersky Labs has also been tracking the iOS spyware. Although the campaign appears to be focused on Hong Kong and Chinese interests, it may be deployed in campaigns targeting wider geographies; to that end, researchers advise that users take the following precautions:
- Install the latest version of the operating system. If you are reluctant to do so because of issues with iOS 13, the current version (13.4) has addressed a number of those issues including reported Wi-Fi bugs and other irritants.
- Be very careful when following links, especially links sent by strangers. Even if they appear at first glance to point to a known website, checking the address carefully doesn't hurt and those few seconds spent can prevent a malware infection.
Currently, Kaspersky researchers are referring to the APT group behind the campaign as “TwoSail Junk”. There is a belief that the APT group may be related to a long-running Chinese-speaking APT group previously reported on as Spring Dragon, sometimes also referred to as Lotus Blossom or Billbug (Thrip). The APT group is perhaps best known for the deployment of custom malware, in particular its Lotus Elise and Evora backdoors. The group has been known to employ watering hole attacks in the past, often using fake Flash Player updates. The group’s operations seemed to mainly target Vietnam and Taiwan, as well as Myanmar. Evidence of the group’s activities potentially dates back to 2012, but 2015 and 2017 seem to be landmark years for the group, with numerous campaigns detected targeting South-East Asian countries. Since 2017 the group’s activity seems to have decreased drastically. In 2017 Kaspersky researchers concluded,
“Spring Dragon is one of many long-running APT campaigns by unknown Chinese-speaking actors. The number of malware samples which we managed to collect (over 600) for the group surpassed many others and suggests an operation on a massive scale. It’s possible that this malware toolkit is offered in specialist public or private forums to any buyers, although, to date, we haven’t seen this…We believe that Spring Dragon is going to continue resurfacing regularly in the Asian region and it is therefore worthwhile having good detection mechanisms (such as Yara rules and network IDS signatures) in place. We will continue to track this group going forward and, should the actor resurface, we will provide updates on its new modus operandi.”
Much of the evidence that may link TwoSail Junk and Spring Dragon centers around the use of infrastructure similar to that previously used in the distribution of the Evora backdoor. This led researchers to conclude,
“This particular framework and infrastructure is an interesting example of an agile approach to developing and deploying surveillance framework in Southeast Asia. This innovative approach is something we have seen before from SpringDragon, and LightSpy targeting geolocation at least falls within previous regional targeting of SpringDragon/LotusBlossom/Billbug APT, as does infrastructure and “evora” backdoor use.”