LightSpy APT attacks WeChat users to steal payment data | spcilvly

LightSpy APT attacks WeChat users

The LightSpy malware, responsible for a watering hole attack carried out against iOS users in Hong Kong, has been found to be embedded in the core of the Android implant and its 14 related add-ons from 20 active servers to attack mobile users.

LightSpy is a mobile advanced persistent threat (mAPT) that uses new and sophisticated techniques to attack mobile device users. This malware has been confirmed to be attributed to the state-sponsored group APT41.

Recent reports indicate that malware has been using WeChat payment systems to access payment data, monitor private communications, and perform various malicious activities.

LightSpy APT attacks WeChat users

According to reports shared with Cyber ​​Security News, the LightSpy malware was a full-featured modular surveillance toolkit that used various plugins for exfiltration of private and paid data. Additionally, the malware focuses heavily on the victim’s private information.

Its features include exfiltrating WeChat Pay payment data using its backend infrastructure and obtaining WeChat audio-related features to record victims’ VOIP conversations.

However, this malware cannot run as a standalone application as it is also a plugin. Furthermore, the malware core is responsible for performing all functions necessary for the entire attack chain.

Core functionalities include collecting device fingerprints, monitoring server connection establishment, retrieving and updating server commands, and additional payload files, also called plug-ins.

14 LightSpy Plugins

Various plugins have been added to the malware including soft list, base information, invoice, camera module, chat file, file manager, location module, Baidu location, qq, shell, sound recording, telegram, wechat and wifi.

soft list 3.3.3 Exfilters the list of installed/running applications and active user names using the Toolbox/Toybox utility and superuser access.
basic information 2.3.4 Exfilters contact list, call history and SMS messages. You can send and delete SMS messages using the command
bill 1.2.18 Exfiltrate WeChat Pay payment history
camera module 2.6.1 Take pictures from the camera. You can take a shot, a continuous shot, or a shot related to an event (for example, a phone call)
chat file 1.3.4 Exfiltrates data from folders of different messengers.
file manager 3.0.5 File Exfiltration Plugin
location module 2.6.5 Precision Location Tracking Plugin
locationBaidu 2.6.6 Another location tracking plugin that uses different native Android frameworks and APIs
qq 5.1.71 Tencent QQ Messenger Database Exfiltration and Analysis Plugin
shell 2.2.4 Remote shell plugin
sound recording 2.7.4 Sound Recording Plugin – Environment, Calls, VOIP Call Audio Exfiltration
telegram 7.3.221 Telegram Messenger Data Leak Plugin
chat 6.7.271 WeChat Data Exfiltration Plugin
Wifi 2.3.3 Wi-Fi Network Data Exfiltration Plugin

Source: ThreatFabric

One of the most important plugins, as mentioned in the report, was the location module plugin, which was responsible for location tracking and can send a snapshot of the current location or set location tracking with time intervals specific. This plugin is based on two location tracking frameworks: Tencent Location SDK and Baidu Location SDK.

Another important plugin was the Soundrecord plugin, which is responsible for recording audio. This plugin can also start microphone recording immediately or at specific intervals. Additionally, this plugin can also record incoming phone calls.

Invoice plugin is another important plugin that is responsible for collecting information about the victim’s payment history of WeChat Pay (Weixin Pay in China), which includes the latest invoice ID, invoice type, transaction ID, the date and flag of the processed payment. .

basic information baseinfoaaa.dylib
file manager Manage files
qq ios_qq
telegram ios_telegram
chat ios_wechat
shell ShellCommandaaa
soft list SoftInfoaaaa
Wifi Wifi List
location module locationyyy.dylib
locationBaidu N/A
sound recording Ambient recording
bill light
camera module Screenyyy
chat file launchctl
N/A irc_loader
N/A ircbin.plist
N/A Key ring
N/A browser

Relationship between iOS and Android commands (Source: ThreatFabric)

ThreatFabric has published a comprehensive report on LightSpy, providing detailed information on the threat vector, source code, analysis, and other information.

Commitment indicators

Control servers:






File hashes:

Second stage payload (smalmload.jar)




The nucleus

68252b005bbd70e30f3bb4ca816ed09b87778b5ba1207de0abe41c24ce644541 6.5.24
5f93a19988cd87775ad0822a35da98d1abcc36142fd63f140d488b30045bdc00 6.5.24
bdcc5fc529e12ecb465088b0a975bd3a97c29791b4e55ee3023fa4f6db1669dc 6.5.25
9da5c381c28e0b2c0c0ff9a6ffcd9208f060537c3b6c1a086abe2903e85f6fdd 6.2.1
a01896bf0c39189bdb24f64a50a9c608039a50b068a41ebf2d49868cc709cdd3 6.5.19
77f0fc4271b1b9a42cd6949d3a6060d912b6b53266e9af96581a2e78d7beb87b 6.2.0
d640ad3e0a224536e58d771fe907a37be1a90ad26bf0dc77d7df86d7a6f7ca0e 6.2.1
3849adc161d699edaca161d5b6335dfb7e5005056679907618d5e74b9f78792f 6.2.6
2282c6caef2dd5accc1166615684ef2345cf7615fe27bea97944445ac48d5ce4 5.2.1

The complements

Plugin name SHA256
soft list 7d17cdc012f3c2067330fb200811a7a300359c2ad89cdcf1092491fbf5a5a112
base information cc6a95d3e01312ca57304dc8cd966d461ef3195aab30c325bee8e5b39b78ae89
bill c6ccd599c6122b894839e12d080062de0fa59c4cd854b255e088d22e11433ef6
camera module bace120bf24d8c6cfbb2c8bfeed1365112297740e2a71a02ea2877f5ffc6b325
chat file 7d8a08af719f87425d1643d59979d4a3ef86a5fc81d1f06cfa2fd8c18aeb766b
file manager e5bdeedac2c5a3e53c1fdc07d652c5d7c9b346bcf86fc7184c88603ff2180546
location module bf338e548c26f3001f8ad2739e2978586f757777f902e5c4ab471467fd6d1c04
locationBaidu 177e52c37a4ff83cd2e5a24ff87870b3e82911436a33290135f49356b8ee0eb1
qq f32fa0db00388ce4fed4e829b17e0b06ae63dc0d0fac3f457b0f4915608ac3b5
shell e1152fe2c3f4573f9b27ca6da4c72ee84029b437747ef3091faa5a4a4b9296be
sound recording c0c7b902a30e5a3a788f3ba85217250735aaaf125a152a32ee603469e2dfb39e
telegram 71d676480ec51c7e09d9c0f2accb1bdce34e16e929625c2c8a0483b9629a1486
chat bcb31d308ba9d6a8dbaf8b538cee4085d3ef37c5cb19bf7e7bed3728cb132ec1
Wifi 446506fa7f7dc66568af4ab03e273ff25ee1dc59d0440086c1075d030fe72b11

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the Free Trial to guarantee 100% security.

Leave a Reply

Your email address will not be published. Required fields are marked *