LightSpy, the malware behind a watering hole attack against iOS users in Hong Kong, has now been found in an Android version: a core implant plus 14 related plugins, served from 20 active servers, used to attack mobile users.
LightSpy is a mobile advanced persistent threat (mAPT) that uses new and sophisticated techniques against mobile device users. Researchers have confirmed the attribution of this malware to the state-sponsored group APT41.
Recent reports indicate that the malware abuses WeChat's payment system to access payment data, monitors private communications, and performs various other malicious activities.
LightSpy APT attacks WeChat users
According to reports shared with Cyber Security News, LightSpy is a full-featured modular surveillance toolkit that uses various plugins to exfiltrate private and payment data. The malware focuses heavily on the victim's private information.
Its features include exfiltrating WeChat Pay payment data through its backend infrastructure and using WeChat's audio-related functions to record victims' VoIP conversations.
However, the malware core cannot run as a standalone application, because it is itself loaded as a plugin. The core is responsible for all functions needed across the entire attack chain.
Core functions include collecting device fingerprints, establishing and monitoring the connection to the control server, retrieving and updating server commands, and fetching additional payload files, also called plugins.
14 LightSpy Plugins
Fourteen plugins have been added to the malware: soft list, base information, invoice, camera module, chat file, file manager, location module, Baidu location, qq, shell, sound recording, telegram, wechat and wifi.

| Plugin | Description |
| --- | --- |
| soft list | Exfiltrates the list of installed/running applications and active user names using the Toolbox/Toybox utility and superuser access. |
| base information | Exfiltrates the contact list, call history and SMS messages. Can also send and delete SMS messages using the command. |
| invoice | Exfiltrates WeChat Pay payment history. |
| camera module | Takes pictures with the camera: a single shot, a continuous shot, or a shot tied to an event (for example, a phone call). |
| chat file | Exfiltrates data from the folders of different messengers. |
| file manager | File exfiltration plugin. |
| location module | Precision location tracking plugin. |
| Baidu location | Another location tracking plugin that uses different native Android frameworks and APIs. |
| qq | Tencent QQ Messenger database exfiltration and analysis plugin. |
| shell | Remote shell plugin. |
| sound recording | Sound recording plugin: environment, phone call and VoIP call audio exfiltration. |
| telegram | Telegram Messenger data exfiltration plugin. |
| wechat | WeChat data exfiltration plugin. |
| wifi | Wi-Fi network data exfiltration plugin. |
One of the most important plugins, as mentioned in the report, is the location module plugin, which is responsible for location tracking and can either send a snapshot of the current location or set up location tracking at specific time intervals. This plugin is built on two location tracking frameworks: the Tencent Location SDK and the Baidu Location SDK.
Another important plugin is the Soundrecord plugin, which is responsible for recording audio. It can start microphone recording immediately or at specific intervals, and it can also record incoming phone calls.
The invoice plugin is another important plugin; it collects information about the victim's WeChat Pay (Weixin Pay in China) payment history, including the latest invoice ID, invoice type, transaction ID, and the date and flag of the processed payment.
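The plugin set above reads as a checklist of data sources a surveillance implant wants: app inventory, SMS, contacts, call log, camera, microphone, location, Wi-Fi and messenger files on storage. As an added defender-side example (not code from the article or from ThreatFabric's report), the script below maps those capabilities to the Android permissions an unprivileged app would have to declare for them and scores an AndroidManifest against that list, so an app requesting nearly the whole set stands out during triage. The capability-to-permission mapping, the threshold and both sample manifests are my own constructions; note that the soft list plugin is described as using superuser access, and a rooted implant need not declare any permission, so this is a triage heuristic for the broader capability pattern, not a LightSpy detector.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Data sources named in the plugin table, mapped to the permission an
# unprivileged app needs for each (mapping is an assumption for this example).
CAPABILITY_PERMISSIONS = {
    "installed app inventory": {"android.permission.QUERY_ALL_PACKAGES"},
    "sms": {"android.permission.READ_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call history": {"android.permission.READ_CALL_LOG"},
    "camera": {"android.permission.CAMERA"},
    "audio/call recording": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "wi-fi network data": {"android.permission.ACCESS_WIFI_STATE"},
    "messenger/file access": {"android.permission.READ_EXTERNAL_STORAGE"},
}

# Constructed sample: a chat app with a plausible, narrow permission set.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Constructed sample: an app asking for every data source in the table.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.utility">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def surveillance_capabilities(manifest_xml: str) -> list:
    """List the capabilities from the table whose permissions are all declared."""
    perms = declared_permissions(manifest_xml)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if needed <= perms)


def triage(manifest_xml: str, threshold: int = 6) -> dict:
    """Flag a manifest when it covers at least `threshold` of the nine data sources.

    The threshold is an arbitrary triage cut-off chosen for this example; tune it
    to the app population you review, and remember that a rooted implant can read
    these data sources without declaring any permission at all.
    """
    caps = surveillance_capabilities(manifest_xml)
    return {"capabilities": caps, "suspicious": len(caps) >= threshold}


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, triage(manifest))
```

The check deliberately requires every permission of a capability to be present (`needed <= perms`) so that a single common permission such as READ_CONTACTS does not, on its own, push an ordinary messaging app over the threshold; what matters for triage is the breadth of the set, mirroring the breadth of the plugin list.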
Figure: the set of Android plugins beside the iOS plugin set. Relationship between iOS and Android commands (Source: ThreatFabric)
ThreatFabric has published a comprehensive report on LightSpy, providing detailed information on the threat vector, source code, analysis, and other information.
Figure: second-stage payload (smalmload.jar)