14 Jun

LightSpy spyware masquerades as macOS

Cybersecurity researchers have revealed that samples of the LightSpy spyware that were initially believed to target Apple iOS users are in fact a previously undocumented macOS version.

Analyses by Huntress Labs and ThreatFabric showed that the operators' toolkit covers Android, iOS, Windows, macOS, Linux, and routers from NETGEAR, Linksys, and ASUS. To deliver the macOS implant, the threat group chained two publicly available exploits: CVE-2018-4233, a WebKit code-execution bug, and CVE-2018-4404, a macOS privilege-escalation bug. LightSpy was first publicly reported in 2020 and has been linked to the Android surveillance tool DragonEgg. In April, BlackBerry described a new cyber-espionage campaign in South Asia and attributed it to an iOS build of LightSpy; the samples have since been identified as a macOS version that relies on a plugin system for information collection.

ThreatFabric’s analysis showed that the macOS version has been active since January 2024 but has reached only about 20 devices, most of which appear to be test devices. The attack begins with exploitation of CVE-2018-4233 in Safari's WebKit engine, which yields code execution and drops a 64-bit Mach-O binary disguised as a PNG file. The binary runs a shell script that fetches three further payloads: a privilege-escalation exploit, an encryption/decryption utility, and a ZIP archive. Inside the archive, a file named “update” acts as the loader for LightSpy Core, which communicates with the C2 server and downloads plugins. Ten plugins are supported on macOS, covering audio recording, photo capture, screen activity logging, and more.
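The “Mach-O disguised as a PNG” step is cheap to catch on disk, because the file's extension and its first bytes disagree. The following script is an added example, not code from ThreatFabric, Huntress, or the LightSpy operators: it compares the declared extension with the file header, recognising the PNG signature and the thin and universal (fat) Mach-O magic numbers, and flags any .png-named file that is really an executable. The sample inputs are constructed for the demonstration; the file names in them are placeholders, not indicators from the campaign.

```python
"""Flag files whose name says PNG but whose header says Mach-O.

Added example (not the researchers' or the malware's own code). The
constant names, the 'find_disguised' and 'scan_directory' helpers and the
sample files below are this example's own; only the PNG signature and the
Mach-O magic values are real format constants.
"""
import struct
from pathlib import Path
from typing import Iterable, List, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Mach-O magic numbers as the first four bytes appear on disk.
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian, e.g. x86_64/arm64)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
}
# Universal (fat) binaries: 0xCAFEBABE, or 0xCAFEBABF with 64-bit offsets.
FAT_MAGICS = {b"\xca\xfe\xba\xbe", b"\xca\xfe\xba\xbf"}


def classify_header(data: bytes) -> str:
    """Return 'png', 'mach-o' or 'other' from the leading bytes only."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    head = data[:4]
    if head in MACHO_MAGICS:
        return "mach-o"
    if head in FAT_MAGICS and len(data) >= 8:
        # 0xCAFEBABE is shared with Java class files. A fat Mach-O stores
        # nfat_arch, a small big-endian count, at offset 4; a class file
        # stores minor/major version there (major >= 45). Treating a small
        # value as a fat binary is a heuristic, not a format guarantee.
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        if 0 < nfat_arch < 32:
            return "mach-o"
    return "other"


def find_disguised(files: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (name, header_kind) for every .png-named file that is not a PNG."""
    findings = []
    for name, data in files:
        if not name.lower().endswith(".png"):
            continue
        kind = classify_header(data)
        if kind != "png":
            findings.append((name, kind))
    return findings


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Run find_disguised over every regular file under root, reading only headers."""
    def headers():
        for p in Path(root).rglob("*"):
            if p.is_file():
                with p.open("rb") as fh:
                    yield str(p), fh.read(64)
    return find_disguised(headers())


# Constructed samples: a genuine PNG header; a 64-bit x86_64 Mach-O header
# (magic, cputype 0x01000007, cpusubtype 3) under a .png name; a two-slice
# fat Mach-O under a .png name; and a Java class file (major version 52),
# which shares the 0xCAFEBABE magic and must not be flagged.
SAMPLES = [
    ("photo.png", PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR"),
    ("image.png", b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x03\x00\x00\x00"),
    ("banner.PNG", b"\xca\xfe\xba\xbe" + struct.pack(">I", 2)),
    ("Foo.class", b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)),
]

if __name__ == "__main__":
    for name, kind in find_disguised(SAMPLES):
        print(f"{name}: extension says PNG, header says {kind}")
```

Point `scan_directory` at a browser download folder or a user's `~/Library` to sweep real files; it reads only the first 64 bytes of each, so it is safe to run over large trees. A match is a reason to look at the file's provenance and signature, not proof of LightSpy by itself.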


ThreatFabric also discovered a misconfiguration that exposed the operators' remote control platform, including victim information. The data suggests the threat group was primarily interested in victims' communications.

In other news, Android devices in Latin America were targeted with banking trojans.

Research also revealed Pegasus spyware attacks on Russian and Belarusian activists and journalists dating back to 2020, with an increase after the invasion of Ukraine in 2022. The NSO Group stated that it sells its tools only to allies of Israel and the USA and that it will open an investigation into whether any customer's service should be terminated.