Banking security firm ThreatFabric has found evidence that LightSpy, an iPhone spyware first discovered in 2020, is more sophisticated than previously reported and can be linked to the notorious Chinese state-sponsored threat group APT41.
During the investigation, ThreatFabric researchers discovered new features in the LightSpy malware. The spyware was first used in a watering hole attack against iOS users in Hong Kong in January 2020.
These new features include 14 plugins responsible for private data exfiltration and a core implant that supports 24 commands, including the ability to gather device fingerprints, establish a full connection with the threat actor's command-and-control (C2) server, and retrieve orders from the server.
What Is LightSpy Spyware?
Three of the 14 LightSpy plugins were of particular significance to the researchers. These are:
- Location module plugin, responsible for tracking users' current location via snapshots taken at specific time intervals.
- Sound recording plugin, which can start a microphone recording, even during incoming phone calls. Additionally, the plugin can record WeChat VoIP audio conversations using a native library called libwechatvoipCoMm[dot]so.
- Bill plugin, responsible for stealing the payment history of WeChat Pay, which includes the last bill ID, bill type, transaction ID, date, and payment processing flag.
These findings led the ThreatFabric researchers to conclude that LightSpy is linked to DragonEgg, an Android spyware implant discovered by Lookout in July 2023 and attributed to the Chinese cyber espionage group APT41.
This is the first time a connection has been observed between LightSpy and APT41.
It was also discovered that LightSpy's infrastructure comprises dozens of servers in mainland China, Hong Kong, Taiwan, Singapore and Russia. The group's primary targets are estimated to be located in the Asia-Pacific region.
“LightSpy was a fully-featured modular surveillance toolset with a strong focus on victim private information exfiltration such as fine location data (including building floor number), sound recording during VOIP calls [and] payment data exfiltration from WeChat Pay backend infrastructure,” reads the report.
ThreatFabric researchers believe that WyrmSpy (aka AndroidControl), another spyware discovered in July 2023 alongside DragonEgg, shares the same infrastructure as LightSpy and “could be its successor.”
Who Are APT41?
APT41 is a hacking group formed in 2012 with alleged ties to the Chinese Ministry of State Security (MSS). It is also known as BARIUM, Double Dragon, Wicked Panda and Wicked Spider.
APT41 stands out from the rest of the cyber threat landscape because it conducts both state-sponsored cyber espionage campaigns and financially motivated cybercrime heists.
Although this is also the case for many North Korean threat groups, the rationale behind APT41 is different. The group performs financially motivated cyber-attacks only in its downtime and without state authorization, while spending most of its time running espionage operations backed by the Chinese regime, an approach known as “moonlighting.”