Tentacles of notorious spyware tool LightSpy ensnare macOS

A malicious surveillance framework dubbed LightSpy has been expanded to target macOS systems, according to research by Threat Fabric. Ten plugins were designed to access a camera and sound recording and exfiltrate other private information from older affected systems.

LightSpy is a fully-featured modular surveillance tool that hackers use to obtain payment data, location, sound recordings during VOIP calls, and other private information from Android and iOS devices. During previous campaigns, researchers discovered active servers utilized by threat actors in China, Singapore, and Russia.

Now, Threat Fabric has collected evidence that the spyware tool also has the functionality to target macOS systems, albeit older ones. The threat actor group used two publicly available exploits to deliver implants for macOS version 10, released in 2017.

The spyware samples were recently uploaded to VirusTotal and appear to function in testing environments.

Researchers initially thought that a malicious actor had started a new campaign targeting a more recent macOS version. However, after checking the known hosts related to LightSpy, they managed to access one instance of the administration panel. After analyzing the list of victims inside, researchers concluded that no real victims were present, only attacker test machines or security researchers’ devices.

The macOS implant has a core component and ten plugins to exfiltrate data like audio recordings, browser history, keychain contents, nearby WiFi networks, installed apps, etc.

“We are certain that LightSpy for macOS echoes a campaign conducted a few years ago. Nonetheless, investigating this sophisticated spyware toolset was still intriguing, offering insights into the goals of the threat actor and the specific information they sought,” researchers said.

Despite this, the spyware demonstrates the threat actor group’s focus on intercepting victim communications, such as messenger conversations and voice recordings.

Most prior research has attributed LightSpy to a Chinese threat actor, APT 41, also known as Barium.

Threat Fabric researchers are not the first to claim LightSpy is used to target macOS. On April 25th, Huntress researchers shared the discovery of the LightSpy version targeting x86_64 architecture macOS. The spyware had these ten plugins:

  • AudioRecorder
  • BrowserHistory
  • CameraShot
  • FileManage
  • KeyChains
  • LanDevices
  • ProcessAndApp
  • ScreenRecorder
  • ShellCommand
  • WifiList

“While this sample was uploaded to VirusTotal recently from India, this isn't a particularly strong indicator of an active campaign, nor targeting within the region. It's a contributing factor, but without more concrete evidence or visibility into delivery mechanisms, it should be taken with a heavy grain of salt,” Huntress researchers said previously.

In an attempt to thwart threat actors, Apple has introduced new features to their OS, such as Lockdown Mode, additional TCC restrictions, and constantly evolving XProtect/XProtectRemediator modules designed to protect the end user.