Monday, 30 March 2020 09:41

Full-featured LightSpy malware deployed by iOS exploit chain


Researchers from the Russian security firm Kaspersky say they have found a watering hole that uses a full remote iOS exploit chain to deploy an implant named LightSpy.

Alexey Firsh, Kurt Baumgartner and Brian Bartholomew provided an indication of the seriousness with which they regarded this discovery, saying in a detailed blog post that while the watering hole itself was discovered early in January, they had already released two private reports outlining the spread, exploits, infrastructure and LightSpy implants.

Private reports are provided only to paying customers. After the US Government came down heavily on Kaspersky for the firm's repeated exposure of NSA-authored advanced persistent threats (APTs, attacks crafted by nation-states), the Russian company has provided details of APTs only in private reports.

LightSpy appeared to be designed to target users in Hong Kong, the three researchers said, leading the reader to assume that it would have had Chinese origins. Firsh, Baumgartner and Bartholomew said they had temporarily named the APT group TwoSail Junk, a further hint at Chinese origins.

"Currently, we have hints from known backdoor callbacks to infrastructure about clustering this campaign with previous activity," the trio wrote. "And we are working with colleagues to tie LightSpy with prior activity from a long running Chinese-speaking APT group, previously reported on as Spring Dragon/Lotus Blossom/Billbug(Thrip), known for their Lotus Elise and Evora backdoor malware.

"Considering that this LightSpy activity has been disclosed publicly by our colleagues from Trend Micro, we would like to further contribute missing information to the story without duplicating content. And, in our quest to secure technologies for a better future, we reported the malware and activity to Apple and other relevant companies."

Trend Micro's research, carried out by Elliot Cao, Joseph C. Chen, William Gamazo Sanchez, Lilang Wu, and Ecular Xu, said the watering hole had "several webpages disguised as local news pages [which were] then injected with an iframe that loads an iOS exploit.

"The iOS exploit flow was designed to exploit vulnerable iOS versions 12.1 and 12.2 on several models ranging from the iPhone 6S to the iPhone X. Users with unpatched iPhones that access the concerned links will be infected with an iOS malware that can spy on and take full control of the devices. We found that the campaign tricked users into clicking on the malicious news links by posting them on popular forums in Hong Kong."

The additional information that Kaspersky provided covered the deployment timeline, the way the implant spread, infrastructure, and an Android implant and a pivot to related infrastructure.

The researchers noted that after the initial discovery on 10 January, they had observed major modifications on 7 February and minor ones on 5 March.

As to the additional means of spreading, the trio said they had noted that, while in past campaigns the attackers had used social network platforms and direct messaging, more recently Telegram channels and Instagram posts were also being used as vectors. The first watering hole was designed to mimic a well-known Hong Kong newspaper, Apple Daily, by copying and pasting HTML source code from the original.

"This particular framework and infrastructure is an interesting example of an agile approach to developing and deploying surveillance framework in Southeast Asia," Firsh, Baumgartner and Bartholomew observed.

"This innovative approach is something we have seen before from SpringDragon, and LightSpy targeting geolocation at least falls within previous regional targeting of SpringDragon/LotusBlossom/Billbug APT, as does infrastructure and 'evora' backdoor use."



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
