Monday, 30 March 2020 09:41

Full-featured LightSpy malware deployed by iOS exploit chain


Researchers from the Russian security firm Kaspersky say they have found a watering hole that uses a full remote iOS exploit chain to deploy an implant named LightSpy.

Alexey Firsh, Kurt Baumgartner and Brian Bartholomew provided an indication of the seriousness with which they regarded this discovery, saying in a detailed blog post that while the watering hole itself was discovered early in January, they had already released two private reports outlining the spread, exploits, infrastructure and LightSpy implants.

Private reports are only provided to paying customers and, after the US Government came down heavily on Kaspersky for the firm's repeated exposure of advanced persistent threats — otherwise known as APTs or attacks crafted by nation-states — which were authored by the NSA, the Russian company only provides details of APTs in private reports.

LightSpy appeared to be designed to target users in Hong Kong, the three researchers said, leading the reader to assume that it would have had Chinese origins. Firsh, Baumgartner and Bartholomew said they had temporarily named the APT group TwoSail Junk, a further hint at Chinese origins.

"Currently, we have hints from known backdoor callbacks to infrastructure about clustering this campaign with previous activity," the trio wrote. "And we are working with colleagues to tie LightSpy with prior activity from a long running Chinese-speaking APT group, previously reported on as Spring Dragon/Lotus Blossom/Billbug(Thrip), known for their Lotus Elise and Evora backdoor malware.

"Considering that this LightSpy activity has been disclosed publicly by our colleagues from Trend Micro, we would like to further contribute missing information to the story without duplicating content. And, in our quest to secure technologies for a better future, we reported the malware and activity to Apple and other relevant companies."

Trend Micro's research, carried out by Elliot Cao, Joseph C. Chen, William Gamazo Sanchez, Lilang Wu, and Ecular Xu, said the watering hole had "several webpages disguised as local news pages [which were] then injected with an iframe that loads an iOS exploit.

"The iOS exploit flow was designed to exploit vulnerable iOS versions 12.1 and 12.2 on several models ranging from the iPhone 6S to the iPhone X. Users with unpatched iPhones that access the concerned links will be infected with an iOS malware that can spy on and take full control of the devices. We found that the campaign tricked users into clicking on the malicious news links by posting them on popular forums in Hong Kong."

The additional information that Kaspersky provided covered the deployment timeline, the way the implant spread, infrastructure, and an Android implant and a pivot to related infrastructure.

The researchers noted that after the initial discovery on 10 January, they had noted major modifications on 7 February and minor ones on 5 March.

As to the additional means of spreading, the trio said they had noted that, while in past campaigns the attackers had used social network platforms and direct messaging, more recently Telegram channels and Instagram posts were also being used as vectors. The first watering hole was designed to mimic a well-known Hong Kong newspaper, Apple Daily, by copying and pasting HTML source code from the original.

"This particular framework and infrastructure is an interesting example of an agile approach to developing and deploying surveillance framework in Southeast Asia," Firsh, Baumgartner and Bartholomew observed.

"This innovative approach is something we have seen before from SpringDragon, and LightSpy targeting geolocation at least falls within previous regional targeting of SpringDragon/LotusBlossom/Billbug APT, as does infrastructure and 'evora' backdoor use."



Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
