The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices. The malware’s core binaries were even signed with the same certificate used in jailbreak kits, indicating deep integration.
The C2 servers, active until October 26, 2022, hosted outdated malware, possibly for demonstration purposes but not as MaaS.
The iOS and macOS versions, while sharing core functions, differed in post-exploitation and privilege escalation techniques due to platform variations.
It exploited the CVE-2020-9802 vulnerability to gain access to the target device, which was fixed in iOS 13.5, but the threat actor bypassed CVE-2020-9870 and CVE-2020-9910, which were patched in iOS 13.6.
Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo
By deploying a Mach-O binary executable, the exploit took advantage of a vulnerability known as CVE-2020-3837, which ultimately led to a jailbreak.
The jailbroken device downloaded and executed the FrameworkLoader, which further downloaded and executed the LightSpy Core and plugins, while the Core established communication with the C2 server for further malicious activities.
LightSpy iOS Implant is a multi-part archive containing a core library (LightSpy Core) and multiple plugins, which relies on jailbreak functionalities and communicates with the C2 server.
The network communication, database access, and archive extraction are all accomplished through the utilization of a variety of libraries.
After establishing a C2 connection, LightSpy Core parses configuration and distributes tasks to plugins, where the Core itself can play sounds and utilizes a network stack to communicate with plugins.
It offers various plugins for data exfiltration (contacts, messages, app data), location tracking, screen capturing, and even destructive actions like disabling boot up or deleting files.
The threat actors utilized self-signed certificates to establish infrastructure on IP address 103.27.109.217.
Open-source intelligence revealed multiple servers sharing this certificate. By sending GET requests to specific IP addresses and ports, researchers identified servers connected to the iOS campaign.
Threat Fabric’s investigation uncovered five key IP addresses associated with the campaign, two of which hosted administration panels.
While analysis based on source code file paths within the downloaded binaries suggests at least three developers worked on the LightSpy iOS project: two focused on plugin development and a lead developer responsible for the Core and privilege escalation components.
Xcode automatically inserts user and organization names into header files, which helped identify these developers.
File path variations within the same user account suggest possible use of multiple machines by the same developer.
The LightSpy iOS case reveals a sophisticated threat actor leveraging zero-day and one-day exploits to compromise devices, particularly those hindered by regional restrictions.
The attackers employ destructive capabilities to erase traces and demonstrate their tool’s potential, while the discovery of a location plugin tied to a Chinese-specific system strongly suggests Chinese origins.
To mitigate risks, users are advised to keep devices updated, reboot regularly to disrupt persistent attacks, and exercise caution in regions with restricted software updates.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!
