May 30, 2024 at 07:15AM
The LightSpy surveillance framework, previously known for targeting Android and iOS, has now been found infiltrating macOS. It steals a wide range of data such as files, screenshots, location info, voice recordings, and payment details. The attackers use WebKit flaws to execute code within Safari and compromise macOS. LightSpy on macOS uses ten specific plugins for comprehensive data exfiltration. ThreatFabric confirmed the existence of implants for Windows, Linux, and routers but lacks details on their deployment in attacks.
The key takeaways from the report are as follows:
1. The LightSpy surveillance framework, originally known for targeting Android and iOS devices, has been discovered to have a macOS version, confirming its extensive reach.
2. The macOS implant has been active in the wild since at least January 2024 and is currently limited to testing environments, with a handful of infected machines used by cybersecurity researchers.
3. ThreatFabric’s report highlights that the macOS infection chain involves the delivery of a 64-bit MachO binary disguised as a PNG image file, privilege escalation exploits, encryption/decryption utilities, and other executables to gain root access and establish persistence on the breached device.
4. The infection chain proceeds with the download, decryption, and execution of LightSpy Core, which acts as the central plugin management system responsible for communications with the command and control (C2) server.
5. The macOS version of LightSpy uses ten specific plugins, enabling comprehensive data exfiltration from infected systems with operational flexibility.
6. The report also mentions the existence of LightSpy implants for Windows, Linux, and routers, but further details on their use in attacks remain elusive.
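A defender-side check for the masquerading step in item 3, added here as an example and not taken from ThreatFabric's report or from LightSpy itself: it ignores the file name, classifies the leading bytes as PNG or Mach-O, decodes the 64-bit Mach-O cputype, and flags a `.png` whose content is actually an executable. The sample headers are constructed, not real artefacts.

```python
import struct

# PNG files begin with this fixed 8-byte signature.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Mach-O magic values as they appear in the first four bytes on disk.
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": ("Mach-O 64-bit", "<"),         # MH_MAGIC_64, little-endian
    b"\xfe\xed\xfa\xcf": ("Mach-O 64-bit", ">"),         # MH_CIGAM_64, big-endian
    b"\xce\xfa\xed\xfe": ("Mach-O 32-bit", "<"),         # MH_MAGIC
    b"\xfe\xed\xfa\xce": ("Mach-O 32-bit", ">"),         # MH_CIGAM
    b"\xca\xfe\xba\xbe": ("Mach-O universal (fat)", ">"),  # FAT_MAGIC
}

# cputype values from <mach/machine.h> for the two 64-bit Mac architectures.
CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

def identify(data: bytes) -> str:
    """Return the real file type from its leading bytes, ignoring the name."""
    if data.startswith(PNG_SIGNATURE):
        return "PNG"
    entry = MACHO_MAGICS.get(data[:4])
    if entry is None:
        return "unknown"
    kind, endian = entry
    if kind == "Mach-O 64-bit" and len(data) >= 8:
        # mach_header_64 layout: magic, cputype, cpusubtype, filetype, ...
        cputype = struct.unpack(endian + "I", data[4:8])[0]
        kind += " " + CPU_TYPES.get(cputype, f"cputype=0x{cputype:08x}")
    return kind

def masquerade_check(filename: str, data: bytes) -> dict:
    """Flag a file whose .png extension hides a Mach-O executable."""
    claimed_png = filename.lower().endswith(".png")
    actual = identify(data)
    return {
        "filename": filename,
        "actual": actual,
        "suspicious": claimed_png and actual.startswith("Mach-O"),
    }

# Constructed sample headers (not real LightSpy artefacts): a genuine PNG
# prefix and a fabricated x86_64 Mach-O header that would carry a .png name.
REAL_PNG = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR"
FAKE_PNG = b"\xcf\xfa\xed\xfe" + struct.pack("<IIII", 0x01000007, 3, 2, 0)

if __name__ == "__main__":
    for name, blob in (("image.png", REAL_PNG), ("update.png", FAKE_PNG)):
        print(masquerade_check(name, blob))
```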