June 7, 2024 at 12:06PM
Cybersecurity researchers have discovered that the LightSpy spyware, previously known for targeting Apple iOS users, also has an undocumented macOS variant, showing that the malware is capable of infecting a wider range of platforms and devices than first thought. The macOS version has been active since January 2024 and can harvest various types of information and intercept communications. Its ongoing development sheds light on increasing cyber espionage activity.
Key takeaways from the meeting notes:
– LightSpy spyware, previously thought to target only Apple iOS users, has an undocumented macOS variant, meaning the malware can infect a wider range of platforms and devices.
– The cyber espionage campaign has been refined to deliver a more sophisticated macOS version using a plugin-based system to harvest various information.
– An analysis by ThreatFabric revealed the macOS variant of LightSpy has been active in the wild since at least January 2024, but has been confined to just about 20 devices, most of which are test devices.
– The attack chain involves exploiting CVE-2018-4233, a Safari WebKit flaw, which leads to the delivery of a malicious binary that masquerades as a PNG image file, ultimately enabling the execution of shell scripts and the establishment of a connection with a command-and-control (C2) server.
– The macOS version of LightSpy comes with 10 different plugins for various surveillance activities, with the core component functioning as a command dispatcher that communicates with the C2 server and retrieves commands and plugins dynamically.
– Despite the focus on macOS, Android devices have also been targeted with banking trojans such as BankBot and SpyNote, while evidence of Pegasus spyware attacks targeting Russian- and Belarusian-speaking journalists and activists has also been uncovered by Access Now and the Citizen Lab.
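The attack chain above delivers a Mach-O binary disguised as a PNG image. A simple defensive check for that trick is to compare a file's claimed extension with its leading "magic" bytes. The script below is an added example, not code from the original article or from ThreatFabric's analysis: the Mach-O and PNG signatures are the published format constants, the sample files are constructed in memory (none is a real artefact from the campaign), and the threshold used to tell a fat Mach-O header apart from a Java class file (both begin with 0xCAFEBABE) is an assumption noted in the code.

```python
import struct

# Added example (not from the original article): flag files whose extension
# says "image" but whose leading bytes say "executable" or "script". The
# signatures are the public Mach-O and PNG magic values; the sample files
# further down are constructed so the script runs offline.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "macho32-be",
    b"\xce\xfa\xed\xfe": "macho32-le",
    b"\xfe\xed\xfa\xcf": "macho64-be",
    b"\xcf\xfa\xed\xfe": "macho64-le",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # also the Java class-file magic, see identify()
IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "bmp"}


def identify(data: bytes) -> str:
    """Return a coarse content type derived from the file's leading bytes."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    magic = data[:4]
    if magic in MACHO_MAGICS:
        return MACHO_MAGICS[magic]
    if magic == FAT_MAGIC and len(data) >= 8:
        # Assumption/heuristic: a fat Mach-O header stores nfat_arch at offset 4
        # (a small count), while a Java class stores minor/major version there
        # (major version is 45 or more), so a small value means Mach-O.
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        return "macho-fat" if nfat_arch < 30 else "java-class"
    if data.startswith(b"#!"):
        return "script"
    return "unknown"


def extension_of(name: str) -> str:
    """Lower-cased extension of a file name, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_file(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the detected content type."""
    actual = identify(data)
    ext = extension_of(name)
    executable = actual.startswith("macho") or actual == "script"
    suspicious = ext in IMAGE_EXTENSIONS and executable
    return {"name": name, "extension": ext, "content": actual, "suspicious": suspicious}


# Constructed samples: a minimal PNG header, a Mach-O 64-bit header padded with
# zeros, a fat header claiming two architectures, a Java class header, a shell
# script renamed to .jpg, and plain text. None is a real file from the campaign.
SAMPLES = {
    "photo.png": PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 16,
    "cache.png": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
    "thumb.png": FAT_MAGIC + struct.pack(">I", 2) + b"\x00" * 24,
    "Main.class": FAT_MAGIC + struct.pack(">HH", 0, 52) + b"\x00" * 8,
    "icon.jpg": b"#!/bin/sh\necho hello\n",
    "notes.txt": b"plain text, nothing to see",
}


def scan_samples(samples=SAMPLES) -> list:
    """Return the names of samples whose extension contradicts their content."""
    results = (check_file(name, data) for name, data in samples.items())
    return [r["name"] for r in results if r["suspicious"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_file(name, data))
    print("suspicious:", scan_samples())
```

On a real system the same `check_file` can be run over a download or cache directory by reading the first 8 bytes of each file; the point of the heuristic is that an image-named file should never start with an executable header, whatever its name or icon suggests.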