
LightSpy iOS Malware Enhanced to Include 28 Plugins With Destructive Features


The threat actor known as LightSpy has been identified exploiting publicly available vulnerabilities as well as jailbreak kits to compromise iOS devices. What sets this malware apart is its deep integration with jailbreak kits: its core binaries were signed with the same certificate used in such kits. This level of integration indicates a sophisticated approach by the threat actor.

The command and control (C2) servers associated with LightSpy were active until October 26, 2022. These servers were found to host outdated malware, leading researchers to believe that they may have been used for demonstration purposes rather than to offer malicious activity as a service.

One interesting aspect of LightSpy is the difference in techniques used for iOS and macOS devices. While the core functions are shared between the two platforms, the post-exploitation and privilege escalation techniques differ because of platform-specific constraints. This shows how adaptable the threat actor behind LightSpy is in targeting different operating systems effectively.

CVE-2020-9802 was exploited by LightSpy to gain initial access to iOS devices. Although this vulnerability had been patched in iOS 13.5, the threat actor also made use of other patched vulnerabilities, CVE-2020-9870 and CVE-2020-9910, which were addressed in iOS 13.6. The exploit then deployed a Mach-O binary executable that took advantage of CVE-2020-3837, leading to a jailbreak.

The jailbroken device then downloaded and executed the FrameworkLoader, which in turn fetched the LightSpy Core and its plugins. The LightSpy iOS implant consists of a core library (LightSpy Core) and various plugins that rely on jailbreak functionality; the Core establishes communication with the C2 server and carries out the malicious activity. The threat actors behind LightSpy used self-signed certificates to stand up infrastructure on an IP address, with multiple servers sharing the same certificate.

An investigation into LightSpy uncovered five key IP addresses associated with the campaign, two of which hosted administration panels. Source code file paths left in the downloaded binaries suggested that at least three developers worked on the LightSpy iOS project, split between plugin development and core functionality. The discovery of a location plugin tailored to Chinese-specific systems strongly suggests a Chinese origin for the threat actor behind LightSpy.

The sophisticated nature of the LightSpy iOS case underscores the importance of keeping devices updated, rebooting regularly to disrupt persistence, and exercising caution in regions where software updates are restricted. Users are advised to stay vigilant and follow best practices to mitigate the risks posed by such advanced threats. The LightSpy incident is a stark reminder of the evolving threat landscape and of the need for cybersecurity measures to keep pace with emerging challenges.
