Cybersecurity researchers have uncovered a “fresh” cyber espionage campaign targeting individuals in South Asia with the aim of delivering an Apple iOS spyware implant known as LightSpy.
“The latest iteration of LightSpy, denoted as ‘F_Warehouse,’ showcases a modular structure replete with extensive espionage functionalities,” the BlackBerry Threat Research and Intelligence Team said in a recent publication.
There are indications that the campaign may have targeted India, based on VirusTotal submissions originating from within the country.
First documented in 2020 by Trend Micro and Kaspersky, LightSpy is a sophisticated iOS backdoor distributed through watering hole attacks carried out via compromised news sites.
Subsequent analysis by ThreatFabric in October 2023 revealed overlaps in infrastructure and functionality between this malware and an Android spyware tool known as DragonEgg, which is attributed to the Chinese state-affiliated group APT41 (also known as Winnti).
The initial intrusion vector is currently unknown, although it is suspected to involve compromised news sites visited by the targeted population.
The first-stage component serves as a launcher for the core LightSpy backdoor and its various plugins, which are retrieved from a remote server to carry out data collection.
LightSpy is fully featured and modular, allowing the threat actors to harvest sensitive data including contacts, SMS messages, precise location data, and voice recordings from VoIP calls.
The latest version uncovered by the Canadian cybersecurity company extends its reach to file theft and data extraction from popular applications such as Telegram, QQ, and WeChat, as well as iCloud Keychain data and web browsing history from Safari and Google Chrome.
The espionage framework can also compile a list of connected Wi-Fi networks, gather details of installed applications, capture images via the device’s camera, record audio, and execute commands received from the server, likely enabling complete takeover of compromised devices.
“LightSpy employs certificate pinning as a countermeasure against detection and interception of communications with its command-and-control (C2) server,” BlackBerry said. “Thus, in scenarios where network traffic is under scrutiny, connection to the C2 server remains elusive.”
Further analysis of the implant’s source code suggests the involvement of native Chinese speakers, pointing to possible state backing. Moreover, LightSpy communicates with a server located at 103.27[.]109[.]217, which hosts an administrative panel that displays Chinese error messages on incorrect login attempts.
This development coincides with Apple sending threat notifications to users in 92 countries, including India, warning them that they may have been targeted by mercenary spyware attacks.
“The resurgence of LightSpy, now equipped with the versatile ‘F_Warehouse’ architecture, signifies an escalation in mobile espionage threats,” remarked BlackBerry.
“The expanded repertoire of the malware, encompassing extensive data exfiltration, auditory surveillance, and possible complete device takeover, poses a significant risk to targeted individuals and entities across Southern Asia.”