LightSpy spyware for iPhone linked to Chinese group APT41


Banking security firm ThreatFabric has found evidence that LightSpy, an iPhone spyware discovered in 2020, is more sophisticated than previously reported and may be linked to the infamous China-sponsored threat group APT41.

During the investigation, ThreatFabric researchers discovered new features in the LightSpy malware. The spyware was first used in an attack on iOS users in Hong Kong in January 2020.

These new features include 14 plugins responsible for exfiltrating private data and a central implant supporting 24 commands, including the ability to collect device fingerprints, establish a full connection with the threat actor's command and control (C2) server and retrieve orders from that server.

What is LightSpy spyware?

Three of the 14 LightSpy plugins were of particular importance to the researchers. These are:

  • Location module plugin: responsible for tracking users’ current location via snapshots taken at specific time intervals.
  • Sound recording plugin: can start microphone recording even during incoming phone calls. Additionally, the plugin can record WeChat VoIP audio conversations using a native library called libwechatvoipCoMm(dot)so.
  • Invoice plugin: responsible for stealing WeChat Pay payment history, which includes the last invoice ID, invoice type, transaction ID, date, and payment processing flag.

These findings led ThreatFabric researchers to conclude that LightSpy was linked to DragonEgg, an Android spyware implant discovered by Lookout in July 2023 and attributed to the Chinese cyberespionage group APT41.

This is the first time a connection has been observed between LightSpy and APT41.

LightSpy’s infrastructure was also discovered to contain dozens of servers in mainland China, Hong Kong, Taiwan, Singapore, and Russia. The group’s main targets are believed to be located in the Asia-Pacific region.

“LightSpy was a comprehensive modular surveillance tool with a strong focus on exfiltrating victims’ private information such as fine-grained location data (including building floor number), audio recording during VOIP calls (and) exfiltration of payment data from the WeChat Pay backend infrastructure,” reads the report.

ThreatFabric researchers believe WyrmSpy (aka AndroidControl), another spyware discovered in July 2023 alongside DragonEgg, shares the same infrastructure as LightSpy and “could be its successor”.

Who are APT41?

APT41 is a hacking group formed in 2012 that reportedly has ties to China’s Ministry of State Security (MSS). It is also known as BARIUM, Double Dragon, Wicked Panda and Wicked Spider.

APT41 stands out from the rest of the cyber threat landscape by conducting both state-sponsored cyber espionage campaigns and financially motivated cyber crime heists.

While this is also the case for most North Korean threat groups, the logic behind APT41 is different. The group only carries out financially motivated cyberattacks in its downtime and without state authorization, while spending most of its time deploying espionage operations backed by the Chinese regime – an approach known as “black work”.
