lightSpy

lightSpy
(Type: Reconnaissance, Backdoor, Info stealer, Exfiltration)

(Trend Micro) The iOS malware, which we named 'lightSpy' (detected by Trend Micro as IOS_LightSpy.A), is a modular backdoor that allowed the attacker to remotely execute a shell command and manipulate files on the infected device. It is also implemented with several functionalities through different modules for exfiltrating data from the infected device including:
• Hardware information
• Contacts
• Keychain
• SMS messages
• Phone call history
• GPS location
• Connected Wi-Fi history
• Browser history of Safari and Chrome

The malware also reports the surrounding environment of the device by:
• Scanning local network IP address
• Scanning available Wi-Fi network

The campaign also employs modules specifically designed to exfiltrate data from popular messenger applications such as QQ, WeChat, and Telegram.

[News Analysis] Trends:

Total Trend: 4

Trend Per Year
2020: 3
2023: 1

Trend Per Month
Mar 2020: 3
Oct 2023: 1



[News Analysis] News Mention Another Threat Name:

2 - DragonEgg
2 - WyrmSpy
3 - lightSpy
1 - dmsSpy


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 Reconnaissance
TA0042 Resource Development
TA0001 Initial Access
TA0002 Execution
TA0003 Persistence
TA0004 Privilege Escalation
TA0005 Defense Evasion
TA0006 Credential Access
TA0007 Discovery
TA0008 Lateral Movement
TA0009 Collection
TA0011 Command and Control
TA0010 Exfiltration
TA0040 Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

Basic Information (Credit @etda.or.th)

Tool: lightSpy

Names: lightSpy

Description: (Trend Micro) The iOS malware, which we named 'lightSpy' (detected by Trend Micro as IOS_LightSpy.A), is a modular backdoor that allowed the attacker to remotely execute a shell command and manipulate files on the infected device. It is also implemented with several functionalities through different modules for exfiltrating data from the infected device including:
• Hardware information
• Contacts
• Keychain
• SMS messages
• Phone call history
• GPS location
• Connected Wi-Fi history
• Browser history of Safari and Chrome

The malware also reports the surrounding environment of the device by:
• Scanning local network IP address
• Scanning available Wi-Fi network

The campaign also employs modules specifically designed to exfiltrate data from popular messenger applications such as QQ, WeChat, and Telegram.

Category: Malware

Type: Reconnaissance, Backdoor, Info stealer, Exfiltration

Information: https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf

Information: https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/

Information: https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy

Last-card-change: 2021-04-24

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi