LightSpy Now Available on macOS

Reports have surfaced indicating that the malware known as LightSpy, previously associated with attacks on Android and iOS, has now been detected on macOS. This development underscores the breadth of the software's data collection capabilities.

LightSpy is a modular spyware framework designed to steal various types of information, such as files, screenshots, location data, voice calls from WeChat, and data from messaging apps like Telegram and QQ Messenger.

According to a new report from ThreatFabric, a macOS version of LightSpy has been in active use since January 2024. However, it has primarily been observed in test environments and on a few devices belonging to researchers.

Security researchers gained access to the LightSpy control panel by exploiting configuration weaknesses. This access gave them insight into the software's features, its infrastructure, and the list of infected devices.

The attackers leverage vulnerabilities in WebKit (CVE-2018-4233 and CVE-2018-4404) to execute code in Safari on macOS versions 10.13.3 and earlier.

The initial stage delivers a 64-bit Mach-O binary disguised as a PNG image (“20004312341.PNG”) to the device. This file then decrypts and executes embedded scripts that download the next stage.
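As an added defensive example (not code from the article or from ThreatFabric's report), the following Python checks whether a file carrying an image extension, like the “20004312341.PNG” dropper described above, is actually a Mach-O executable, by reading its magic bytes instead of trusting the file name. The sample headers are constructed, not real LightSpy bytes, and the fat-binary threshold is a heuristic.

```python
import os
import struct

# Leading bytes of Mach-O thin binaries: MH_MAGIC and MH_MAGIC_64, both byte orders.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
FAT_MAGIC = b"\xca\xfe\xba\xbe"   # universal (fat) binary; Java .class files share this magic
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}

def identify(data: bytes) -> str:
    """Classify a file by its leading bytes instead of trusting its extension."""
    if data[:8] == PNG_MAGIC:
        return "PNG"
    if data[:4] in MACHO_MAGICS:
        return "Mach-O thin binary"
    if data[:4] == FAT_MAGIC and len(data) >= 8:
        # A fat header stores nfat_arch (a small big-endian count) at offset 4;
        # a Java class file stores minor/major version there, so large values are not fat.
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        if nfat_arch < 20:             # heuristic threshold (assumption), similar to file(1)
            return "Mach-O universal (fat) binary"
    return "unknown"

def is_masquerading_macho(filename: str, data: bytes) -> bool:
    """True when the name claims an image but the first bytes are a Mach-O executable."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in IMAGE_EXTS and identify(data).startswith("Mach-O")

def scan_tree(root: str) -> list:
    """Walk a directory and return paths of image-named files that are really Mach-O."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)
            except OSError:            # unreadable file: skip rather than abort the hunt
                continue
            if is_masquerading_macho(name, head):
                hits.append(path)
    return hits

# Constructed samples (not real LightSpy bytes): a little-endian 64-bit Mach-O header,
# a genuine PNG header, and a Java class header that must not be mistaken for a fat binary.
SAMPLE_MACHO = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
SAMPLE_PNG = PNG_MAGIC + b"\x00" * 24
SAMPLE_JAVA = FAT_MAGIC + b"\x00\x00\x00\x3d" + b"\x00" * 24
```

Running `scan_tree` over user download and cache directories surfaces files whose name and content disagree; a real hit still needs triage, since the check only proves a type mismatch, not that the binary is LightSpy.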

The second stage fetches a privilege escalation exploit (“SSUDO”), an encryption/decryption utility (“DDSS”), and a ZIP archive (“Mac.zip”) containing two files (“update” and “Update.PLIST”).

A script then gains root access on the infected device, establishes persistence, and configures the “update” binary to run on system startup.

The Macirc Loader component then loads, decrypts, and executes LightSpy Core, which manages the spyware plugins and communicates with the command-and-control server. LightSpy Core can also run shell commands, update network configurations, and schedule evasion activities.

While the Android and iOS versions of LightSpy use a larger set of plugins, the macOS variant employs the following 10:

  • SoundRecord: captures microphone audio
  • Browser: extracts browser data
  • CameraModule:
