Cybersecurity researchers have uncovered a “revamped” cyber espionage campaign targeting South Asian users with the aim of delivering an Apple iOS spyware implant called LightSpy.
“The latest version of LightSpy, called ‘F_Warehouse,’ boasts a modular structure with extensive spying capabilities,” the BlackBerry Threat Research and Intelligence Team said in a report published last week.
There is evidence to suggest that the campaign may have targeted India, based on VirusTotal submissions originating from within its borders.
First documented in 2020 by Trend Micro and Kaspersky, LightSpy refers to an advanced iOS backdoor distributed via watering hole attacks through compromised news sites.
A subsequent analysis by ThreatFabric in October 2023 discovered infrastructure and functionality overlaps between the malware and an Android spyware known as DragonEgg, attributed to the Chinese state group APT41 (aka Winnti).
The initial intrusion vector is currently unknown, although it is suspected to involve compromised news websites that are known to be visited regularly by the targets.
The starting point is a first-stage loader that acts as a launchpad for LightSpy’s main backdoor and its assorted plugins that are fetched from a remote server to perform data collection functions.
LightSpy is comprehensive and modular, allowing threat actors to collect sensitive information, including contacts, SMS messages, precise location data, and audio recordings during VoIP calls.
The latest version discovered by the Canadian cybersecurity firm further expands its capabilities to steal files and data from popular apps like Telegram, QQ and WeChat, iCloud Keychain data, and web browser history from Safari and Google Chrome.
The complex spying framework also offers features to collect a list of connected Wi-Fi networks and details about installed apps, take photos using the device’s camera, record audio, and execute shell commands received from the server, potentially allowing it to take full control of the infected devices.
“LightSpy uses certificate pinning to prevent detection and interception of communication with its command and control (C2) server,” BlackBerry said. “Therefore, if the victim is on a network where traffic is analyzed, no connection to the C2 server will be established.”
Further examination of the implant’s source code suggests the involvement of native Chinese speakers, raising the possibility of state-sponsored activity. Additionally, LightSpy communicates with a server located at 103.27[.]109[.]217, which also hosts an administrator panel that displays an error message in Chinese when incorrect login credentials are entered.
The development comes as Apple said it has sent threat notifications to users in 92 countries, including India, who may have been targeted by mercenary spyware attacks.
“The return of LightSpy, now powered by the versatile ‘F_Warehouse’ framework, signals an escalation in mobile espionage threats,” BlackBerry said.
“The malware’s expanded capabilities, including extensive data exfiltration, audio surveillance and potential full device control, pose a serious risk to targeted individuals and organizations in South Asia.”