LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India

LightSpy, an advanced iOS espionage implant, has reappeared in a renewed campaign targeting Southern Asia (likely India) using a modular framework called F_Warehouse to deliver plugins that steal files, record audio, harvest credentials, and execute shell commands. The campaign uses a Loader that fetches encrypted plugins from a C2 at hxxps://103[.]27[.]109[.]217:52202, employs certificate pinning to evade interception, and includes numerous hashes and YARA signatures for detection. #LightSpy #F_Warehouse

Keypoints

  • LightSpy has resurfaced targeting individuals in Southern Asia, with VirusTotal submissions suggesting possible victims in India.
  • The latest variant uses a modular framework named “F_Warehouse” with plugins for file theft (Telegram, QQ, WeChat), audio recording, camera capture, browser history harvesting, WiFi/network reconnaissance, and KeyChain credential extraction.
  • Initial infection likely occurs via compromised/watering-hole news websites; a Loader downloads and decrypts the LightSpy core and additional encrypted plugins from the attacker server.
  • Operators implement certificate pinning to prevent network inspection and interception of C2 traffic, hindering detection on monitored networks.
  • Command-and-control infrastructure is tied to IP 103.27.109.217 (port 52202) with an admin panel (port 3458); multiple file hashes and plugin URLs are provided as IoCs.
  • Technical artifacts include Mach-O64 binaries (Loader and core implant), multiple SHA256/MD5 hashes, a YARA rule targeting F_Warehouse strings, and Chinese-language code comments indicating likely Chinese-speaking developers.

MITRE Techniques

  • [T1189] Drive-by Compromise – Initial access appears to occur through compromised news websites used as watering-hole landing pages (‘compromised news websites’).
  • [T1105] Ingress Tool Transfer – The Loader retrieves encrypted plugins and core components from the actor server and decrypts them before execution (‘downloads plugins… in an encrypted format, followed by decryption’).
  • [T1005] Data from Local System – LightSpy searches for and exfiltrates local files, messaging app data, documents, and media from the device (‘search and steal files from the compromised mobile device’).
  • [T1123] Audio Capture – The malware contains an audio recording plugin that covertly captures microphone audio for remote exfiltration (‘secretly record audio from the infected device’).
  • [T1555] Credentials from Password Stores – The implant retrieves sensitive data stored in the user KeyChain to access credentials and tokens (‘retrieve user KeyChain data’).
  • [T1059] Command and Scripting Interpreter – A shell-execution plugin allows the operator to run shell commands on the compromised device (‘execute shell commands received from the attacker’s malicious server’).
  • [T1573] Encrypted Channel – Operators use certificate pinning to prevent traffic analysis and interception of communications with their C2 server (‘employs certificate pinning to prevent detection and interception of communication with its command-and-control (C2) server’).

Indicators of Compromise

  • [IP/URL] Command-and-control – hxxps://103[.]27[.]109[.]217:52202 (C2 server hosting plugins and core), admin panel on port 3458.
  • [File Hash – Loader/Core] Example hashes – 4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4 (Loader), 0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c (Core implant), and multiple other SHA256/MD5 hashes listed in the report.
  • [File Names] Plugin and binary names – libLanDevices, libFileManage, libAudioRecorder, libKeyChains, libShellCommand, libBrowserHistory, libCameraShot, and other lib* plugin files.
  • [File Type] Binary format – Mach-O64 executables (Loader and Core Implant) with sizes ~430,816 bytes (Loader) and ~1,252,656 bytes (Core).
  • [URLs] Plugin paths – sample plugin URLs under the C2: hxxp://103[.]27[.]109[.]217:52202/963852741/mac/plugins/2e351c7b4de4d3b1, and other plugin endpoints (multiple listed).

The LightSpy infection chain begins with a Loader (Mach-O64) that fetches both the encrypted core implant and additional encrypted plugin modules from the actor-controlled server; each plugin is retrieved over the network, decrypted locally, and then loaded to extend the implant’s functionality. The Loader is responsible for decrypting the core LightSpy implant and dynamically loading plugins that provide capabilities such as targeted file collection from messaging apps (Telegram, QQ, WeChat), browser-history extraction for Safari/Chrome, camera image capture, microphone audio recording, WiFi network history harvesting, and enumeration of connected devices.

Plugins include a shell-execution module that accepts commands from the server, enabling broader remote control beyond passive data collection. Communications with the C2 at hxxps://103[.]27[.]109[.]217:52202 are protected by certificate pinning to prevent interception by network defenders; an administrator panel reachable on port 3458 contains operator-facing controls (login messages observed in Chinese). Detection controls provided include multiple SHA256/MD5 hashes for the Loader and core implant, file names (lib* plugins and C40F0D27), YARA rules matching F_Warehouse path strings, and the C2 plugin URLs documented in the report.

Defensive measures should focus on blocking/monitoring egress to the listed IP/URLs, scanning for the provided Mach-O64 hashes and lib* plugin filenames, applying the provided YARA rule patterns that reference F_Warehouse build paths, and looking for anomalous processes performing microphone/camera capture or decrypting and loading external modules. Because the campaign uses certificate pinning, network TLS inspection may not reveal C2 contents, so endpoint scanning for the stated binaries and behavioral indicators (file collection, shell command execution, KeyChain access) is critical.
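As an added example (not code from the BlackBerry report, and not the LightSpy operators' tooling), the following Python applies the indicators listed above to files and to egress logs: the two SHA256 hashes, the F_Warehouse build-path string that the report's YARA rule keys on, the lib* plugin file names, and connections to 103.27.109.217 on ports 52202 and 3458. The firewall log layout, the Mach-O sample bytes and the plugin path embedded in them are constructed for this example and are not artifacts from the campaign.

```python
"""Hunting helpers for the LightSpy indicators summarised above.

Added example (not from the BlackBerry report): it applies the listed IoCs
to files and firewall logs so a defender can run the checks offline.
"""
import hashlib
import re
import struct

# Indicators quoted from the summary above.
KNOWN_SHA256 = {
    "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4": "LightSpy Loader",
    "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c": "LightSpy core implant",
}
C2_IP = "103.27.109.217"
C2_PORTS = {52202, 3458}           # plugin/core download port and admin panel
FRAMEWORK_STRING = b"F_Warehouse"  # build-path string the report's YARA rule keys on
PLUGIN_NAME_RE = re.compile(
    r"^lib(LanDevices|FileManage|AudioRecorder|KeyChains|"
    r"ShellCommand|BrowserHistory|CameraShot)\b"
)

# Mach-O 64-bit magic as read little-endian: MH_MAGIC_64 and its byte-swapped form.
MACHO64_MAGICS = {0xFEEDFACF, 0xCFFAEDFE}


def is_macho64(data: bytes) -> bool:
    """True if the blob starts with a 64-bit Mach-O header (either byte order)."""
    if len(data) < 4:
        return False
    (magic,) = struct.unpack("<I", data[:4])
    return magic in MACHO64_MAGICS


def classify_file(name: str, data: bytes) -> list:
    """Return the reasons a file matches the LightSpy IoCs (empty list = no match)."""
    reasons = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_SHA256:
        reasons.append("sha256 matches " + KNOWN_SHA256[digest])
    # Restrict the string match to Mach-O64 files so a text document that merely
    # mentions the framework name does not trip the rule.
    if is_macho64(data) and FRAMEWORK_STRING in data:
        reasons.append("Mach-O64 containing F_Warehouse build-path string")
    if PLUGIN_NAME_RE.match(name):
        reasons.append("file name matches a known LightSpy plugin")
    return reasons


# Hypothetical firewall log layout (constructed); adapt the regex to your own format.
CONNECTION_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def find_c2_egress(log_lines) -> list:
    """Return log lines whose destination is the LightSpy C2 on a known port."""
    hits = []
    for line in log_lines:
        m = CONNECTION_RE.search(line)
        if m and m["ip"] == C2_IP and int(m["port"]) in C2_PORTS:
            hits.append(line.strip())
    return hits


# Constructed sample inputs: a minimal fake Mach-O64 header followed by an
# F_Warehouse build path, and three fake firewall lines.
SAMPLE_PLUGIN = (
    bytes.fromhex("cffaedfe")                 # MH_MAGIC_64 as stored little-endian
    + b"\x0c\x00\x00\x01" + b"\x00" * 24      # cputype arm64 + padding (not parsed here)
    + b"/Users/dev/F_Warehouse/build/libFileManage.dylib\x00"
)
SAMPLE_LOG = [
    "2024-04-25T10:00:01Z proto=tcp src=10.0.0.5:50123 dst=103.27.109.217:52202 action=allow",
    "2024-04-25T10:00:02Z proto=tcp src=10.0.0.5:50124 dst=198.51.100.20:443 action=allow",
    "2024-04-25T10:00:03Z proto=tcp src=10.0.0.9:50200 dst=103.27.109.217:3458 action=allow",
]

if __name__ == "__main__":
    print(classify_file("libFileManage", SAMPLE_PLUGIN))
    for hit in find_c2_egress(SAMPLE_LOG):
        print("C2 egress:", hit)
```

The hash check only fires on byte-exact copies of the two listed binaries, so the Mach-O64 plus F_Warehouse string check and the plugin file-name check are what catch rebuilt or renamed variants; because C2 traffic is certificate-pinned, the egress check matches on destination IP and port alone rather than on anything inside the TLS session.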

Read more: https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india