LightSpy macOS is part of a broader LightSpy surveillance framework targeting multiple platforms, with a modular core and plugins designed to exfiltrate a wide range of data and maintain control. The article analyzes the macOS implant chain, including initial exploitation, a downloader, a persistence mechanism, and a complex core/plugin architecture, and notes panel misconfigurations that exposed victim data.
#LightSpy #MacOS #Macircloader #CVE-2018-4233 #CVE-2018-4404 #ThreatFabric
Keypoints
- LightSpy for macOS is presented as part of a cross-platform framework that previously targeted Android and iOS and planned Windows, macOS, Linux, and routers.
- The macOS branch chains two publicly available exploits, CVE-2018-4233 (the WebKit RCE, which gives unprivileged code execution inside the browser process) and CVE-2018-4404 (the privilege-escalation stage), to deliver the implant.
- An intermediate downloader binary (20004312341.png, a Mach-O despite its image extension) contains a single function (_injection) and is decrypted and launched to continue the infection chain.
- The malware persists through launchd (the job is registered with launchctl) so that the "update" binary starts at every boot, and it includes a complex Core (C40F0D27) that orchestrates plugins and C2 communication over WebSocket.
- macOS plugins cover audio, browser history, camera, file management, Keychain, network, process/app discovery, screen capture, remote shell, and Wi‑Fi data, enabling extensive exfiltration.
- A misconfigured “Remote control platform” panel exposed victim data, suggesting the operators’ infrastructure could be monitored or abused by others; several victim groups appear to be older devices or researchers.
MITRE Techniques
- [T1203] Exploitation for Client Execution – The threat actor group used two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deliver implants for macOS. “The Threat actor group used two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deliver implants for macOS.”
- [T1105] Ingress Tool Transfer – The intermediate downloader 20004312341.png is actually a Mach-O x86_64 binary, downloaded as part of the infection chain. “This ‘20004312341.png’ is actually MachO x86_64 binary executable file.”
- [T1543.003] Create or Modify System Process: Launch Daemons – The downloader script decrypts and unpacks mac.zip, then registers a launchd job (update.plist) so that the “update” binary starts at each boot. “achieve persistence on the system using launchctl. Starting from that moment ‘update’ binary will start during each system boot-up.”
- [T1140] Deobfuscate/Decode Files or Information – The decryption uses XOR and mirrors the Android decryption. “The decryption will be done using XOR, the decryption algorithm is identical to LightSpy Android plugin decryption.”
- [T1059.004] Unix Shell – The final Stage 2 uses a plain Bash script to download and execute further payloads. “The resulting script is a plain Bash script that will download three more files using curl utility.”
- [T1046] Network Service Discovery / [T1018] Remote System Discovery – The macOS plugin LanDevices discovers other hosts in the local network by pinging them. “This plugin is based on SimplePing framework which is used for pinging the host and checking the availability of the corresponding device.”
- [T1057] Process Discovery / [T1518] Software Discovery – Softlist exfiltrates installed applications and running processes. “Exfiltrate the list of installed applications” and “Exfiltrate the list of currently running processes”
- [T1059.004] Command and Scripting Interpreter: Unix Shell – The ShellCommand plugin provides a remote shell capability. “Remote shell plugin”
- [T1041] Exfiltration Over C2 Channel – Data and command results are sent as JSON objects over WebSocket via SendCommandOver. “The results of gathering data as well as command execution results will be JSON objects that will be sent using SendCommandOver function.”
- [T1555.001] Credentials from Password Stores: Keychain – The Keychain plugin exfiltrates passwords, certificates, and keys from Keychain. “This plugin is responsible for the exfiltration of passwords, certificates, and keys from Keychain.”
- [T1016.002] System Network Configuration Discovery: Wi-Fi Discovery / [T1049] System Network Connections Discovery – The Wi-Fi plugin exfiltrates nearby networks and the connection history using system data. “Wi-Fi nearby list and Wi-Fi connection history exfiltration plugin.”
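The launchd persistence described in the keypoints and under T1543.003 (a job that relaunches the “update” binary at every boot) is the most practical place to hunt on an endpoint. The script below is an added example, not code from the ThreatFabric write-up: it parses launchd property lists with the standard library and flags jobs whose program is named "update", sits outside the usual system locations, or is configured to run at load and be kept alive. The sample plist embedded in it is constructed for the example; the page does not give the real contents of update.plist, so the label and install path are assumptions.

```python
"""Hunt for launchd-based persistence of the kind LightSpy macOS uses.

Added example, not the project's or the article's code. Parses launchd
plists (XML or binary) and reports why a job looks like implant persistence.
"""
import os
import plistlib
from pathlib import Path
from typing import Dict, List

# Program locations treated as expected for launchd jobs (heuristic only;
# a well-placed implant can live under /Library too, so this is one signal).
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/", "/Library/", "/Applications/")

# The page says the persisted binary is named "update"; that is the only
# name-based indicator used here.
SUSPECT_NAMES = {"update"}


def launchd_dirs() -> List[Path]:
    """Directories launchd reads per-user agents and system-wide jobs from."""
    home = Path(os.path.expanduser("~"))
    return [home / "Library/LaunchAgents",
            Path("/Library/LaunchAgents"),
            Path("/Library/LaunchDaemons")]


def program_path(job: dict) -> str:
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess_job(job: dict) -> List[str]:
    """Return the reasons a job looks suspicious; an empty list means clean."""
    reasons: List[str] = []
    path = program_path(job)
    if not path:
        return ["no program specified"]
    if Path(path).name in SUSPECT_NAMES:
        reasons.append(f"program named {Path(path).name!r}")
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted locations: {path}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (starts at boot and restarts on exit)")
    return reasons


def scan_plist_bytes(data: bytes) -> List[str]:
    """Parse one launchd plist and assess it; unparseable files are reported."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:
        return [f"unparseable plist: {exc}"]
    return assess_job(job)


def scan_dirs(dirs=None) -> Dict[str, List[str]]:
    """Scan the real launchd directories; returns {plist path: reasons} for hits."""
    hits: Dict[str, List[str]] = {}
    for d in dirs if dirs is not None else launchd_dirs():
        if not d.is_dir():
            continue
        for p in d.glob("*.plist"):
            reasons = scan_plist_bytes(p.read_bytes())
            if reasons:
                hits[str(p)] = reasons
    return hits


# Constructed sample in the shape of an "update.plist"; label and path are
# assumptions for the example, not values taken from the page.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.update</string>
  <key>ProgramArguments</key><array><string>/Users/victim/Library/update</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    print("sample:", scan_plist_bytes(SAMPLE_PLIST))
    for path, reasons in scan_dirs().items():
        print(path, "->", "; ".join(reasons))
```

Run it as-is on a Mac to list every launchd job that trips one of the three signals; the name check is the narrowest indicator, while the location and RunAtLoad/KeepAlive checks are generic hygiene that will also surface legitimate third-party agents, so treat them as triage hints rather than verdicts.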
Indicators of Compromise
- [IP] 103.27.109.217 – Control server address associated with the macOS campaign panel and related infrastructure.
- [SHA256] 8a4f8a755ca123e9c3aa77b525f59ce99f1f2e288afc2e29afb6d15573776a16, 4cbc70b1c7d4ccc593fad895299e88a6734c8f4687f37f43850996f7fa076df9 – Stage 0 Exploit files (index.html, Int64.js, offsets.js, utils.js).
- [SHA256] 2c2471150aacc8443aa92a6063a848e8bb9dbcc8e369fb378c003d98bceaa728 – Int64.js (Stage 0).
- [SHA256] 65dee715b928f07da356e8bce7a762b0ab4c140ebea63e4bd66c2eb85e0fa2dc, 87cd75344a6826feac6d21b053f6816700b4b349ffd397addb4e244633edcc42 – Stage 1 dropper hashes for 20004312341.png and related components.
- [File] mac.zip, mac.zip XOR-decoded, update, update.plist, macversion.json, macmanifest.json – Core/plugin distribution and configuration artifacts used by LightSpy macOS.
- [File] C40F0D27 (Core orchestrator) and its XOR-decoded form – Core binary and plugin orchestrator artifacts.
Read more: https://www.threatfabric.com/blogs/lightspy-implant-for-macos