LightSpy Malware Variant Targeting macOS | Huntress

LightSpy, long documented as iOS malware, now has a macOS variant: a dropper loads a core dylib and a set of plugins. The macOS implant uses a plugin manifest, an AES-encrypted configuration, and WebSocket-based C2 communications. Detection rules are published to aid defenders, and attribution discussions reference APT41. #LightSpy #APT41

Keypoints

  • The macOS variant of LightSpy is compiled for x86_64, which points to macOS rather than iOS as the target (iOS devices are ARM-only); it runs natively on Intel Macs and under Rosetta 2 on Apple silicon, so the architecture does not narrow the target further.
  • Stage 1 (Dropper): downloads and runs the core dylib, uses a PID file to prevent multiple instances, carries an AES-encrypted configuration appended to its binary, and fetches a manifest (macmanifest.json) that lists the plugins to load.
  • Stage 2 (Implant): loads and maintains the plugins, collects system information through a DeviceInformation interface, and communicates with the C2 over WebSockets.
  • Stage 3 (Plugins): a suite of 10 payloads (e.g., AudioRecorder, CameraShot, ScreenRecorder, FileManage, KeyChain, WifiList) provides targeted data collection and device interaction.
  • IOCs and defenses are provided (YARA and Sigma rules, and the primary C2 IP 103.27.109.217); prior work by Trend Micro, Kaspersky, and ThreatFabric informed the analysis.
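Two of the cheap static checks the keypoints imply (is the file an x86_64 Mach-O dylib, and does its SHA-1 match a published hash) can be scripted for bulk triage. The following Python helper is an added example for this page, not Huntress's tooling and not code from the implant: the IOC table is copied from the Indicators of Compromise section below, the Mach-O header constants come from Apple's `mach-o/loader.h`, and the sample header bytes, along with the function names `parse_macho_header`, `triage`, `triage_file` and `build_sample_header`, are constructed here so the script runs offline.

```python
"""Static triage of Mach-O files against the LightSpy macOS keypoints.

Constructed example for this page, not Huntress's tooling or code from
the implant. It parses the Mach-O header to report the architecture and
file type (the macOS samples are x86_64 dylibs) and checks the file's
SHA-1 against the hashes listed in the IOC section. The sample header
bytes are built in memory so the script runs offline.
"""
import hashlib
import struct

MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O
FAT_MAGICS = (b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca")  # universal binary

CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64",
             CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}

MH_EXECUTE, MH_DYLIB, MH_BUNDLE = 2, 6, 8
FILETYPE_NAMES = {MH_EXECUTE: "execute", MH_DYLIB: "dylib", MH_BUNDLE: "bundle"}

# SHA-1 hashes as published on this page (the page lists further hashes
# for loader and C40F0D27 that are not reproduced here).
IOC_SHA1 = {
    "afd03337d1500d6af9bc447bd900df26786ea4a4": "loader",
    "fd49866245721acc6e7431ec61b066696b72a1e1": "C40F0D27",
    "0563225dcc2767357748d9f1f6ac2db9825d3cf9": "soundrecord",
    "476c726b58409a8e3e6cf8fb6bb7d46596917e24": "browser",
    "33c39728a0393d4271f27cc1d85cf3c1610be333": "cameramodule",
}


def parse_macho_header(data: bytes) -> dict:
    """Return architecture and file type from a thin Mach-O header.

    Handles 32- and 64-bit headers in either byte order. Fat (universal)
    binaries are rejected; split them first (e.g. with lipo) and triage
    each slice separately.
    """
    if data[:4] in FAT_MAGICS:
        raise ValueError("fat binary: split into slices before triage")
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O header")
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        endian, magic = "<", magic_le
    elif magic_be in (MH_MAGIC, MH_MAGIC_64):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a Mach-O file")
    # mach_header / mach_header_64 share the first seven 32-bit fields.
    cputype, _cpusubtype, filetype, ncmds, _sizeofcmds, _flags = struct.unpack(
        endian + "6I", data[4:28])
    return {
        "is_64bit": magic == MH_MAGIC_64,
        "cputype": CPU_NAMES.get(cputype, hex(cputype)),
        "filetype": FILETYPE_NAMES.get(filetype, str(filetype)),
        "ncmds": ncmds,
    }


def triage(data: bytes) -> dict:
    """Combine the header parse with the IOC hash check.

    'matches_profile' (x86_64 dylib) is only a cheap prefilter: plenty of
    benign dylibs match it, so a hash hit or a YARA/Sigma match is needed
    before calling anything LightSpy.
    """
    result = parse_macho_header(data)
    sha1 = hashlib.sha1(data).hexdigest()
    result["sha1"] = sha1
    result["ioc_match"] = IOC_SHA1.get(sha1)
    result["matches_profile"] = (
        result["cputype"] == "x86_64" and result["filetype"] == "dylib")
    return result


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


def build_sample_header(cputype: int, filetype: int, endian: str = "<") -> bytes:
    """Construct a minimal 64-bit Mach-O header (sample input, not a real file).

    Fields: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved.
    """
    return struct.pack(endian + "8I", MH_MAGIC_64, cputype, 3, filetype, 0, 0, 0, 0)


if __name__ == "__main__":
    samples = [
        ("x86_64 dylib (LightSpy-like profile)",
         build_sample_header(CPU_TYPE_X86_64, MH_DYLIB)),
        ("arm64 executable", build_sample_header(CPU_TYPE_ARM64, MH_EXECUTE)),
    ]
    for name, blob in samples:
        print(name, triage(blob))
```

Run `triage_file()` over a directory of collected binaries and act on `ioc_match` first; `matches_profile` only narrows the set worth feeding to the published YARA rules. Fat binaries are deliberately refused rather than silently parsed as the wrong slice.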

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The dropper downloads and runs the core implant dylib. “[The first stage loads the core implant…]”
  • [T1027] Obfuscated Files and Information – The configuration is encrypted with AES using a static key, and a separate rolling XOR routine is used to deobfuscate other data. “[encrypted with AES with a static key…][rolling-type XOR]”
  • [T1082] System Information Discovery – The implant queries device information via the DeviceInformation class; the results are macOS-specific (e.g., a 13.3-inch display) rather than the iOS data the original implant collected. “[collects a standard set of device information…]”
  • [T1071.001] Web Protocols – C2 communication is performed over WebSockets using SocketRocket, including heartbeats and command updates. “[Communication with the C2 is still performed over WebSockets…]”
  • [T1123] Audio Capture – The AudioRecorder plugin allows recording via the audio subsystem. “[Plugin: AudioRecorder (Plugin ID: 18000)]”
  • [T1113] Screen Capture – The ScreenRecorder plugin provides screen capture capability. “[ScreenRecorder (Plugin ID: 34000)]”

Indicators of Compromise

  • [IP] 103.27.109.217 – Primary C2
  • [Filename] loader – afd03337d1500d6af9bc447bd900df26786ea4a4, and 2 more hashes
  • [Filename] C40F0D27 – fd49866245721acc6e7431ec61b066696b72a1e1, and 2 more hashes
  • [Filename] soundrecord – 0563225dcc2767357748d9f1f6ac2db9825d3cf9
  • [Filename] browser – 476c726b58409a8e3e6cf8fb6bb7d46596917e24
  • [Filename] cameramodule – 33c39728a0393d4271f27cc1d85cf3c1610be333

Read more: https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos