Cybersecurity researchers have uncovered a new cyber espionage campaign that targets users in South Asia and delivers an Apple iOS spyware implant known as LightSpy.
“The latest version of LightSpy, named ‘F_Warehouse,’ comes with a modular framework featuring extensive spying capabilities,” the BlackBerry Threat Research and Intelligence Team explained in a recently published report.
Evidence suggests that the campaign may have focused on India based on submissions from within the country on VirusTotal.
Initially identified in 2020 by Trend Micro and Kaspersky, LightSpy is an advanced iOS backdoor distributed through watering hole attacks on compromised news sites.
An analysis by ThreatFabric in October 2023 revealed similarities between the malware and an Android spyware named DragonEgg, associated with the Chinese nation-state group APT41 (Winnti).
The initial infection vector is currently unknown but is suspected to be through breached news websites frequently visited by the targets.
The infection chain starts with a loader that acts as a launchpad: it fetches the core backdoor and its plugins from a remote server and launches them, with the plugins carrying out the actual data collection.
LightSpy is a comprehensive spyware that can gather sensitive information like contacts, SMS messages, location data, and audio recordings during VoIP calls.
The latest version can also steal files, data from messaging apps, iCloud Keychain data, and browser history from popular browsers.
It can also collect information about nearby Wi-Fi networks and installed apps, take pictures, record audio, and execute commands, which potentially gives the operators full control of infected devices.
The implant pins the certificate of its command-and-control server, so its traffic cannot be intercepted by a TLS-inspecting proxy or analysis tool that presents a different certificate; this hampers both detection and analysis of its communications.
The source code indicates the involvement of native Chinese speakers, hinting at state-sponsored activity. LightSpy communicates with a server located at 103.27[.]109[.]217.
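As an added example (not code from the article, from BlackBerry, or from the malware itself), the following Python refangs the defanged C2 address quoted above and matches it against a constructed sample of connection-log lines. The log format, the sample lines and the function names are assumptions made for the illustration.

```python
import ipaddress
import re
from typing import Iterable, List, Optional

# Indicator from the report quoted above, in the defanged form the article uses.
LIGHTSPY_C2_DEFANGED = "103.27[.]109[.]217"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('103.27[.]109[.]217', 'hxxp://...') back into a matchable form."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.IGNORECASE)
    return s


# Constructed sample of firewall/flow log lines (not real telemetry). The
# "ts conn src:port -> dst:port ..." layout is an assumed format for this example.
SAMPLE_LOG = """\
2024-04-10T09:12:44Z conn 10.0.5.23:51744 -> 17.253.144.10:443 proto=tcp bytes=5120
2024-04-10T09:13:01Z conn 10.0.5.23:51790 -> 103.27.109.217:443 proto=tcp bytes=88341
2024-04-10T09:13:05Z conn 10.0.7.8:40211 -> 142.250.74.46:443 proto=tcp bytes=1024
2024-04-10T09:15:30Z conn 10.0.5.23:51802 -> 103.27.109.217:8443 proto=tcp bytes=204
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+conn\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into its fields; returns None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_c2_hits(log_lines: Iterable[str], indicators: Iterable[str]) -> List[dict]:
    """Return every parsed log record whose destination IP equals one of the (refanged) IP indicators."""
    wanted = set()
    for ioc in indicators:
        try:
            wanted.add(str(ipaddress.ip_address(refang(ioc))))
        except ValueError:
            continue  # not an IP address (domain/URL indicators are out of scope for this IP-only check)
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec and rec["dst"] in wanted:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG.splitlines(), [LIGHTSPY_C2_DEFANGED]):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']}  possible LightSpy C2 contact")
```

Because the implant pins its C2 certificate, a TLS-inspecting proxy cannot read the session contents, but the destination address is still visible in flow and firewall logs, which is why a plain address match like this one still works. Treat a hit as a lead rather than proof: the address can be reassigned over time, so confirm against the current report before acting on it.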
Apple recently sent threat notifications to users in 92 countries, including India, warning them that they may have been targeted by mercenary spyware attacks.
“The return of LightSpy, now equipped with the versatile ‘F_Warehouse’ framework, signals an escalation in mobile espionage threats,” BlackBerry noted.
“The advanced capabilities of the spyware pose a serious risk to individuals and organizations in Southern Asia.”