Cybersecurity experts have discovered an advanced macOS variant of the LightSpy spyware, previously known for targeting iOS users.
Research teams uncovered this previously undocumented variant, revealing that the LightSpy framework is capable of infecting multiple platforms, including Android, iOS, Windows, macOS, Linux, and various routers.
The attackers utilized publicly available exploits (CVE-2018-4233 and CVE-2018-4404) to deploy the macOS implants, targeting macOS version 10, with parts of the exploit chain derived from the Metasploit framework.
LightSpy, first reported in 2020, was initially linked to the DragonEgg Android surveillance tool. Recently, BlackBerry highlighted a cyber espionage campaign in South Asia involving an iOS variant of LightSpy, which has now been confirmed to have a sophisticated macOS counterpart utilizing a plugin-based system to gather extensive information.
Researchers noted that while the spyware sample was uploaded to VirusTotal from India, this does not necessarily indicate an active campaign in that region. The macOS variant has been in use since January 2024, primarily affecting about 20 test devices.
The infection process begins with exploiting a Safari WebKit flaw (CVE-2018-4233) through malicious HTML pages, leading to the delivery of a disguised 64-bit Mach-O binary. This binary extracts and runs a shell script, which fetches additional payloads: a privilege escalation exploit, an encryption/decryption utility, and a ZIP archive. The script assigns root privileges to these components, ensuring persistence across system reboots.
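The delivery stage above hinges on a Mach-O executable that is disguised as something else. As an added illustration for defenders (not code from the report or from the researchers), the following Python checks a file's Mach-O header by magic number, so a 64-bit executable is recognised regardless of the name or extension it carries; the sample header bytes are constructed rather than taken from the LightSpy implant, and the extension list and function names are assumptions.

```python
import struct
from typing import Optional

# Mach-O magic values from Apple's <mach-o/loader.h> / <mach-o/fat.h>.
MH_MAGIC_64 = 0xFEEDFACF  # 64-bit Mach-O, file's native byte order
MH_CIGAM_64 = 0xCFFAEDFE  # same header, opposite byte order
MH_MAGIC_32 = (0xFEEDFACE, 0xCEFAEDFE)  # 32-bit Mach-O, either order
FAT_MAGIC_BYTES = b"\xca\xfe\xba\xbe"  # multi-architecture wrapper, big-endian
CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64", 0x00000007: "i386"}
FILE_TYPES = {2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
# Assumed list of extensions a Mach-O executable should never carry.
NON_EXEC_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt", ".html", ".zip")

def identify_macho(data: bytes) -> Optional[dict]:
    """Classify a blob by its magic number alone; None means 'not Mach-O'."""
    if len(data) < 4:
        return None
    if data[:4] == FAT_MAGIC_BYTES:
        return {"format": "fat"}
    magic = struct.unpack("<I", data[:4])[0]
    if magic in MH_MAGIC_32:
        return {"format": "macho32"}
    if magic == MH_MAGIC_64:
        order = "<"
    elif magic == MH_CIGAM_64:
        order = ">"
    else:
        return None
    if len(data) < 32:
        return {"format": "macho64", "truncated": True}
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    _, cputype, _, filetype, ncmds, _, flags, _ = struct.unpack(order + "IiiIIIII", data[:32])
    return {
        "format": "macho64",
        "cpu": CPU_TYPES.get(cputype, hex(cputype)),
        "filetype": FILE_TYPES.get(filetype, str(filetype)),
        "ncmds": ncmds,
        "pie": bool(flags & 0x200000),  # MH_PIE
    }

def looks_disguised(name: str, data: bytes) -> bool:
    """True when the file name claims a harmless document but the bytes are Mach-O."""
    return identify_macho(data) is not None and name.lower().endswith(NON_EXEC_SUFFIXES)

# Constructed sample (not a LightSpy artifact): x86_64 MH_EXECUTE header, 17 load commands.
SAMPLE_HEADER = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 17, 1536, 0x200085, 0)
```

Only the first 32 bytes of a file are needed, so the check is cheap enough to run over a download directory or a mail attachment store.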
The macOS version of LightSpy supports 10 plugins for various surveillance activities, including capturing audio, taking photos, recording screen activity, harvesting files, executing shell commands, and extracting browser and iCloud Keychain data. Additional plugins can capture network information, including details about connected devices and nearby Wi-Fi networks.
Researchers also discovered a misconfiguration that allowed access to the command-and-control (C2) panel, providing insight into the victims and associated data. The threat actors focused on intercepting victim communications, including messenger conversations and voice recordings, and designed a specialized network discovery plugin for macOS to identify nearby devices.
This discovery coincides with recent attacks targeting Android devices with banking trojans like BankBot and SpyNote, as well as Pegasus spyware attacks on journalists and activists in Eastern Europe.
To prevent infection by the LightSpy spyware, users should ensure their macOS devices are updated with the latest security patches. It is crucial to avoid clicking on suspicious links or downloading attachments from untrusted sources. Organizations should conduct security awareness training to educate employees on identifying and mitigating phishing attempts and other cyber threats.