Banking security firm ThreatFabric has found evidence that LightSpy, an iPhone spyware discovered in 2020, is more sophisticated than previously reported and could be linked to the infamous Chinese-sponsored threat group APT41.
During the investigation, ThreatFabric researchers discovered new features in the LightSpy malware. The spyware was first used in a watering hole attack against iOS users in Hong Kong in January 2020.
These new features include 14 plugins responsible for private data exfiltration and a core implant that supports 24 commands, including the ability to gather device fingerprints, establish a full connection with the threat actor’s command-and-control (C2) server, and retrieve orders from the server.
What Is LightSpy Spyware?
Three of the 14 LightSpy plugins were of particular significance to the researchers. These are:
- Location module plugin, responsible for tracking users' current location via snapshots taken during specific time intervals.
- Sound record plugin which can start a microphone recording, even during incoming phone calls. Furthermore, the plugin can record WeChat VoIP audio conversations using a native library called libwechatvoipCoMm[dot]so.
- Bill plugin: This plugin is responsible for stealing the payment history of WeChat Pay, which includes the last bill ID, bill type, transaction ID, date, and payment processing flag.
These findings led the ThreatFabric researchers to conclude that LightSpy was linked to DragonEgg, an Android spyware implant discovered by Lookout in July 2023 and attributed to the Chinese cyber espionage group APT41.
This is the first time there has been a connection observed between LightSpy and APT41.
It was also discovered that LightSpy’s infrastructure contains dozens of servers in mainland China, Hong Kong, Taiwan, Singapore and Russia. The group’s primary targets are estimated to be located in the Asia-Pacific region.
“LightSpy was a fully-featured modular surveillance tool set with a strong focus on victim private information exfiltration such as fine location data (including building floor number), sound recording during VOIP calls [and] payment data exfiltration from WeChat Pay backend infrastructure,” reads the report.
ThreatFabric researchers believe that WyrmSpy (aka AndroidControl), another spyware discovered in July 2023 alongside DragonEgg, shares the same infrastructure as LightSpy and “could be its successor.”
Who Are APT41?
APT41 is a hacking group formed in 2012 with alleged ties to the Chinese Ministry of State Security (MSS). It is also known as BARIUM, Double Dragon, Wicked Panda and Wicked Spider.
APT41 stands out from the rest of the cyber threat landscape as it conducts both state-sponsored cyber espionage campaigns and financially motivated cybercrime heists.
Although this is also the case for most North Korean threat groups, the rationale behind APT41 is different. The group only performs financially motivated cyber-attacks in its downtime and without state authorization while spending most of its time deploying espionage operations supported by the Chinese regime – an approach known as "moonlighting."
Read more: Chinese Cyber Power Bigger Than the Rest of the World Combined