Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users
Summary:
Cybersecurity researchers have discovered a resurfaced cyber espionage campaign targeting users in South Asia to deliver an Apple iOS spyware implant called LightSpy. LightSpy is a sophisticated iOS implant, first reported in 2020 by Trend Micro in connection with a watering-hole attack, distributed through “poisoned” news sites, against Apple device users amid escalating political tensions in Hong Kong. Specifically, it is a fully featured modular surveillance toolset that primarily focuses on exfiltrating victims’ private information, including hyper-specific location data and sound recording during voice over IP (VoIP) calls. LightSpy has since expanded its capabilities to include file theft from popular messaging apps, covert recording of audio from a device, harvesting of device camera data, browser history and Wi-Fi connections, and the potential for shell command injection. Based on evidence such as code comments and error messages, the attackers are strongly suspected to be native Chinese speakers. Another piece of evidence reinforcing the campaign’s Chinese origin is a Chinese-language warning message displayed when incorrect login credentials are entered into LightSpy’s operator panel. Although mobile spyware is hyper-targeted, typically deployed against journalists, activists, politicians, and diplomats, it can still have global implications.
Although the initial intrusion vector is presently unknown, based on the previous LightSpy campaign it is suspected to be compromised news websites known to be visited by the targets. The campaign involves a multi-stage attack that begins by gathering device information and then downloading further stages to continue the attack chain. The loader retrieves plugins that extend the main implant’s functionality. The operators have a particular interest in secure messaging platforms and in documents containing sensitive information. In addition to its reconnaissance abilities, LightSpy can use one of its plugins to execute shell commands and take full control of a victim’s device, making it even more dangerous.
Security Officer Comments:
LightSpy is particularly dangerous to victims, with a myriad of consequences, especially a threat actor’s ability to locate a target with deadly accuracy. One of LightSpy’s capabilities is a plugin that can harvest data from WeChat, a platform that is most popular in China, Malaysia, India, Russia, Japan, South Korea, the US, and Indonesia. The majority of users reside in South Asian countries, which underscores that this LightSpy campaign has a targeted approach that is most effective in that specific region. The malware’s revival, paired with the targeted nature of this campaign and the attackers’ suspected Chinese origin, could suggest the campaign’s motivation is geopolitical. This lends weight to the cautionary warnings many technology firms have published in recent months regarding the looming danger of state-sponsored efforts to manipulate electoral outcomes.
Suggested Corrections:
The BlackBerry Threat Research and Intelligence Team recommends:
In addition to these recommendations, individuals should follow security best practices for mobile devices. The BlackBerry Threat Research and Intelligence Team has published relevant IOCs in its report:
BlackBerry Threat Research and Intelligence Team’s LightSpy Report
Link(s):
https://thehackernews.com/2024/04/chinese-linked-lightspy-ios-spyware.html