InfoSecBulletin Cybersecurity for mankind
LightSpy mobile espionage campaign, which focuses on targets in Southern Asia and probably India, potentially indicating a renewed focus and grow tensions in the region.
VirusTotal submissions from India suggest potential victims within its borders, aligning with recent warnings by Apple on detections within the same country.
CVSS 9.6: IBM QRadar & Cloud Pak Security Flaws Exposed
ALERT
Thousands of IP addresses compromised nationwide: CIRT warn
New Android Malware ‘Crocodilus’ Targets Banks in 8 Countries
Qualcomm Patches 3 Zero-Days Used in Targeted Android Attacks
Critical RCE Flaw Patched in Roundcube Webmail
Hacker claim Leak of Deloitte Source Code & GitHub Credentials
CISA Issued Guidance for SIEM and SOAR Implementation
Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora
Australia enacts mandatory ransomware payment reporting
Why Govt Demands Foreign CCTV Firms to Submit Source Code?
Technical Details:
Infection vector:
Based on previous campaigns, initial infection likely occurs through compromised news websites carrying stories related to Hong Kong.
Weaponization:
The attack involves a first-stage implant that gathers device information and downloads further stages, including the core LightSpy implant and various plugins for specific spying functions.
Execution Chain:
The Loader starts by loading the encrypted and then decrypted LightSpy kernel. LightSpy is an espionage framework with a plugin system. The Loader loads these plugins, which extend the main LightSpy implant. The plugins are securely retrieved from the threat actor’s server in an encrypted format, decrypted, and then executed in the system environment.
The latest LightSpy campaign utilizes a versatile framework known as “F_Warehouse.” This framework exhibits a wide range of capabilities, enabling it to:
Exfiltrate files: Systematically search and steal files from the compromised mobile device.
Record audio: Covertly capture audio through the device’s microphone.
Perform network reconnaissance: Collect information about WiFi networks the device has connected to.
Track user activity: Harvest browsing history data to monitor online behavior.
Application inventory: Gather details about installed applications on the device.
Capture images: Secretly take pictures using the device’s camera.
Access credentials: Retrieve sensitive data stored within the user’s KeyChain.
Device enumeration: Identify and list devices connected to the compromised system. To read the full report click here.
