LightSpy

Overview

Recently, news broke of a watering hole attack utilizing a fully remote iOS exploit chain to deploy a malware family known as LightSpy on iOS devices up to version 12.2. Dubbed Poisoned News, the campaign was also discovered to use similar capabilities to exploit Android devices using malware named dmsSpy. The goal is to compromise as many mobile devices as possible for surveillance of citizens in Hong Kong. The campaign has been attributed to a new APT group called TwoSail Junk.

‍

Analysis

Like all watering-hole campaigns, this one leverages malicious websites that trick visitors with targeted content. This campaign posts links on multiple online forums that draw interest from Hong Kong residents, and leads them to some sites that were created specifically for this campaign and others that are legitimate but were compromised by the malicious actors. For example, the original watering hole site seen in January was meant to mimic a well-known Hong Kong newspaper called Daily Apple.

Using topics such as Coronavirus or general clickbait, the links would lead the user to legitimate-looking websites that leveraged a Safari bug that allows for exploitation of the well-known vulnerability CVE-2019-8605, which allows iOS devices to be jailbroken, but was patched by Apple in the next software update. In this case, LightSpy allows the attacker to remotely execute shell commands in order to manipulate device files. Other functionalities include the extracting contacts, the Keychain, SMS messages, GPS location, browsing history, and local network IP addresses. It can also leverage modules that exfiltrate data from popular messaging platforms.