LightSpy: Implant for macOS

May 30, 2024, 11:31 a.m.

Description

A technical analysis of LightSpy, a surveillance framework whose macOS implant was delivered with publicly available exploits (the two 2018 CVEs listed under Attack Patterns below). The report covers the threat actor's tactics: exploiting those vulnerabilities to drop the implant, exfiltrating private data through a set of plugins, and keeping persistent access to infected hosts. It walks through the attack chain, the malware's capabilities, the administration panel, and the likely victimology.

Date

  • Created: May 30, 2024, 11:29 a.m.
  • Published: May 30, 2024, 11:29 a.m.
  • Modified: May 30, 2024, 11:31 a.m.

Indicators (SHA-256 file hashes and one IPv4 address)

  • ff4332365b1628f88bc84bec102b534e5a6e9a32b2fc61dd43c951a338f976d8
  • fcd864b79d6108c7e6615a5e1202669098ea34ab431624f6b0ab762229937552
  • fbd3f8c8f4b2f4a0c73855e35f96797ef3c5aa6fa11d89081cdacd942e18c933
  • e3735950775fbdae7bbcc4a49c09372f605ae021fff8ff32340c794af14a7e47
  • db3b7989f6c410a43c839a933343a66f706c6ad65c2031b628b059a8df774038
  • cf709c7b4c68e6d81f8239b4275dac8eb0b026f05934b81867e645dd389d65fb
  • c984bbdcdff4d84fb5e07924cc94ad44da153865d444652e8676dc9751e121f7
  • c6bad1ef115cacd81fa00a235f7ffd34c187e5b05bf9bcf500f7639b632f1480
  • ba4d77387c7b5761893ca2b1e75b2d05733d3fbfb1bb3a2bad81cfc8f641545b
  • adf5a55988a457a8de234b652eae8fd2a0f0c2187cb9ede28ee5e22aba252d70
  • 9b58e3a82b14e329dab6108a5f25d20edd50cac95072dac420c94718ed8c1764
  • 9aae47b5c3673e7dd3f542913f91abbea3cc93f01275583169e33f6e1e443260
  • 97607d1b12d7234a42a62cdff4d6a7b2b5b93bf38d827b9e4448b0d7bd5da464
  • 8d729aa29db506f1abe4ed8ab7406e0017dc3f5fc1b3c7c8e7b59af41f07c650
  • 8a4f8a755ca123e9c3aa77b525f59ce99f1f2e288afc2e29afb6d15573776a16
  • 848e4e30987d526413d80c450652d4cef55d931c932edd722c1055b8b1450502
  • 7ed786a259982cce0fad8a704547c72690970145b9587d84ee6205b7c578b663
  • 768f1cb8b8ac45c6e854f0320f833367cf7aa69279fd82aa1a6c3bc3d765ce7e
  • 75a571d33a7c11fb5515a08a46fcb67dabbcb3fd4cbf69894ab82e394e68679c
  • 65dee715b928f07da356e8bce7a762b0ab4c140ebea63e4bd66c2eb85e0fa2dc
  • 4e7c9bd8c623d7de9dc225fbdc9305f32c961f473acb99256012ccf6d45ba494
  • 4cbc70b1c7d4ccc593fad895299e88a6734c8f4687f37f43850996f7fa076df9
  • 47719e45d14c9700928979cdb33fe0b58677d2566bc0848de7858c2f05566d76
  • 4607dfdd78fcb8d6bf94ecc34cf125f20e4ea94ac9fce002d9e7cd7956a707dd
  • 2c2471150aacc8443aa92a6063a848e8bb9dbcc8e369fb378c003d98bceaa728
  • 2b4fbd5aa06f70d84091d2f7cca4bd582237f1a1084835c3c031a718b6e283f9
  • 23d0b9ae73145106cffe56719526801e024092cd6d25b9628ae3d9995b0b5395
  • 22b0f53bb7ff5047b2d2f77f9cc4f1a503bde2fa2b279fa999e48fb656c42782
  • 21b099c7eadd1d6895e025f670fc660769e617794400f35c52b4726fc546cb68
  • 1d499c401d8854b6331d3b531fc57418dd2b132861e0448ae198dcbea41484ab
  • 048ab442a2617f37c3145c0c2bdda057baa09e017a29e649f17d43c95a34e69f
  • fc7e77a56772d5ff644da143718ee7dbaf7a1da37cceb446580cd5efb96a9835
  • d2ccbf41552299b24f186f905c846fb20b9f76ed94773677703f75189b838f63
  • ac6d34f09fcac49c203e860da00bbbe97290d5466295ab0650265be242d692a6
  • 65aa91d8ae68e64607652cad89dab3273cf5cd3551c2c1fda2a7b90aed2b3883
  • 5fb67d42575151dd2a04d7dda7bd9331651c270d0f4426acd422b26a711156b5
  • 4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4
  • 4511567b33915a4c8972ef16e5d7de89de5c6dffe18231528a1d93bfc9acc59f
  • 3d6ef4d88d3d132b1e479cf211c9f8422997bfcaa72e55e9cc5d985fd2939e6d
  • 18bad57109ac9be968280ea27ae3112858e8bc18c3aec02565f4c199a7295f3a
  • 0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c
  • 0f662991dbd0568fc073b592f46e60b081eedf0c18313f2c3789e8e3f7cb8144
  • 103.27.109.217

Attack Patterns

  • T1146 Clear Command History (deprecated; now T1070.003 Indicator Removal: Clear Command History)
  • T1109 Component Firmware (deprecated; now T1542.002 Pre-OS Boot: Component Firmware)
  • T1556 Modify Authentication Process
  • T1119 Automated Collection
  • T1064 Scripting (deprecated; now T1059 Command and Scripting Interpreter)
  • T1110 Brute Force
  • T1213 Data from Information Repositories
  • T1555 Credentials from Password Stores
  • T1592 Gather Victim Host Information
  • CVE-2018-4404
  • CVE-2018-4233