Back

LightSpy: Implant for macOS

May 30, 2024, 11:31 a.m.

Tags

lightspy
exploit
macos
2024-05-30

External References

https://www.threatfabric.com/

https://otx.alienvault.com/

Description

A technical analysis reveals details about LightSpy, a sophisticated surveillance framework that targeted macOS devices using publicly available exploits. The report provides insights into the threat actor's tactics, including exploiting vulnerabilities to deliver implants, exfiltrating private data through various plugins, and maintaining persistent access to infected systems. The analysis uncovers the attack chain, malware capabilities, administration panel, and potential victimology.

Date

Published Created Modified
May 30, 2024, 11:29 a.m. May 30, 2024, 11:29 a.m. May 30, 2024, 11:31 a.m.

Indicators

ff4332365b1628f88bc84bec102b534e5a6e9a32b2fc61dd43c951a338f976d8

fcd864b79d6108c7e6615a5e1202669098ea34ab431624f6b0ab762229937552

fbd3f8c8f4b2f4a0c73855e35f96797ef3c5aa6fa11d89081cdacd942e18c933

e3735950775fbdae7bbcc4a49c09372f605ae021fff8ff32340c794af14a7e47

db3b7989f6c410a43c839a933343a66f706c6ad65c2031b628b059a8df774038

cf709c7b4c68e6d81f8239b4275dac8eb0b026f05934b81867e645dd389d65fb

c984bbdcdff4d84fb5e07924cc94ad44da153865d444652e8676dc9751e121f7

c6bad1ef115cacd81fa00a235f7ffd34c187e5b05bf9bcf500f7639b632f1480

ba4d77387c7b5761893ca2b1e75b2d05733d3fbfb1bb3a2bad81cfc8f641545b

adf5a55988a457a8de234b652eae8fd2a0f0c2187cb9ede28ee5e22aba252d70

9b58e3a82b14e329dab6108a5f25d20edd50cac95072dac420c94718ed8c1764

9aae47b5c3673e7dd3f542913f91abbea3cc93f01275583169e33f6e1e443260

97607d1b12d7234a42a62cdff4d6a7b2b5b93bf38d827b9e4448b0d7bd5da464

8d729aa29db506f1abe4ed8ab7406e0017dc3f5fc1b3c7c8e7b59af41f07c650

8a4f8a755ca123e9c3aa77b525f59ce99f1f2e288afc2e29afb6d15573776a16

848e4e30987d526413d80c450652d4cef55d931c932edd722c1055b8b1450502

7ed786a259982cce0fad8a704547c72690970145b9587d84ee6205b7c578b663

768f1cb8b8ac45c6e854f0320f833367cf7aa69279fd82aa1a6c3bc3d765ce7e

75a571d33a7c11fb5515a08a46fcb67dabbcb3fd4cbf69894ab82e394e68679c

65dee715b928f07da356e8bce7a762b0ab4c140ebea63e4bd66c2eb85e0fa2dc

4e7c9bd8c623d7de9dc225fbdc9305f32c961f473acb99256012ccf6d45ba494

4cbc70b1c7d4ccc593fad895299e88a6734c8f4687f37f43850996f7fa076df9

47719e45d14c9700928979cdb33fe0b58677d2566bc0848de7858c2f05566d76

4607dfdd78fcb8d6bf94ecc34cf125f20e4ea94ac9fce002d9e7cd7956a707dd

2c2471150aacc8443aa92a6063a848e8bb9dbcc8e369fb378c003d98bceaa728

2b4fbd5aa06f70d84091d2f7cca4bd582237f1a1084835c3c031a718b6e283f9

23d0b9ae73145106cffe56719526801e024092cd6d25b9628ae3d9995b0b5395

22b0f53bb7ff5047b2d2f77f9cc4f1a503bde2fa2b279fa999e48fb656c42782

21b099c7eadd1d6895e025f670fc660769e617794400f35c52b4726fc546cb68

1d499c401d8854b6331d3b531fc57418dd2b132861e0448ae198dcbea41484ab

048ab442a2617f37c3145c0c2bdda057baa09e017a29e649f17d43c95a34e69f

fc7e77a56772d5ff644da143718ee7dbaf7a1da37cceb446580cd5efb96a9835

d2ccbf41552299b24f186f905c846fb20b9f76ed94773677703f75189b838f63

ac6d34f09fcac49c203e860da00bbbe97290d5466295ab0650265be242d692a6

65aa91d8ae68e64607652cad89dab3273cf5cd3551c2c1fda2a7b90aed2b3883

5fb67d42575151dd2a04d7dda7bd9331651c270d0f4426acd422b26a711156b5

4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4

4511567b33915a4c8972ef16e5d7de89de5c6dffe18231528a1d93bfc9acc59f

3d6ef4d88d3d132b1e479cf211c9f8422997bfcaa72e55e9cc5d985fd2939e6d

18bad57109ac9be968280ea27ae3112858e8bc18c3aec02565f4c199a7295f3a

0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c

0f662991dbd0568fc073b592f46e60b081eedf0c18313f2c3789e8e3f7cb8144

103.27.109.217

Attack Patterns

T1146

T1109

T1556

T1119

T1064

T1110

T1213

T1555

T1592

CVE-2018-4404

CVE-2018-4233