LightSpy Malware Variant Targeting macOS

May 1, 2024, 11:07 p.m.

Description

This report details the discovery of a macOS variant of the LightSpy malware, previously known to target iOS and Android devices. The macOS implant consists of a dropper that downloads and runs a core implant dylib, which in turn loads various plugins to accomplish malicious tasks. The report provides a technical analysis of the malware components, including the droppers, implants, and plugins, highlighting key differences from the iOS version. It also discusses the communication with the command-and-control (C2) server and the data collection capabilities of the malware. The report aims to raise awareness about the evolving threats targeting the macOS platform.

Date

Published: April 29, 2024, 6:41 p.m.
Created: April 29, 2024, 6:41 p.m.
Modified: May 1, 2024, 11:07 p.m.

Indicators


Attack Patterns

LightSpy

APT 41

T1598.001

T1592.003

T1592.001

T1071.002

T1001.003

T1588.001

T1592.002

T1003.002

T1003.001

T1497.001

T1071.001

T1070.004

T1562.001

T1070

T1083

T1033