After being used to target iPhones and Android smartphones, the LightSpy spyware is now capable of going after the best MacBooks following the release of an updated version of the surveillance framework.
As reported by BleepingComputer, LightSpy is modular spyware that can steal all sorts of data from its victims including their files, screenshots, location data and more. Up until recently, it was only used to target the best phones and other mobile devices.
Now though, according to a new report from ThreatFabric, a macOS version of LightSpy has been making the rounds online since at least the beginning of this year. Fortunately, it’s still very much in the testing phase.
Here’s everything you need to know about LightSpy along with some tips on how you can stay safe from spyware in general.
Using old flaws to attack Macs
By exploiting a misconfiguration in LightSpy’s control panel, ThreatFabric’s researchers were able to gain unauthorized access to its interface which let them learn more about how the spyware works, its infrastructure and the devices it has infected so far.
In order to surveil Macs using LightSpy, the hackers behind the spyware have been using older security flaws in WebKit (tracked as CVE-2018-4233) and Safari (tracked as CVE-2018-4404) to target macOS version 10.13.3 and earlier.
While a bit technical, the hackers use a 64-bit MachO binary disguised as a PNG image file to execute scripts that then download a second stage payload which contains more exploits and tools to help them gain root access and establish persistence on vulnerable Macs.
From there, they download and execute LightSpy Core on the infected machine, which serves as a central plugin management system for the spyware framework. It also allows for communication between the spyware and a hacker-controlled command and control (C&C) server.
Extracting data using plugins
Unlike with other malware and spyware strains that need to be completely rebuilt to target new devices, LightSpy uses plugins instead. This way new plugins can easily be created and added to the spyware to perform specific actions on compromised devices.
While LightSpy uses 14 plugins on Android and 16 plugins on iPhone, the new macOS version only uses ten. Here’s what they are and what they can do:
- Soundrecord - A sound recording plugin used to capture audio from a Mac’s microphone
- Browser - a data extraction plugin used to steal browsing data from Chrome, Safari and other popular browsers
- Cameramodule - A camera shooting plugin that lets LightSpy take photos using a Mac’s camera
- FileManage - A file exfiltration plugin used to steal files from a Mac itself and from many popular messaging apps like Telegram, WeChat and QQ Messenger
- Keychain - An exfiltration plugin used to steal sensitive data stored on a Mac’s Keychain
- LanDevices - An exfiltration plugin used to identify and gather info on devices on any local network an infected Mac is connected to
- Softlist - A software exfiltration plugin that lists all installed apps and any running processes on a Mac
- ScreenRecorder - A screen recording exfiltration plugin that can record any content on a Mac’s screen
- ShellCommand - A remote shell plugin used to execute shell commands on an infected Mac
- Wifi - An exfiltration plugin that collects data on Wi-Fi networks a Mac is connected to
These are all of the plugins currently used in the Mac version of LightSpy but more could easily be added later. Also, during its investigation, ThreatFabric found references to versions of the spyware for Windows, Linux and Wi-Fi routers but it could not determine how or if they are currently being used in attacks.
How to stay safe from spyware
Spyware remains a dangerous threat that you need to be on the lookout for but unlike with other malware strains, hackers typically only use it when going after high-profile targets like CEOs, politicians and other government officials.
Still though, in order to stay safe from spyware, the first and most important thing you can do is to keep your devices updated and running the latest software. This is because Apple frequently patches iPhone and Mac zero-day flaws which hackers then exploit to install spyware on vulnerable devices. For instance, in this LightSpy campaign targeting Macs, the hackers behind it are using two flaws from 2018 which have been fixed for years now. Cybercriminals love to go after users that haven’t updated their devices yet, so don’t make things easier for them by failing to update your devices in a timely manner.
From here, you should consider using the best Mac antivirus software to help keep your Apple computer safe from spyware and other viruses. macOS does have its own built-in malware scanner in the form of XProtect but paid antivirus software often comes with useful extras like a VPN or password manager to help keep you even safer online.
I seriously doubt this is the last time we’ll hear about the LightSpy spyware which is why you need to be extra careful when opening attachments, clicking on links in emails or messages or downloading files online. With good cyber hygiene and an antivirus, you should be safe from most threats, especially if you take the time to think things through instead of letting your emotions get the best of you.
