LightSpy Monitoring Framework Discovered for macOS

TapTechNews May 31 news, the network security company ThreatFabric released a report on May 29, discovering the macOS version of the LightSpy monitoring framework, indicating that the behind-the-scenes developers have begun to expand the attack range and scrape relevant data on Apple Mac devices.

The LightSpy monitoring framework was previously limited to Apple's iOS and Google's Android systems. It is a modular monitoring framework used to steal various data in devices, including files, screenshots, location data (including building floors), voice recordings during WeChat calls, payment information of WeChat Pay, and other data of Telegram and QQ.

ThreatFabric's report stated that at least in January of this year, a case of macOS implant attack was discovered, indicating that hackers have already used this framework to launch attacks against Apple Mac devices.

The report said that the LightSpy monitoring framework mainly exploits the WebKit vulnerabilities with tracking numbers CVE-2018-4233 and CVE-2018-4404 to trigger code execution in the Safari browser, mainly targeting macOS 10.13.3 and earlier versions.

TapTechNews briefly introduces the following steps of the framework's exploitation:

In the first stage, a 64-bit MachO binary disguised as a PNG image file (20004312341.png) is transferred to the device, decrypted and executes the embedded script to obtain the content of the second stage.

In the second stage, the payload downloads a privilege escalation vulnerability (ssudo), an encryption/decryption utility (dsds), and a ZIP archive (mac.zip), which contains two executable files (update and update.plist).

Ultimately, the shell script decrypts and unpacks these files to gain root access to the compromised device and establishes persistence in the system by configuring the update binary to run at startup.