The return of LightSpy malware has prompted warnings from security experts about the potential risk to businesses running macOS devices.
LightSpy malware first rose to prominence in 2020, but that variant only targeted iOS devices, while new research claims the latest version was designed to compromise Apple desktops.
The updated version of LightSpy was initially discovered by Blackberry, but the security and IoT company claimed the malware was still targeting mobile devices, while a later report from SMB security specialist Huntress argued this was incorrect and that the new version actually targets Apple’s desktop operating system.
The Huntress report, published on April 25, 2024, disputed Blackberry’s claim, arguing that the sample mentioned by Blackberry only targets the macOS platform.
As evidence, Huntress pointed to the fact that the sample binaries were all compiled for the x86_64 architecture, which excludes the ARM architecture used in iPhones.
Huntress also disputed Blackberry’s claims that the new threat campaign primarily targets individuals in South Asia, arguing that this claim is based solely on the fact that the malware sample was downloaded in India.
For the avoidance of doubt, Huntress’ Stuart Ashenbrenner and Alden Schmidt tested this by running the “file” command on the macOS and iOS examples.
Ashenbrenner and Schmidt found that although the structure of the implant is the same in both variants, the macOS version appears more refined than the iOS version.
Both versions used a dropper to load a series of dynamically loaded modules (dylibs), similar to DLLs in Windows, which are responsible for most of the malware’s malicious capabilities.
But the report notes that the new version of LightSpy offers significantly improved operational security (opsec), more mature development practices and generally better organization.
For example, the iOS version stored its C2 information in plain text, while its macOS counterpart uses a plugin manifest, which should help it evade static detection.
What Businesses Need to Know About LightSpy Malware
In its weekly threat report, security company Check Point said the spyware’s resurgence indicates “an escalation of cyber threats against macOS users”, highlighting the sophisticated techniques it uses, such as payload encryption and dynamic module loading.
Huntress said Apple was clearly aware of this heightened threat level and had introduced a number of new features to try to shore up the platform, including a Lockdown Mode that reduces functionality to limit the attack surface of the target.
Apple also recently brought in additional restrictions for its Transparency, Consent, and Control (TCC) framework, which manages access to sensitive data stored on macOS devices.
Huntress has included some detection opportunities for businesses looking to protect their devices, providing a comprehensive list of Indicators of Compromise (IOCs) for all key elements of the updated variant.
Ashenbrenner and Schmidt also created a number of YARA and Sigma rules that businesses can freely use to detect essential elements of the macOS LightSpy variant, including the implant, loader, and dylibs.
These include a private YARA rule that restricts matches to the relevant binaries, and companies should remember that the other rules depend on it: without this private rule in place, they will not work.
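The dependency caveat above is easy to check before deploying a ruleset. The following is an added example, not code from the Huntress report: it parses a constructed YARA ruleset in which a private Mach-O scoping rule (a common way to restrict matches to macOS binaries; the detection string is a placeholder, not a real indicator) is referenced by a detection rule, and reports any rule whose referenced rules are missing.

```python
# Added example, not code from the Huntress report: lint a YARA ruleset for
# references to rules not defined alongside it, e.g. a private scoping rule.
# Constructed ruleset: the Mach-O magic check is one common way to scope rules
# to macOS binaries; the detection string is a placeholder, not a real IoC.
import re
RULESET = r'''
private rule MachO
{
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or
        uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or
        uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}
rule LightSpy_macOS_Placeholder
{
    strings:
        $s1 = "PLACEHOLDER_NOT_A_REAL_IOC" ascii
    condition:
        MachO and 1 of ($s*)
}
'''
KEYWORDS = {"and", "or", "not", "of", "them", "all", "any", "none", "at", "in", "for",
            "filesize", "entrypoint", "true", "false", "contains", "icontains",
            "matches", "startswith", "endswith", "iequals", "defined"}
RULE_RE = re.compile(r"\b(private\s+)?rule\s+(\w+)[^{]*\{(.*?)\n\}", re.S)

def parse_rules(text):
    """Map each rule name to the text of its condition section."""
    rules = {}
    for _, name, body in RULE_RE.findall(text):
        cond = re.search(r"condition:\s*(.*)", body, re.S)
        rules[name] = cond.group(1) if cond else ""
    return rules

def rule_references(condition):
    """Identifiers in a condition that can only be references to other rules."""
    c = re.sub(r'"[^"]*"|/[^/]*/', "", condition)     # string and regex literals
    c = re.sub(r"[$#@!][\w*]*", "", c)                # $s1, $s*, #s, @s, !s
    c = re.sub(r"\b\w+(\.\w+)+", "", c)               # module fields such as pe.x
    idents = set(re.findall(r"\b[A-Za-z_]\w*\b", c))  # hex literals never match
    return {i for i in idents
            if i not in KEYWORDS and not re.fullmatch(r"u?int(8|16|32)(be)?", i)}

def missing_dependencies(text):
    """Return {rule: [referenced rules that are not defined in this ruleset]}."""
    rules = parse_rules(text)
    dangling = {n: sorted(r for r in rule_references(c) if r not in rules)
                for n, c in rules.items()}
    return {n: d for n, d in dangling.items() if d}
def without_private_rules(text):
    """Simulate shipping the detection rules without their private helpers."""
    return re.sub(r"private\s+rule\s+\w+[^{]*\{.*?\n\}", "", text, flags=re.S)
```

Running `missing_dependencies` on the full ruleset returns an empty dict, while running it on `without_private_rules(RULESET)` reports that the detection rule references the undefined `MachO` rule.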