Recent discoveries have unveiled connections between two sophisticated surveillance tools - Android spyware DragonEgg and iOS surveillanceware LightSpy. Both have been associated with the Chinese nation-state group APT41.
Background on DragonEgg and LightSpy:
DragonEgg was initially reported in July 2023 by Lookout as malware capable of extracting sensitive data from Android devices. It was attributed to the APT41 group. LightSpy, on the other hand, came to light in March 2020, when Apple iPhone users in Hong Kong were targeted with watering hole attacks to install the spyware.
Attack Chains and Trojanized Telegram App:
The attack chains involve a trojanized Telegram app designed to download a second-stage payload (smallmload.jar), which then downloads a third component called Core. This Core module functions as an orchestrator plugin, responsible for various tasks including establishing contact with a remote server, gathering device fingerprints, and updating itself and the plugins.
LightSpy's Capabilities:
LightSpy is highly flexible in terms of configuration, allowing operators precise control over the spyware through an updatable configuration. It uses WebSocket for command delivery and HTTPS for data exfiltration. Notable plugins include location tracking, sound recording (capturing ambient audio and WeChat VOIP conversations), and a billing module (gathering payment history from WeChat Pay).
Command-and-Control (C2) Infrastructure:
LightSpy's C2 infrastructure comprises servers located in Mainland China, Hong Kong, Taiwan, Singapore, and Russia. Interestingly, both LightSpy and WyrmSpy share the same infrastructure. Additionally, a server was identified hosting data from 13 unique phone numbers belonging to Chinese cell phone operators, indicating potential testing numbers or victims' data.
Links Between DragonEgg and LightSpy:
The connections between DragonEgg and LightSpy were identified through similarities in configuration patterns, runtime structure, plugins, and C2 communication format.
Conclusion:
The distribution of the initial malicious stage within a popular messenger app demonstrated a clever tactic by the threat actor group. This approach granted the implant all the access permissions of the carrier application, including private permissions like camera and storage access.
This discovery highlights the evolving sophistication of surveillance tools and the need for robust security measures to safeguard against such threats.