LightSpy's C2 communication is performed over WebSockets using the open source library SocketRocket with functionality such as, heartbeat, receiving commands, and updating command status.^[2]

LightSpy uses Apple's built-in AVFoundation Framework library to capture and manage audio recordings then transform them to JSON blobs for exfiltration.^[2]

To collect data on the host's Wi-Fi connection history,LightSpy reads the/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist file. It also utilizes Apple'sCWWiFiClient API to scan for nearby Wi-Fi networks and obtain data on the SSID, security type, and RSSI (signal strength) values.^[2]

LightSpy performs an in-memory keychain query viaSecItemCopyMatching() then formats the retrieved data as a JSON blob for exfiltration.^[2]

On macOS,LightSpy checks the existence of a process identification number (PID) file,/Users/Shared/irc.pid, to verify ifLightSpy is currently running.^[2]

To exfiltrate data,LightSpy configures each module to send an obfuscated JSON blob to hardcoded URL endpoints or paths aligned to the module name.^[2]

LightSpy uses theNSFileManager to move, create and delete files.LightSpy can also use the assemblybt instruction to determine a file's executable permissions.^[2]

On macOS,LightSpy downloads a.json file from the C2 server. The.json file contains metadata about the plugins to be downloaded, including their URL, name, version, and MD5 hash.LightSpy retrieves the plugins specified in the.json file, which are compiled.dylib files. These.dylib files provide task and platform specific functionality.LightSpy also imports open-source libraries to manage socket connections.^[2]

To collect data on the host's Wi-Fi connection history,LightSpy reads the/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist file.It also utilizes Apple's CWWiFiClient API to scan for nearby Wi-Fi networks and obtain data on the SSID, security type, and RSSI (signal strength) values.^[2]

LightSpy's configuration file is appended to the end of the binary. For example, the last0x1d0 bytes of one sample is an AES encrypted configuration file with a static key of3e2717e8b3873b29.^[2]

LightSpy encrypts the C2 configuration file using AES with a static key, while the module.dylib files use a rolling one-byte encoding for obfuscation.^[2]

If sent the command16002,LightSpy uses theNSWorkspace runningApplications() method to collect the process ID, path to the executable, bundle information, and the filename of the executable for all running applications.^[2]

LightSpy uses Apple's built-in AVFoundation Framework library to access the user's camera and screen. It uses theAVCaptureStillImage to take a picture using the user's camera and theAVCaptureScreen to take a screenshot or record the user's screen for a specified period of time.^[2]

LightSpy's main executable and module.dylib binaries are loaded using a combination ofdlopen() to load the library,_objc_getClass() to retrieve the class definition, and_objec_msgSend() to invoke/execute the specified method in the loaded class.^[2]

If sent the command16001,LightSpy uses theNSFileManger contentsOfDirectoryAtPath() to enumerate the Applications folder to collect the bundle name, bundle identifier, and version information from each application'sinfo.plist file. The results are then converted into a JSON blob for exfiltration.^[2]

LightSpy's second stage implant uses theDeviceInformation class to collect system information, including CPU usage, battery statistics, memory allocations, screen size, etc.^[2]

LightSpy has used both HTTPS and Websockets to communicate with the C2.^[3][4][5]

LightSpy collects and compresses data to be exfiltrated using SSZipArchive.^[5][4]

LightSpy has captured environment audio, phone calls and Voice over IP (VoIP) calls.^{[6][1][3][4][5]}

LightSpy has established auto-start execution during the system boot process.^[4]

LightSpy has plugins for executing shell commands either from the C2 server or a library file calledzt.dylib.^[1][4][5]

LightSpy has accessed the device’s KeyChain data.^[1][4][7][5]

LightSpy has deleted media files and messenger-related files on the device.^[4] Additionally,LightSpy has used the AppDelete plugin to remove multiple messaging applications, such as WeChat, QQ, Telegram, Line and Whatsapp.^[5]

LightSpy has collected and exfiltrated files from messaging applications, such as Telegram, QQ, WeChat, and Whatsapp, and browser history from Chrome and Safari.^{[1][3][4][7][5]}

LightSpy gains initial execution when a victim visits a compromised or adversary-controlled website, including those mimicking legitimate sources such as a Hong Kong newspaper. Upon loadingindex.html, a Safari WebKit exploit is triggered, leading to the download of a Mach-O binary disguised with a.png extension.^[6][7][5][4]

LightSpy has used the DeleteSpring plugin to render the device’s user interface inoperable by disabling SpringBoard, which is iOS's home screen manager.^[5]LightSpy has used the BootDestroy plugin to prevent the victim device from booting by modifying the NVRAM parameterauto-boot tofalse.^[5] Additionally,LightSpy has renamed the Wi-Fi daemon to disable wireless connectivity.^[5]

LightSpy has exfiltrated collected data to the C2.^[5]

LightSpy has compromised iPhones running iOS 12.1 and 12.2 without any user interaction.^[7]

LightSpy uses the embeddedtime_waste function to bypass standard iOS API restrictions and enable unauthorized audio/video recording. This exploit injects a.dylib into theSpringBoard process, allowing persistent access to audio and video capture.^[5][4]

LightSpy has retrieved files from the C2 server.^[1][4] Examples of files from the C2 areamfidebilitate (jailbreak component),jbexec (executable to verify jailbreak),bb (FrameworkLoader),cc (launchctl binary for persistence),b.plist (configuration for auto-start), andresources.zip, which contains additional jailbreak-related components.^[5]

LightSpy has accessed the device’s GPS location.^[1][3][7][5]

LightSpy has masqueraded a Mach-O executable as a png file.^[4][5]

LightSpy's main executable and modules use native libraries to execute targeted functionality.^[3][1][5][4]

LightSpy uses thelandevices module to enumerate devices on the same WiFi network through active scanning.^[4][5][7]

LightSpy has communicated with the C2 using ports 52202, 51200, 43201, 43202, 43203, and 21202.^[3]

Using an XOR-chain algorithm,LightSpy decrypts an embedded configuration blob containing URLs for jailbreak components and next-stage payloads. It also decrypts modules in memory and on disk using AES-ECB with the hardcoded key3e2717e8b3873b29.^[3][1][4][5] Additionally,LightSpy’s plugins have been encrypted during transmission.^[5]

LightSpy has delivered malicious links through Telegram channels and Instagram posts.^[6][7]

LightSpy has collected a list of running processes.^[4][5]

LightSpy injects libcynject.dylib into the SpringBoard process to enable audio/video recording.^[5]

LightSpy has accessed the device’s call log.^{[1][3][4][7][5]}

LightSpy has accessed the device’s contact list.^{[1][3][4][7][5]}

LightSpy has accessed SMS messages.^[1][3][4][5]

LightSpy has a plugin that can take screenshots.^[4][5]

LightSpy has sent and deleted SMS messages.^[3][4][5]

LightSpy has accessed a list of installed applications.^[1][3][4][5]

LightSpy has collected payment history from WeChat Pay.^[1][3][5]

LightSpy collects device information, including the phone number, IMEI, CPU details, screen specifications, and memory information.^[5][4][3][1]

LightSpy has collected device information such as IMEI, phone number, MAC address and IP address.^[5]

LightSpy uses the WifiList (orlibWifiList) plugin to gather Wi-Fi network information, such as the SSID, BSSID, signal strength (RSSI), channel, security type, and previously saved networks.^[1][5][4][3]

LightSpy has collected a list of cellular networks and connected Wi-Fi history using a LAN scanner based on MMLanScan.^{[6][1][3][4][7]}

LightSpy has the ability to take one picture, continuous pictures or event-related pictures using the device’s camera.^{[6][1][3][4][5]} For iOS devices, the default file type for pictures is in High Efficiency Image Format (HEIC); for Android devices, the default file type for pictures is in JPEG format.

^[1]