APT 41 Used Android, iOS Surveillance Malware to Target APAC Victims Since 2018
Security researchers linked a surveillance toolkit called LightSpy to Chinese cyberespionage group APT41. The group used spam messages to convince users download a malicious WeChat application from third-party app stores.
See Also: Live Webinar | Cyber Resilience: Recovering from a Ransomware Attack
Security researchers at ThreatFabric attributed use of LightSpy surveillance malware to the state-sponsored hacking group, also tracked as Wicked Panda. Unlike most threat actors, APT41has a history of using a variety of surveillance malware, compatible with iOS and Android devices. Cybersecurity firm Kaspersky detected LightSpy in 2020 in a watering hole attack targeting iOS users in Hong Kong.
LightSpy is capable of obtaining and exfiltrating accurate private information from victim devices to its command and control server. Information may include the precise location of the victim inside a building, payment data, call recordings and chat archives.
ThreatFabric said the malware contains dozens of plugins that feature surveillance and data exfiltration capabilities.
APT41 had been associated with web application attacks and software vulnerability exploitation but recently switched tactics to develop malware specific to mobile operating systems.
Cybersecurity company Lookout in July said the threat group, also tracked as Barium, Earth Baku and Winnti, used WyrmSpy and DragonEgg surveillance malware to target Android mobile devices (see: Chinese Threat Group APT41 Linked to Android Malware Attacks).
Researchers at ThreatFabric analyzed IP addresses, hashes and malware samples published by Lookout and concluded with high confidence that the same threat group was responsible for using the DragonEgg and LightSpy surveillance malware.
The C2 path of both malware versions contains the same unique identifier and the word “light,” and the two malware versions share the same configuration pattern and runtime structure. Their structure incorporates a “core” in which threat actors can add dynamically updatable modules supporting multiple functions.
The Android and iOS malware versions also sends JSON data to the server with the command ID and the execution server, featured similar API endpoints, and exfiltrates a list of Wi-Fi networks that were nearby to the same backend API endpoints.
According to ThreatFabric, the threat actors used an malicious version of WeChat to gain broad access permissions to a targeted device and used LightSpy to exfiltrate internal private information such as communications archive, contacts list and stored files.
The threat group has active servers in China, Singapore and Russia, and it primarily targeted victims in the Asia-Pacific region.
“LightSpy may access internal private information from messenger including communications archive, contacts list and stored files, which is extremely important in case superuser privileges are unavailable on the device,” the firm said. “We assume that such a technique when messengers are carriers of malicious code is extremely dangerous as well as hardly detectable.”