LightSpy macOS Version Discovered: What You Need to Know

Researchers have identified a macOS version of the LightSpy surveillance framework, previously known for targeting Android and iOS devices. The finding confirms that LightSpy's reach extends beyond mobile platforms and puts macOS users in scope. The details are below.

LightSpy’s Expanding Threat Landscape

LightSpy is a complex surveillance tool used to steal a wide range of data from compromised devices. It can extract files, capture screenshots, log location data, record voice calls on WeChat, and siphon payment information from WeChat Pay. It also targets data from Telegram and QQ Messenger.

The attackers behind LightSpy have primarily focused on victims in the Asia–Pacific region. According to a recent report by ThreatFabric, the macOS version has been active in the wild since January 2024. Currently, its activity seems limited to testing environments and a few machines used by cybersecurity researchers.

How LightSpy Compromises macOS Devices

To get onto a Mac, LightSpy uses a Safari exploit chain for two WebKit vulnerabilities that Apple patched in 2018, CVE-2018-4233 and CVE-2018-4404. The chain yields code execution inside Safari on macOS 10.13.3 and earlier, so machines running later, patched releases are outside the reach of this particular entry point.

The infection process begins with a 64-bit Mach-O binary disguised as a PNG image file ("20004312341.png"). Once on the target device, this file decrypts and executes embedded scripts that fetch the second stage of the payload.

The second stage involves downloading several components:

  • A privilege escalation exploit (“ssudo”).
  • An encryption/decryption utility (“ddss”).
  • A ZIP archive ("mac.zip") containing two files: the "update" executable and "update.plist", the property list used to register it to run at startup.

A shell script decrypts and unpacks these files, uses the "ssudo" exploit to obtain root on the infected device, and establishes persistence by registering the "update" binary to run at startup.

LightSpy macOS variant infection chain (Source: ThreatFabric)

The process continues with a component known as “macircloader,” responsible for downloading, decrypting, and executing the LightSpy Core. This core module manages plugins and maintains communication with the command and control (C2) server. It can execute shell commands, update network configurations, and set activity schedules to avoid detection.
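The first stage and the persistence step described above both leave traces that can be checked: a file named like an image whose first bytes are a Mach-O header, and a launchd property list that starts a binary called "update". The following POSIX shell triage script is an added example written for this article; it is not code from the ThreatFabric report or from LightSpy itself. The demo files it builds, the plist label "com.example.update" and the path "/Library/Caches/update" are constructed placeholders rather than indicators from the report, and a match on the name "update" is a prompt for closer inspection, not a verdict.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the ThreatFabric report). Two
# indicators from the chain above: an image-named file with a Mach-O header
# (the "20004312341.png" stage) and a launchd plist that starts "update".

# First four bytes of a file as lowercase hex, no separators (POSIX od).
magic4() {
  od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Exit 0 if the bytes are a Mach-O magic: MH_MAGIC / MH_MAGIC_64 in either byte
# order, or FAT_MAGIC for a universal binary. 0xCAFEBABE is also the Java
# class-file magic, which does not matter for a file claiming to be an image.
is_macho() {
  case "$(magic4 "$1")" in
    feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 0 if the file has an image extension but Mach-O contents.
is_disguised_macho() {
  case "$1" in
    *.png|*.PNG|*.jpg|*.jpeg|*.gif) is_macho "$1" ;;
    *) return 1 ;;
  esac
}

# Print the program a launchd plist starts: the <string> after <key>Program</key>,
# or the first <string> after <key>ProgramArguments</key>. Parsed as text with awk
# so it also works off-box on a collected plist; on the Mac, `plutil -p` does the same.
launchd_program() {
  awk '
    /<key>Program(Arguments)?<\/key>/ {
      want = 1; sub(/.*<key>Program(Arguments)?<\/key>/, "")
    }
    want && match($0, /<string>[^<]*<\/string>/) {
      print substr($0, RSTART + 8, RLENGTH - 17); exit
    }
  ' "$1"
}

# Exit 0 if the plist launches a binary whose basename is "update".
is_update_persistence() {
  case "$(launchd_program "$1")" in
    update|*/update) return 0 ;;
    *) return 1 ;;
  esac
}

# Report every plist in the given directories that matches the persistence indicator.
scan_launchd_dirs() {
  for d in "$@"; do
    for p in "$d"/*.plist; do
      [ -f "$p" ] || continue
      if is_update_persistence "$p"; then
        printf 'suspicious persistence: %s -> %s\n' "$p" "$(launchd_program "$p")"
      fi
    done
  done
}

# Report every image-named Mach-O file under a directory tree.
scan_for_disguised() {
  find "$1" -type f \( -name '*.png' -o -name '*.jpg' -o -name '*.jpeg' -o -name '*.gif' \) |
  while IFS= read -r f; do
    if is_disguised_macho "$f"; then
      printf 'image-named Mach-O: %s\n' "$f"
    fi
  done
}

# Demo on constructed files: a fake dropper, a real PNG signature and a
# constructed persistence plist (label and path are placeholders, not IOCs).
demo() {
  tmp=$(mktemp -d)
  printf '\317\372\355\376' > "$tmp/20004312341.png"   # MH_MAGIC_64, little-endian
  printf '\211PNG\r\n\032\n' > "$tmp/photo.png"        # genuine PNG signature
  mkdir "$tmp/LaunchDaemons"
  cat > "$tmp/LaunchDaemons/com.example.update.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.update</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Caches/update</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
  scan_for_disguised "$tmp"
  scan_launchd_dirs "$tmp/LaunchDaemons"
  rm -rf "$tmp"
}

# `sh lightspy_triage.sh --demo` runs the demo; on a live Mac call, for example,
# scan_launchd_dirs /Library/LaunchDaemons /Library/LaunchAgents "$HOME/Library/LaunchAgents"
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The magic-byte check is deliberately extension-driven: it only fires when the name promises an image and the bytes promise an executable, which keeps it quiet on ordinary systems. The plist check matches on the program's basename only, so treat any hit as something to hash and compare against the report's indicators rather than as a confirmed infection.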

Plugins Used by LightSpy

The macOS version of LightSpy uses a variety of plugins to perform specific surveillance functions. While the Android variant uses 14 plugins and the iOS version uses 16, the macOS implant uses ten.

Plugin and what it does:

  • soundrecord: Captures audio from the device's microphone.
  • browser: Extracts browsing data (such as visited websites) from web browsers.
  • cameramodule: Takes photos using the device's camera without the user's knowledge.
  • FileManage: Manages and exfiltrates files, particularly from messaging apps.
  • keychain: Retrieves sensitive data stored in the macOS Keychain.
  • LanDevices: Identifies and collects details about devices on the same local network.
  • softlist: Lists all installed applications and running processes on the system.
  • ScreenRecorder: Records screen activity on the device.
  • ShellCommand: Executes shell commands on the infected device.
  • wifi: Gathers information on the Wi-Fi networks the device connects to.

These plugins enable LightSpy to conduct thorough surveillance and data exfiltration from infected macOS systems, making it a versatile tool for attackers.

Potential Threats Beyond macOS

ThreatFabric's report also indicated the existence of LightSpy implants for Windows, Linux, and routers, though the specifics of their deployment and use in attacks remain unclear.

While the full scope of LightSpy's capabilities is still under investigation, this discovery highlights the growing sophistication of surveillance tools and the need for robust security measures across all platforms.

Keep macOS and Safari current: the known macOS entry point relies on WebKit flaws patched in 2018, so an up-to-date system is not exposed to that chain. The discovery of the LightSpy macOS variant is a reminder that such frameworks keep extending to new platforms.

Anas Hasan

May 31, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast with extensive experience in the digital transformation industry. When Anas isn't blogging, he watches football.
