LightSpy malware has made a comeback, and this time it's coming after your macOS devices
The LightSpy malware is back, and this time threat actors are targeting macOS devices with improved detection-evasion techniques


The return of LightSpy malware has prompted warnings from security experts over the potential risk to businesses running macOS devices.
LightSpy malware first rose to prominence in 2020, but that variant only targeted iOS devices; new research claims the latest version was built to compromise Apple’s desktop machines.
The updated version of LightSpy was initially discovered by BlackBerry, which reported that the malware still targeted mobile devices; a later report by SMB security specialist Huntress disputed this, finding that the new version in fact affects Apple’s desktop operating system.
Huntress’ report, issued on 25 April 2024, challenged BlackBerry’s assertion, arguing that the sample BlackBerry referred to only targets the macOS platform.
By way of evidence, Huntress pointed out that the sample’s binaries were all compiled for the x86_64 architecture, which rules out the ARM architecture used in iPhones.
Huntress also contested BlackBerry’s claim that the new threat campaign is predominantly targeting individuals in Southern Asia, arguing that this claim rests solely on the fact that the malware sample was uploaded in India.
To remove any doubt, Stuart Ashenbrenner and Alden Schmidt of Huntress tested this by running the ‘file’ command against the macOS and iOS samples.
Ashenbrenner and Schmidt found that although the structure of the implant is the same in both variants, the macOS version appears to be more refined than the iOS version.
Both versions used a dropper to load a series of dynamically loaded modules (dylibs), similar to DLLs on Windows, which are responsible for most of the malware’s malicious capabilities.
But the report noted the new version of LightSpy boasts significantly improved operational security (opsec), more mature development practices, and generally better organization.
For example, the iOS version stored its C2 information in plaintext, whereas its macOS counterpart uses a plugin manifest, which should help it evade static detection.
What businesses need to know about LightSpy malware
In its weekly threat intelligence report, security firm Check Point said the spyware’s resurgence indicates “an escalation in cyber threats against macOS users”, noting the sophisticated techniques it is employing such as payload encryption and dynamic module loading.
Huntress said Apple is clearly aware of this elevated threat level and has introduced a number of new features to try to shore up the platform, including a Lockdown Mode that reduces functionality to limit the target’s attack surface.
Apple also recently brought in additional restrictions for its Transparency, Consent, and Control (TCC) framework, which manages access to sensitive data stored on macOS devices.
Huntress included some detection opportunities for businesses looking to safeguard their devices, providing a full list of indicators of compromise (IOCs) for all of the key elements of the updated variant.
Ashenbrenner and Schmidt also created a number of rules for the YARA and Sigma detection tools to help businesses freely detect core parts of LightSpy’s macOS variant, including the implant, loader, and dylibs.
These include a private YARA rule that narrows matches down to Mach-O binaries; businesses should note that the other rules depend on it and will not run without this private rule in place.
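The two technical points above, Huntress’ architecture check on the sample and the private rule that gates the other YARA rules to Mach-O files, both come down to reading the Mach-O header. The following Python is an added example written for this page, not Huntress’ code or their published rules: it parses thin and fat Mach-O headers to list the architectures a binary was compiled for (the part of ‘file’ output that reads “Mach-O 64-bit executable x86_64”), derives the “no ARM slice, so not an iPhone binary” conclusion from that, and shows a gated content check that only runs once a file is known to be Mach-O. The sample headers are constructed inline and the `marker` pattern is hypothetical; the real rules carry their own strings.

```python
from __future__ import annotations
import struct

# Header magics and CPU types as defined in Apple's <mach-o/loader.h>, <mach-o/fat.h>
# and <mach/machine.h>.
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit thin image, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit thin image, native / byte-swapped
FAT_MAGIC = 0xCAFEBABE                             # fat (universal) wrapper, always big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_TYPE_NAMES = {0x00000007: "i386", CPU_TYPE_X86_64: "x86_64",
                  0x0000000C: "arm", CPU_TYPE_ARM64: "arm64"}
IPHONE_ARCHS = {"arm", "arm64"}  # iPhones have only ever shipped ARM CPUs


def macho_architectures(data: bytes) -> list[str]:
    """Return the architecture of every slice in a Mach-O image, or [] if it is not Mach-O.

    Covers thin 32/64-bit headers in either byte order and fat binaries, i.e. the part
    of `file` output that reads "Mach-O 64-bit executable x86_64".
    """
    if len(data) < 8:
        return []
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        fat_magic, nfat_arch = struct.unpack_from(">II", data, 0)
        # Java class files share 0xCAFEBABE; their next field is a class-file version (>= 45),
        # so an implausible slice count is the usual way to tell the two apart.
        if fat_magic != FAT_MAGIC or not 1 <= nfat_arch < 20:
            return []
        archs = []
        for i in range(nfat_arch):
            off = 8 + 20 * i  # sizeof(fat_header) + i * sizeof(fat_arch)
            if off + 20 > len(data):
                return []  # truncated fat header: refuse to guess
            cputype = struct.unpack_from(">I", data, off)[0]
            archs.append(CPU_TYPE_NAMES.get(cputype, f"unknown(0x{cputype:08x})"))
        return archs
    cputype = struct.unpack_from(endian + "I", data, 4)[0]
    return [CPU_TYPE_NAMES.get(cputype, f"unknown(0x{cputype:08x})")]


def is_macho(data: bytes) -> bool:
    """The gate a private 'is Mach-O' YARA rule provides: True only for thin or fat Mach-O images."""
    return bool(macho_architectures(data))


def could_run_on_iphone(data: bytes) -> bool:
    """Huntress' argument in code: a binary with no ARM slice cannot execute on iPhone hardware."""
    return any(a in IPHONE_ARCHS for a in macho_architectures(data))


def gated_match(data: bytes, marker: bytes) -> bool:
    """Mirror of a content rule that depends on the private rule: the byte-pattern check only
    runs once the file is known to be Mach-O, so non-Mach-O files never match.
    `marker` is a hypothetical pattern standing in for a rule's real strings."""
    return is_macho(data) and marker in data


# --- constructed sample headers (not real LightSpy artefacts) ----------------------------
def _thin64(cputype: int, tail: bytes = b"") -> bytes:
    # mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE = 2), ncmds,
    # sizeofcmds, flags, reserved; no load commands follow in this minimal sample.
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0) + tail

SAMPLE_X86_64 = _thin64(CPU_TYPE_X86_64, b"constructed-marker")
SAMPLE_ARM64 = _thin64(CPU_TYPE_ARM64)
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(">IIIII", CPU_TYPE_X86_64, 3, 0x1000, 0x100, 12)
              + struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0x2000, 0x100, 14))
SAMPLE_JAVA_CLASS = struct.pack(">IHH", 0xCAFEBABE, 0, 52) + b"\x00" * 16  # Java 8 class header
SAMPLE_SHELL_SCRIPT = b"#!/bin/sh\necho constructed-marker\n"

if __name__ == "__main__":
    for name, blob in [("x86_64 thin", SAMPLE_X86_64), ("arm64 thin", SAMPLE_ARM64),
                       ("fat", SAMPLE_FAT), ("java class", SAMPLE_JAVA_CLASS),
                       ("shell script", SAMPLE_SHELL_SCRIPT)]:
        print(f"{name:13s} archs={macho_architectures(blob)} "
              f"iphone={could_run_on_iphone(blob)} gated={gated_match(blob, b'constructed-marker')}")
```

The Java class check matters in practice: YARA rules that gate on the four magic bytes alone will happily run against .class files, which is why a good private rule also sanity-checks the slice count or the thin-header cputype before the content rules fire.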

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.