“Operation Poisoned News” infecting iPhones with LightSpy spyware

The operation uses “Local News Websites” to spread spyware infection. Here’s what’s going on and how.

The operation uses “Local News Websites” to spread spyware infection.

Cybersecurity firms Kaspersky and Trend Micro have uncovered a malicious new campaign involving the installation of the “feature-rich implant” LightSpy malware using links on local news sites. The campaign has been named Operation Poisoned News and it is targeting iPhone users mainly in Hong Kong for now.

It is a watering-hole campaign in which cybercriminals are exploiting iOS 12.1 and 12.2 vulnerabilities for installing spyware to collect sensitive private data/information as well as to gain control of the device remotely.

This campaign was identified on 10 January 2020 in which victims are trapped into clicking on malicious links, which although take users to the actual website but its links are infected with LightSpy and posted by scammers on different forums of local news stories to hunt for victims.

List of news topics posted by the campaign and forum post with the link to a malicious site:

Image: Trend Micro

Our research also uncovered a similar campaign aimed at Android devices in 2019. Links to malicious .APK files were found on various public Hong Kong-related Telegram channels. These messages claimed they were for various legitimate apps, but they led to malicious apps that could exfiltrate device information, contacts, and SMS messages, wrote Trend Micro in its blog post.

These links contain a hidden iframe that loads the malicious code to install the malware. LightSpy, on the other hand,  is a modular backdoor that lets the attacker execute shell command remotely and infect the device, after which the attacker can manipulate files, spy on the user, and even gain complete control of the device. 

The malware has many types of modules for data exfiltration such as it can obtain iOS keychain, WiFi connection history, hardware information, contact information, device GPS location, call history of the phone, text messages, and Chrome and Safari browser history.

Additional information that the malware exfiltrates is about the device’s local network IP address and the available WiFi connection, while it also targets data of messenger apps including QQ, Telegram, and WeChat. 

LightSpy iOS implant component layout and communications (Image: Kaspersky)

Trend Micro researchers analyzed that the way this campaign is organized it seems as if the real target isn’t the victims but the perpetrators want to compromise a large number of devices for spying and backdooring purposes. On the other hand, researchers at Kaspersky concluded that,

This particular framework and infrastructure is an interesting example of an agile approach to developing and deploying surveillance framework in Southeast Asia. This innovative approach is something we have seen before from SpringDragon, and LightSpy targeting geolocation at least falls within previous regional targeting of SpringDragon/LotusBlossom/Billbug APT, as does infrastructure and “evora” backdoor use.

This, however, is not the first time when users in Hong Kong have been hit by a sophisticated campaign. In September last year, the website used by Hong Kong protesters suffered a series of DDoS attacks forcing its servers to go offline. Moreover, in December, China’s infamous DDoS attack tool also “Great Cannon” resurfaced to target Hong Kong protestors.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts