{ "name": "LightSpy Malware Variant Targeting macOS", "slug": "lightspy-malware-variant-targeting-macos", "description": "This report details the discovery of a macOS variant of the LightSpy malware, previously known to target iOS and Android devices. The macOS implant consists of a dropper that downloads and runs a core implant dylib, which in turn loads various plugins to accomplish malicious tasks. The report provides a technical analysis of the malware components, including the droppers, implants, and plugins, highlighting key differences from the iOS version. It also discusses the communication with the command-and-control (C2) server and the data collection capabilities of the malware. The report aims to raise awareness about the evolving threats targeting the macOS platform.", "published": "2024-04-29T16:41:32+00:00", "created_at": "2024-04-29T16:41:32+00:00", "modified_at": "2024-05-01T21:07:08+00:00", "created_at_opencti": "2024-04-29T16:41:32+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "dropper", "implant", "lightspy", "macos", "plugins" ], "related_entities": { "observables": [ { "id": "", "name": "103.27.109.217" }, { "id": "", "name": "fc7e77a56772d5ff644da143718ee7dbaf7a1da37cceb446580cd5efb96a9835" }, { "id": "", "name": "d2ccbf41552299b24f186f905c846fb20b9f76ed94773677703f75189b838f63" }, { "id": "", "name": "ac6d34f09fcac49c203e860da00bbbe97290d5466295ab0650265be242d692a6" }, { "id": "", "name": "65aa91d8ae68e64607652cad89dab3273cf5cd3551c2c1fda2a7b90aed2b3883" }, { "id": "", "name": "5fb67d42575151dd2a04d7dda7bd9331651c270d0f4426acd422b26a711156b5" }, { "id": "", "name": "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4" }, { "id": "", "name": "4511567b33915a4c8972ef16e5d7de89de5c6dffe18231528a1d93bfc9acc59f" }, { "id": "", "name": "3d6ef4d88d3d132b1e479cf211c9f8422997bfcaa72e55e9cc5d985fd2939e6d" }, { "id": "", "name": "18bad57109ac9be968280ea27ae3112858e8bc18c3aec02565f4c199a7295f3a" }, { "id": "", "name": "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" }, { "id": "", "name": "0f662991dbd0568fc073b592f46e60b081eedf0c18313f2c3789e8e3f7cb8144" } ], "malware": [ { "id": "legacy:malware:960aeff9f3c03843", "name": "LightSpy", "slug": "lightspy" } ], "intrusion_sets": [ { "id": "1b587a9b-82ad-4bc3-a6b7-a159d6e3c2d8", "name": "APT 41", "slug": "apt-41" } ], "attack_patterns": [ { "id": "b07b3c1b-5e60-4a5e-9872-e8ee936f4524", "name": "T1598.001" }, { "id": "f0737574-d089-4a2e-8d65-12351366026f", "name": "T1592.003" }, { "id": "bf00a05b-873c-4341-9d91-0aa52b28def2", "name": "T1592.001" }, { "id": "da9c28df-e5f4-4cb3-92c1-06f15d8bab39", "name": "T1071.002" }, { "id": "495b924e-a52e-4548-9379-4b92ad9b698d", "name": "T1001.003" }, { "id": "2ccc4626-0e86-4148-a5a8-2aa270e22dbd", "name": "T1588.001" }, { "id": "88fd8eb3-cc2d-4ff0-92ff-d047dafc7855", "name": "T1592.002" }, { "id": "adac40c7-ef36-4a03-af99-079bc834463a", "name": "T1003.002" }, { "id": "e6c0ca23-78ee-4b0e-96fa-e80efab3665d", "name": "T1003.001" }, { "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9", "name": "T1497.001" }, { "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f", "name": "T1071.001" }, { "id": "eaff4611-3c78-4127-8745-726f77ed68ba", "name": "T1070.004" }, { "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58", "name": "T1562.001" }, { "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb", "name": "T1070" }, { "id": "45082a8e-9c79-470e-ad1b-decac7188e8f", "name": "T1083" }, { "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b", "name": "T1033" } ] }, "external_refs": [ "https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos", "https://otx.alienvault.com/pulse/662fe9dc62a4db2be48af71b" ] }