Earlier in March, Trend Micro published research on a watering hole campaign targeting users in Southeast Asia with powerful spyware called LightSpy. Following that research, Kaspersky's Global Research and Analysis Team shared some important additional details on this attack, which targets mobile users through links posted on various forums and communications channels.
In their research, published on Securelist.com, Kaspersky provides analysis of:
The surveillance framework's deployment timeline, starting from January 2020
Previously unknown samples of the LightSpy Android implants
Traces of implants targeting Windows, Mac and Linux based computers along with Linux-based routers
New indicators of compromise and some other details about the attack
What is known about the LightSpy attacks?
Actors behind the campaign distribute links to malicious websites mimicking the original ones that are likely to be frequented by potential victims. Once a target visits the weaponized website, a custom exploit chain tries to execute shellcode, which leads to the deployment of the full malware implant on the victim's phone.
The malware is successfully targeting iPhones running versions of iOS up to version 12.2. Users running the latest version of iOS, 13.4, should be safe from these exploits. Users of Android OS-based devices are also in the crosshairs: researchers found several versions of the implant that target this platform. In addition, Kaspersky researchers identified some indicators of the existence of malware targeting Mac, Linux and Windows-based computers, along with Linux-based routers.
The research also discovered that the malware is being spread through forum posts and replies, as well as through popular communications platforms, by posting links to the deployed landing pages. Once the website has been visited, the malware jailbreaks the victim's device, giving the attackers the ability to record calls and audio, read certain messengers and more.
The information currently available does not make it possible to attribute the operation to any known advanced persistent threat (APT) actor, which is why Kaspersky has temporarily dubbed the attackers TwoSail Junk.
"We tracked this particular framework and infrastructure beginning in January this year. It is an interesting example of an agile approach to developing and deploying a surveillance framework in Southeast Asia. This innovative strategy is something we have seen before from SpringDragon, and LightSpy's targeting geolocation falls within the previous regional targeting of the SpringDragon/LotusBlossom/Billbug APT, as does the infrastructure and evora backdoor use. Although the campaign peaked in February (that is when we saw the highest growth of links leading to the malicious site), it is still active and we continue monitoring it," comments Alexey Firsh, security researcher at Kaspersky's Global Research and Analysis Team.
Read more about the TwoSail Junk's campaign on Securelist.com.
To avoid falling victim to water-holing and other targeted attacks such as this, Kaspersky recommends the following:
● Try to avoid suspicious links promising exclusive content, especially if they are shared on social media. Refer to official sources for trustworthy and legitimate information.
● Check the website's authenticity. Do not visit websites until you are sure that they are legitimate and that their addresses start with https. Confirm that the website is genuine by double-checking the format of the URL or the spelling of the company name, reading reviews about it and checking the domain's registration data.
● Choose a reliable security solution such as Kaspersky Security Cloud for effective personal protection against known and unknown threats.
For corporate users:
Make sure your security team has access to the most recent cyber threat intelligence. Private reports on the latest developments in the threat landscape are available to customers of Kaspersky APT Intelligence Reporting.