CyberWire Daily - LightSpy's dark evolution. [Research Saturday]
Episode Date: January 25, 2025
This week, we are joined by Ismael Valenzuela, VP of Threat Research & Intelligence, and Jacob Faires, Principal Threat Researcher, from BlackBerry discussing the team's work on "LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign." In April 2024, BlackBerry uncovered a significant evolution of the LightSpy malware campaign, attributed to Chinese cyber-espionage group APT41. The newly introduced DeepData framework, a modular Windows-based surveillance tool, expands data theft capabilities with 12 specialized plugins for tasks like communication surveillance, credential theft, and system intelligence gathering. The campaign targets a wide range of communication platforms, including WhatsApp, Signal, and WeChat, with advanced techniques for monitoring and stealing sensitive information from victims across the Asia-Pacific region. The research can be found here: LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down
the threats and vulnerabilities, solving some of the hard problems and protecting ourselves
in a rapidly evolving cyberspace.
Thanks for joining us.
Well, so we're actively monitoring a lot of different threat actors and campaigns around
the world, but we follow with a special interest what's happening in Southeast Asia, and especially
what's coming from Chinese actors.
Our guests today are Ismael Valenzuela, VP of Threat Research and Intelligence, and Jacob
Faires, Principal Threat Researcher from BlackBerry, discussing the team's work on "LightSpy:
APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign."
Well, let's dig into some of the details here. I mean, can you, let me toss it over to you, Jacob.
Can you sort of lay out what exactly we're talking about here in terms of the activity
that you all are tracking?
Sure. So we were actually looking at the command and control infrastructure from LightSpy and
WormSpy and noticed that there were different SSL certificates being hosted, which kind of
implied different services being hosted. And then whenever we started investigating those IP
addresses, we saw different URI structures being utilized
that didn't point to WormSpy or LightSpy.
It turned out whenever we pulled the files down at those URI,
they happened to be Windows binaries.
Once we started reverse engineering those,
we discovered it was actually
DeepData and this whole other toolkit.
Well, let's go into some of the details here of the groups. I mean, starting out with the LightSpy malware campaign,
what was their range of capabilities, and who were they typically targeting?
LightSpy was first discovered in 2020 in Hong Kong, and a lot of the lures utilized by them were actually
targeting the democratic protests in Hong Kong.
So you're kind of looking at targeting of journalists and everyday
citizens that aren't necessarily aligning with the CCP.
So those capabilities were generally around finding writers or
individuals of interest in the populace.
So you needed their direct location, you needed to be able to pull audio so you
could figure out what they were talking about. They were also pulling any
communication such as chat or email or passwords that you can get into their
private accounts.
And so now, in addition to that, we're talking about DeepData. So explain that to me.
So DeepData is their Windows targeting.
We saw all of the previous things that I mentioned
on iOS and Android, and we've seen Mac OS versions come out,
and we've seen the infrastructure and hence pointing
to Windows binaries out there, but
we have not actually been able to decrypt those or see the internal workings of that
until we found the DeepData binaries.
There are some interesting hints at Windows Phone because of the X.509 certificates utilized
in some of the plugins.
So it's possible this historically was used to target Windows phone users as well.
Though Windows phone is now dedicated.
Right. I was going to say, what? Windows phone?
Take us back, right?
It also tells us that this has probably been around for longer than what we have visibility into.
Ismael, you were saying?
I was going to say a very precise targeting, right?
If anyone is still using Windows phones out there.
But this is something that I usually say attackers are lazy,
right?
They're going to be reusing frameworks and code
that work.
Like, why would they rewrite something from scratch?
And it's very interesting with this campaign,
we have seen infiltration of messaging platforms
like WhatsApp, Telegram, Signal, WeChat.
But as Jake was mentioning,
we still see some remnants of maybe some code
that was previously there.
So that's interesting.
It is.
Explain to me, Jacob, the modularity of this.
Why does that suit them particularly well
when we're talking about an espionage campaign?
It changes what application they can use
whenever they are targeting somebody, right?
Like the scope of the intrusion
and how much data they need to send to a victim
before they can actually get the intended product out from them.
So if they only want to listen to audio because they know this person is not utilizing any of the chat functionality on this product,
then they can only send the audio plug-in. Also, development can be disparate, right? You only have to develop one thing really well
before you can put it into production,
as opposed to having to update the code for every section.
And I suppose there's some advantages
of making whatever you're sending out
to be comparatively lightweight.
Yes.
I think more looking at the actual code and the strings involved,
it looks more like it's modular because they're
having different groups to the development.
APT41 and pretty much anybody that has been associated with
the Ministry of State Security in China
has regularly utilized universities
to do a lot of the development.
And the development here looks more like
it's something structured and professionally done
such as by developers as opposed to necessarily
malware authors like you would see out of Russia.
Now, talking about the plugins here, they are targeting specific messaging apps?
Yeah, like I do not have the list right in front of me, but they are targeting Signal, Fengshui, QQ,
primarily large groupings of Chinese messaging applications, but they've
also started branching into US applications, especially ones that are encrypted or used
for mass messaging like Telegram.
Telegram, WhatsApp, Signal, email. Yeah, email monitoring.
Yeah.
Now you were talking about tools
that can be applied to Windows here.
I mean, to what degree are they functioning
in a cross-platform way?
And are they integrating the way that they're able
to communicate across those platforms?
Yes, so the command and control servers actually have a console
that can be utilized by all of the different products, right?
Like LightSpy, WormSpy, and DeepData all upload their information
to a console that is cross-platform.
That way, whoever is operating the console
can just click whichever users they want that are infected
and go ahead and inspect that data that's been returned.
Can we talk some about the strategic objectives
of APT41 themselves?
You mentioned them.
The tools that you're seeing here in DeepData,
how does that reflect the folks that they're targeting?
Well, APT41 historically has done both espionage
and cybercrime.
And since we've seen these tool sets being utilized
on the general populace,
it would be very advantageous for APT41
to accomplish both of those tasks,
or at least both of those goals, with this toolset.
And it's worth mentioning, Dave, as well,
that APT41 was indicted by the US Department of Justice
back in 2020.
So there's a long record for this group
in targeting these strategic objectives using,
as we just see here, some advanced malware.
And who do they seem to be targeting here?
We're talking about the specific industries or the entities that they seem to be going
after here.
What are you all seeing?
Well, as Jake was mentioning before,
these groups are tied to the Chinese Ministry
of State Security.
And we know that the Chinese government
is just conducting massive surveillance, right?
So, you know, sometimes we see them targeting
government interests all the time,
like healthcare education, telecommunications, technology.
So they keep changing maybe their targets,
but at the end of the day,
what they're just trying to gather
is as much information as possible.
Jacob, how do you rate the sophistication of this group
when you look at their work,
the things that they're making here?
So I have different opinions on the quality of code levels,
but I think the more sophisticated point
around this and why it is actually a high level of
sophistication is because of the breadth of capacity.
They're able to target multiple operating systems,
both mobile and desktop devices,
plus they're able to target routers.
And we've seen utilization of zero-day exploits for the delivery of these things in the past.
There are not many groups that are doing that.
And then to see the infrastructure stay online for years and years and years.
We saw the IP address that was used to identify the LightSpy group as APT41
is an IP address that's been used since 2014.
And something we didn't mention, we talked about some of the plugins, but I was just
thinking there's also one plugin to extract passwords from KeePass, right? Maybe many in the audience recognize KeePass
as a password manager.
Like often with security experts,
we recommend people to use password managers.
Well, guess what?
Like they're using these plugins to extract the passwords
on any of the information installed in these applications.
Again, collecting more data, more passwords
to get access to more platforms.
You know, when you look at the modularity of this, I mean, getting back
to what you were talking about, the comparative sophistication here, I'm
curious, Jacob, when you look at these different modules, do you get a sense for
oh, you know, these were probably put together by the same person or group and
this looks like a different cluster.
These are the lower level people in the organization,
and these are the real coding masters here.
Do those sorts of things come up when you're doing your own research?
Absolutely. You can find the debug paths inside of the binaries,
and you can many times see the name of the individual that's working on it.
You can tell whenever the project name has changed or at least the project name that
was given to these individuals has changed.
And then you see those slight shifts over the years whenever you can check compilation
times and then see how different people are working on the project over different time
frames.
Yeah, that's interesting.
Well, what are your recommendations then?
I mean, how do folks go about protecting themselves against this sort of thing?
Yeah, it's a pretty wide scope of targeting, right?
So I think the age-old defense in depth with ISO 27001
is pretty much the only real solution there.
Are there any things in your research here that were particularly surprising that made you sit
up and go, hmm, that's interesting?
You know, I don't think so.
And I'll say it because it looks like they've written a lot of custom stealers that are
similar to other stealers that are out there.
Everybody's just re-implementing the same functionality.
So in a new way so that it is not detectable by endpoint systems or network detection systems. And so like recently we saw that a Windows Stealer plugin has been added
to the command and control commands. And well this whole thing started out as a
Windows Stealer, but now they have a command and
control function just for that.
So none of the things being developed here
are particularly unique.
I think one of the interesting things about these campaigns
is that they're not just targeting
maybe traditional platforms only.
We talk here about Windows, but we have, Jake has mentioned before,
some Android implants as well.
And the targeting of specific communications,
or applications, that we usually consider as safe, right?
we usually consider as safe, right?
Like WhatsApp or Signal.
And this is a very interesting lesson learned,
especially because they're targeting politicians,
they're targeting journalists, people that have access
to very sensitive information.
It raises the question, should we
be using those messaging platforms
for secure communications?
And I guess the answer is pretty obvious.
These platforms do not provide the type of security
that is needed to maybe share corporate secrets
or all the type of highly confidential information.
Can we dig into that a little bit?
Because you did catch my attention
when you mentioned Signal on the list there.
Because I think, like a lot of folks,
I consider that when I think of secure messaging systems,
that's certainly at or near the top of the list
in terms of things that are readily available to folks, you know, average people out there.
How do they come at an app like Signal?
What sort of things do they use?
Well, in many cases, and Jake, feel free to expand on this, but in many cases, the weakest
point is the endpoint, right?
As we said before, many people install the client applications on their desktops
that will, you know, communicate with the servers, and that could be the weakest
point. In this case, we detail this in our blog: these plugins, these DLLs, the Signal DLL and
the WhatsApp DLL, that will be loaded when the plugin is running, and they will be used to
get access to this data.
So that could be one of the avenues. Many of these platforms as well,
they encrypt end-to-end, right, with different keys that you could generate on the endpoint and keys that you have on the server,
using public key infrastructure, PKI.
But if you're able to tap the device itself
and get access to those keys or tap even
the memory of the device where maybe the data is not
encrypted, you could get access to that type of information.
Jacob, anything to add there?
I don't think so.
It's like Ismael was saying, the way
that the applications are actually pulling that data
is by accessing the local databases.
And the encryption keys are going
to be stored on the device so that it can actually
be decrypted at rest.
So then they're just pulling it directly from that database
and decrypting it with the local encryption keys.
Right, right.
At some point, somebody has to see it, right?
So it has to become viewable and that's your opportunity.
Yeah.
Well, when you look at a group like this that has a history and you see the kind of arc
that they've been on, do you get a sense for where they're headed,
for what sort of things are on their horizon?
Yeah, targeting the US.
They've been pretty strongly targeting regions around China that are not
supporting the CCP. So we see C2, like command and control servers
in Japan, Singapore, and Hong Kong,
but those are also primarily U.S. sympathizing countries
to some degree.
And you think Google put out a report last year stating
that they saw six different US government entities being targeted by APT41. So it goes in line that anything that is
not directly supporting the socialist agenda is probably going to be targeted.
When we talk about persistent threats, right, this is clearly one of those.
They're not going to go anywhere and they're going to be expanding in capabilities and
scope as time goes on.
So whenever, you know, China has geopolitical interests, we're going to see these type of
activities.
As we said before, even with an indictment from the Department of Justice, ongoing FBI
investigations, it's not stopping these groups.
They're intensifying their espionage activities.
Our thanks to Ismael Valenzuela and Jacob Faires from BlackBerry for joining us.
The research is titled "LightSpy:
APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign."
We'll have a link in the show notes.
That's Research Saturday brought to you by N2K CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please
also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential
leaders and operators in the public and private sector, from the Fortune 500 to many of the
world's preeminent intelligence and law enforcement agencies.
This episode was produced by Liz Stokes.
We're mixed by Elliot Pelsman and Trey Hester.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpey is our publisher,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.