Dave Bittner
You're listening to the Cyberwire network, powered by N2K.
Ismail Valenzuela
And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust + AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.

Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Jacob Farris
Well, so we're actively monitoring a lot of different threat actors and campaigns around the world, but we follow with special interest what's happening in Southeast Asia, and especially what's coming from Chinese actors.
Ismail Valenzuela
Our guests today are Ismail Valenzuela, VP of Threat Research and Intelligence, and Jacob Farris, principal threat researcher from BlackBerry, discussing the team's work on "LightSpy: APT41 Deploys Advanced Deep Data Framework in Targeted Southern Asia Espionage Campaign." Well, let's dig into some of the details here. I mean, can you... Let me toss it over to you, Jacob. Can you sort of lay out what exactly we're talking about here in terms of the activity that you all are tracking?
Dave Bittner
Sure. So we were actually looking at the command and control infrastructure from LightSpy and WormSpy and noticed that there were different SSL certificates being hosted, which kind of implied different services being hosted. And then whenever we started investigating those IP addresses, we saw different URI structures being utilized that didn't point to WormSpy or LightSpy. And it turned out, whenever we pulled the files down at those URIs, they happened to be Windows binaries. And so once we started reverse engineering those, we discovered it was actually Deep Data and this whole other toolkit.
Ismail Valenzuela
Well, let's go into some of the details here of the groups. I mean, starting out with the LightSpy malware campaign, what was their range of capabilities, and who were they typically targeting?
Dave Bittner
LightSpy was first discovered in 2020 in Hong Kong, and a lot of the lures utilized by them were actually targeting the democratic protests in Hong Kong. So you're kind of looking at targeting of journalists and everyday citizens that aren't necessarily aligning with the CCP. So those capabilities were generally around finding rioters or individuals of interest in the populace. So you needed their direct location. You needed to be able to pull audio so you could figure out what they were talking about. They were also pulling any communication, such as chat or email or passwords, so that you can get into their private accounts.
Ismail Valenzuela
And so now, in addition to that, we're talking about Deep Data. So explain that to me.
Dave Bittner
So Deep Data is their Windows targeting. We saw all of the previous things that I mentioned on iOS and Android, and we've seen macOS versions come out. And we've seen the infrastructure enhanced, pointing to Windows binaries out there, but we have not actually been able to decrypt those or see the internal workings of that until we found the Deep Data binaries. There are some interesting hints at Windows Phone because of the X.509 certificates utilized by some of the plugins. So it's possible this historically was used to target Windows Phone users as well, though Windows Phone is now deprecated.
Ismail Valenzuela
Right. I was going to say what Windows Phone. Take us back. Right.
Dave Bittner
Very precise. It also tells us that this has probably been around for longer than what we have visibility into.
Ismail Valenzuela
Ismail, you're saying?
Jacob Farris
No, I was going to say that. Very precise targeting, right, if anyone is still using Windows Phones out there. But this is something that I usually say: attackers are lazy.
Dave Bittner
Right.
Jacob Farris
They're going to be reusing frameworks and code that work. Why would they rewrite something from scratch? And it's very interesting with this campaign: we have seen infiltration of messaging platforms like WhatsApp, Telegram, Signal, WeChat. But as Jake was mentioning, we still see some remnants of maybe some code that was previously there. So that's interesting.
Ismail Valenzuela
It is. Explain to me, Jacob, the modularity of this. Why does that suit them particularly well when we're talking about an espionage campaign?
Dave Bittner
It changes what application they can use whenever they are targeting somebody, right? Like the scope of the intrusion and how much data they need to send to a victim before they can actually get the intended product out from them. So if they only want to listen to audio, because they know this person is not utilizing any of the chat functionality on this product, then they can only send the audio plugin. Also, development can be disparate, right? You only have to develop one thing really well before you can put it into production, as opposed to having to update the code for every section.
Ismail Valenzuela
And I suppose there are some advantages to making whatever you're sending out comparatively lightweight.
Dave Bittner
Yes. I think, looking more at the actual code and the strings involved, it looks more like it's modular because they're having different groups do the development. APT41, and pretty much anybody that has been associated with the Ministry of State Security in China, has regularly utilized universities to do a lot of the development. And the development here looks more like it's something structured and professionally done, such as by developers, as opposed to necessarily malware authors like you would see out of Russia.
Ismail Valenzuela
Now, talking about the plugins here, they are targeting specific messaging apps.
Dave Bittner
Yeah. Like, I do not have the list right in front of me, but they are targeting Signal, Feng Shui, QQ, primarily large groupings of Chinese messaging applications. But they've also started branching into U.S. applications, especially ones that are encrypted or used for mass messaging, like Telegram.
Jacob Farris
Telegram, WhatsApp, Signal.
Dave Bittner
Yeah.
Jacob Farris
Email monitoring.
Ismail Valenzuela
Yeah. Now, you were talking about tools that can be applied to Windows here. I mean, to what degree are they functioning in a cross-platform way, and are they integrating the way that they're able to communicate across those platforms?
Dave Bittner
Yes. So the command and control servers actually have a console that can be utilized by all of the different products, right? LightSpy, WormSpy, and Deep Data all upload their information to a console that's cross-platform. That way, whoever is operating the console can just click whichever users they want that are infected and go ahead and inspect that data that's been returned.
Ismail Valenzuela
Can we talk some about the strategic objectives of APT41 themselves? You mentioned them. The tools that you're seeing here in Deep Data, how do they reflect the folks that they're targeting?
Dave Bittner
Well, APT41 historically has done both espionage and cybercrime. And since we've seen these tool sets being utilized on the general populace, it would be very advantageous for APT41 to accomplish both of those tasks, or at least both of those goals with this tool set.
Jacob Farris
And it's worth mentioning, Dave, as well, that APT41 was indicted by the US Department of Justice back in 2020. So there's a long record for this group in targeting these strategic objectives using, as we just see here, some advanced malware.
Ismail Valenzuela
We'll be right back.

Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default-deny approach can keep your company safe and compliant.

And who do they seem to be targeting here? When we're talking about the specific industries or the entities that they seem to be going after, what are you all seeing?
Jacob Farris
Well, as Jake was mentioning before, these groups are tied to the Chinese Ministry of State Security. And we know that the Chinese government is just conducting massive surveillance, right? So sometimes we see them targeting government interests, sometimes healthcare, education, telecommunications, technology. So they keep, you know, changing maybe their targets, but at the end of the day, what they're just trying to gather is as much information as possible.
Ismail Valenzuela
Jacob, how do you rate the sophistication of this group when you look at their work, the things that they're making here?
Dave Bittner
I have different opinions on the quality of code levels, but I think the more sophisticated point around this, and why it is actually a high level of sophistication, is because of the breadth of capacity, right? They're able to target multiple operating systems, both mobile and desktop devices, plus they're able to target routers. And we've seen utilization of zero-day exploits for the delivery of these things in the past. There are not many groups that are doing that. And then to see the infrastructure stay online for years and years and years, right? We saw the IP address that was used to identify the LightSpy group as APT41 is an IP address that's been...
Jacob Farris
...used since 2014. And something we didn't mention: we talked about some of the plugins, but I was just thinking there's also one plugin to extract passwords from KeePass, right? Maybe many in the audience recognize KeePass as a password manager. Often we security experts would recommend people to use password managers. Well, guess what? They're using these plugins to extract the passwords and any of the information stored in these applications, again collecting more data, more passwords, to get access to more platforms.
Ismail Valenzuela
You know, when you look at the modularity of this, I mean, getting back to what we were talking about, the comparative sophistication here. I'm curious, Jacob, when you look at these different modules, do you get a sense for, oh, you know, these were probably put together by the same person or group, and this looks like a different cluster? You know, these are the lower-level people in the organization and these are the real coding masters here. Do those sorts of things come up when you're doing your own research?
Dave Bittner
Absolutely. You can find the debug paths inside of the binaries, and you can many times see the name of the individual that's working on it. You can tell whenever the project name has changed, or at least the project name that was given to these individuals has changed. And then you see those slight shifts over the years whenever you can check compilation times and then see how different people are working on the project over different time frames.
Ismail Valenzuela
That's interesting. Well, what are your recommendations, then? I mean, how do folks go about protecting themselves against this sort of thing?
Dave Bittner
Yeah, it's a pretty wide scope of targeting, right? So I think the age-old defense in depth with ISO 27001 is pretty much the only real solution there.
Ismail Valenzuela
Are there any things in your research here that were particularly surprising that made you sit up and go, that's interesting?
Dave Bittner
You know, I don't think so. And I'll say it because it looks like they've written a lot of custom stealers that are similar to other stealers that are out there. Everybody's just re-implementing the same functionality, but in a new way, so that it is not detectable by endpoint systems or network detection systems. And so, like, recently we saw that a Windows stealer plugin has been added to the command and control commands. And this whole thing started out as a Windows stealer, but now they have a command and control function just for that, right? So none of the things being developed here are particularly unique.
Jacob Farris
I think one of the interesting things about these campaigns is that they're not just targeting maybe the traditional platforms only, right? Like, we talk here about Windows, but Jake has mentioned before some Android implants as well, and the targeting of specific communications or applications that we're supposed to usually consider as safe, right? Like WhatsApp or Signal. And this is a very interesting lesson learned, especially because they're targeting politicians, they're targeting, you know, journalists, people that have access to very sensitive information. It raises the question, like, should we be using those messaging platforms for secure communications? And I guess the answer is pretty obvious, right? Like, these platforms do not provide the type of security that is needed to maybe share corporate secrets or other types of highly confidential information.
Ismail Valenzuela
Can we dig into that a little bit? Because you did catch my attention when you mentioned Signal on the list there. Because I think, you know, like a lot of folks, when I think of secure messaging systems, that's certainly at or near the top of the list in terms of things that are readily available to folks, you know, average people out there. How do they come at an app like Signal? What sort of things do they use?
Jacob Farris
Well, in many cases, and Jake, feel free to expand on this, but in many cases the weakest point is the endpoint, right? As we said before, many people install the client applications on their desktops that will, you know, communicate with the servers. And that could be the weakest point in this case. We detail this in our blog: these plugins, these DLLs, Signal DLL and WhatsApp DLL, that will be loaded when the plugin is running, and they will be used to, well, get access to this data. So that could be one of the avenues. Many of these platforms as well, they encrypt end to end, right? With different keys that you could generate on the endpoint, and keys that you have on the server, using public key infrastructure (PKI). But if you're able to tap the device itself and get access to those keys, or tap even the memory of the device where maybe the data is not encrypted, you could get access to that type of information.
Ismail Valenzuela
Jacob, anything to add there?
Dave Bittner
I don't think so. It's like Ismail was saying: the way that the applications are actually pulling that data is by accessing the local databases, and the encryption keys are going to be stored on the device so that it can actually be decrypted at rest, right? So then they're just pulling it directly from that database and decrypting it with the local encryption keys.
Ismail Valenzuela
Right, right. At some point somebody has to see it, right? So it has to become viewable, and that's your opportunity. Yeah. Well, when you look at a group like this that has a history, and you see the kind of arc that they've been on, do you get a sense for where they're headed? What sort of things are on their horizon?
Dave Bittner
Yeah, targeting the U.S. I mean, they've been pretty strongly targeting regions around China that are not supportive of the CCP. So we see C2, like command and control servers, in Japan, Singapore and Hong Kong, but those are also primarily US-sympathizing countries to some degree. And I think Google put out a report last year stating they saw six different US government entities being targeted by APT41. So it goes in line that anything that is not directly supporting the socialist agenda is probably going to be targeted.
Jacob Farris
When we talk about persistent threats, right, this is clearly one of those. They're not going to go anywhere, and they're going to be expanding in capabilities and scope as time goes on. So whenever China has geopolitical interests, we're going to see these types of activities. As we said before, even an indictment from the Department of Justice and ongoing FBI investigations are not stopping these groups. They're intensifying their espionage activities.
Ismail Valenzuela
Our thanks to Ismail Valenzuela and Jacob Farris from BlackBerry for joining us. The research is titled "LightSpy: APT41 Deploys Advanced Deep Data Framework in Targeted Southern Asia Espionage Campaign." We'll have a link in the show notes. That's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Ismail Valenzuela
...needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
CyberWire Daily: "LightSpy's Dark Evolution" [Research Saturday] - Detailed Summary
Release Date: January 25, 2025
Introduction
In the January 25, 2025, episode of CyberWire Daily’s "Research Saturday," host Dave Bittner engages in an in-depth conversation with cybersecurity experts Ismail Valenzuela, VP of Threat Research and Intelligence, and Jacob Farris, Principal Threat Researcher at BlackBerry. The focus of the discussion centers on the evolution of the LightSpy malware campaign orchestrated by the notorious threat actor group APT41, specifically their deployment of the advanced Deep Data Framework in targeted Southern Asia espionage activities.
Overview of LightSpy and APT41
The episode begins with Jacob Farris highlighting the team's active monitoring of various threat actors, with a particular emphasis on developments in Southeast Asia and activities originating from Chinese actors. Ismail Valenzuela introduces the episode's main topic: "LightSpy's Dark Evolution," detailing how APT41 has enhanced their espionage capabilities.
Jacob Farris explains, “[We are] actively monitoring a lot of different threat actors and campaigns around the world,” with a special focus on Chinese-originated activities (02:13).
Technical Details of the LightSpy Campaign
Dave Bittner delves into the technical aspects of the LightSpy campaign, noting the discovery of command and control (C2) infrastructure associated with LightSpy and WormSpy. The team identified different SSL certificates hosted on these C2 servers, indicating the presence of multiple services, and diverse URI structures not previously linked to WormSpy or LightSpy (02:51).
Upon further investigation, reverse engineering of Windows binaries revealed the deployment of the Deep Data Framework, a toolkit previously obscured from analysis. "Deep Data is their Windows targeting," explains Bittner (04:29). This framework signifies an expansion from earlier targets on iOS and Android to now include comprehensive Windows-based attacks.
Targeted Platforms and Industries
Ismail Valenzuela prompts a discussion on the range of capabilities and typical targets of LightSpy. Dave Bittner outlines that LightSpy was initially discovered in Hong Kong in 2020, primarily targeting participants in the democratic protests. The malware's capabilities include real-time location tracking, audio capture, and accessing private communications like chats, emails, and passwords (03:28; 04:23).
Jacob Farris adds that while LightSpy primarily attacks messaging platforms such as WhatsApp, Telegram, and Signal, it has also expanded to U.S.-based applications. This expansion indicates a strategic shift to encompass both local and international targets, including sectors like healthcare, education, telecommunications, and technology (07:58; 12:28).
Modularity and Sophistication of Malware
A significant portion of the discussion revolves around the modularity of the Deep Data Framework. Ismail Valenzuela inquires about the advantages of modularity in espionage campaigns. Bittner responds that modularity allows APT41 to tailor their malicious payloads to specific targets’ needs, enhancing the efficiency and stealth of their operations. “It changes what application they can use whenever they are targeting somebody,” Bittner explains (06:16).
Jacob Farris emphasizes that this modularity reflects a high level of sophistication, indicating structured and professional development likely involving collaboration with academic institutions. “Attackers are lazy. They’re going to be reusing frameworks and code that work,” Farris notes (05:31).
Strategic Objectives of APT41
Ismail Valenzuela probes into the strategic objectives of APT41, linking their dual focus on espionage and cybercrime. Bittner elaborates that APT41's tactics aim to gather extensive information for both state-sponsored espionage and financial gains through cybercrime (09:32). Jacob Farris adds that despite being indicted by the US Department of Justice in 2020, APT41 continues to intensify their espionage activities, suggesting resilience and adaptability in their operations (09:56; 21:05).
Security Recommendations
When discussing mitigation strategies, Bittner advocates for a comprehensive defense-in-depth approach aligned with ISO 27001 standards. This includes continuous monitoring, robust authentication mechanisms, and layered security controls to protect against the multifaceted threats posed by APT41’s advanced toolsets (15:37).
Surprising Findings and Observations
Ismail Valenzuela inquires about unexpected insights from the research. Bittner shares that while the functionality of APT41’s tools is not unique, their persistent adaptation to bypass security measures is noteworthy. The integration of a Windows stealer plugin into their C2 commands illustrates their evolving strategies to remain undetected (16:03; 16:57).
Jacob Farris highlights the versatility in targeting not just traditional platforms but also secure messaging applications, raising concerns about the security of even the most trusted communication tools. He questions the adequacy of platforms like Signal for securing highly confidential information, suggesting that endpoint security remains a critical vulnerability (17:54).
Future Outlook
Looking ahead, Bittner anticipates that APT41 will continue to expand their targets beyond Southeast Asia, increasingly focusing on U.S. entities and other regions not aligned with the Chinese Communist Party’s (CCP) interests. Farris underscores that persistent and evolving threats from APT41 are likely to grow in sophistication and scope, driven by geopolitical motivations (20:14; 21:44).
Conclusion
The episode concludes with a reminder of the ongoing threat posed by APT41 and the necessity for robust cybersecurity measures. Dave Bittner emphasizes the importance of continuous vigilance and the implementation of comprehensive security frameworks to mitigate the risks associated with such advanced threat actors.
Final Thoughts
"LightSpy's Dark Evolution" offers a comprehensive analysis of APT41’s sophisticated espionage tactics and their implications for global cybersecurity. The insights provided by Ismail Valenzuela and Jacob Farris underscore the importance of advanced threat detection and robust security frameworks in combating evolving cyber threats.
For those seeking to stay informed on the latest in cybersecurity, this episode serves as a crucial resource in understanding and mitigating the risks posed by advanced persistent threats like APT41.