Tracking LightSpy: Certificates as Windows into Adversary Behavior

Tracking LightSpy: Certificates as Windows into Adversary Behavior

Published on

Published on

Published on

Jun 6, 2024

Jun 6, 2024

Jun 6, 2024

TABLE OF CONTENTS

Introduction

In this post, we'll detail the infrastructure of the LightSpy spyware framework and highlight the unique TLS certificates that have been instrumental in identifying its servers.

We’ll examine specific characteristics of the LightSpy network, such as commonly used ports, preferred hosting providers, registration details, and both existing and newly discovered certificates from our scans. This article aims to equip defenders with the information necessary to understand and anticipate the behaviors of the actors behind this operation.

A Quick Refresher

LightSpy is a sophisticated surveillance framework targeting iOS, Android, macOS, and Windows devices, focusing on the Asia-Pacific region. This framework is designed to exfiltrate a wide range of sensitive data from mobile devices, including files, screenshots, detailed location information (such as building floor numbers), voice recordings from WeChat calls, and payment information from WeChat Pay.

Additionally, LightSpy captures data from popular messaging apps like Telegram and QQ Messenger, highlighting its extensive capabilities and significant threat potential.

The following recent blog posts provide a more technical analysis of malware infiltrating networks.

Huntress – “LightSpy Malware Variant Targeting macOS
ThreatFabric – “LightSpy: Implant for macOS
Lookout – “Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41

Overview of LightSpy’s Infrastructure

According to our scans, most of LightSpy's infrastructure is located in China and Hong Kong, with a single server identified in Japan. Topway Global Limited and ChinaNet comprise most of the servers hosting the certificates associated with the framework. Based on our visibility, figure 1 displays a graph highlighting the most popular hosting companies.

We didn’t forget about AndroidControl, also known as WyrmSpy, LightSpy’s reported successor. In the next section, we will cover the certificates behind both LightSpy and AndroidControl in detail.

https://app.hunt.io/images/blogs/lightspy/figure_1_2.webp
Figure 1: Common Hosting Companies in Hunt Platform

LightSpy uses a range of high ports for certificates, typically in the 50k+ range. In contrast, AndroidControl commonly uses port 443 for its control panel and port 3389 for Remote Desktop Protocol (RDP). Both frameworks leverage Nginx servers for their infrastructure, with LightSpy often seen using Nginx version 1.14.0 and AndroidControl using version 1.10.3.

Hunt scans found that ports 51200 and 53501 are the most popular ports for LightSpy.

The top 10 ports are depicted below.

https://app.hunt.io/images/blogs/lightspy/figure_2_2.webp
Figure 2: Most Popular Ports in Hunt

Detecting WyrmSpy was previously as straightforward as searching for web pages that display the HTML title (“AndroidControl v1.0.4”). However, this detection method is not foolproof and is easily changed by the actor(s) administering the server, rendering the query useless.

Like LightSpy, WyrmSpy uses a unique TLS certificate for its control panel. This procedure of using distinct certificates leads to a small number of IP addresses sharing it. While the title and certificate are easily changed, focusing on the latter allows researchers to identify related infrastructure, even if the page is altered or the actor has not yet started using the panel.

At the very least, we can get an idea of the certificate authority (if applicable) preferred by the attacker and the naming conventions used.

https://app.hunt.io/images/blogs/lightspy/figure_3_3.webp
Figure 3: Screenshot of AndroidControl (WrymSpy) HTML Title Panel

Hunt is currently tracking 12 servers presenting the certificate we will discuss below.

Take a look for yourself using the Active C2 Servers feature here.

https://app.hunt.io/images/blogs/lightspy/figure_4_4.webp
Figure 4: Just a Few of the LightSpy IP Addresses Available for Analysis in Hunt

Following the Certificates

We referenced the WyrmSpy certificate multiple times without displaying it. The full self-signed certificate is as follows:

  • C=US
  • ST=State of California
  • O=hxwa
  • OU=John
  • CN=X
  • emailAddress=X3057@gmail.com

If you've been following our blogs, you may recall our post on a cluster of ShadowPad infrastructure that used certificates spoofing the American technology company Dell. In that post, we highlighted several servers with RDP certificates following the "iZ[13 alphanumeric characters]” pattern. Notably, 47.241.218_217, identified as WyrmSpy infrastructure, employs a similar naming convention, as illustrated in Figure 5.

ShadowPad blog post:
https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates

https://app.hunt.io/images/blogs/lightspy/figure_5_5.webp
Figure 5: Certificates used on WrymSpy Server

Unfortunately, the trail ran cold on the above RDP certificate as we could not locate any additional servers using the above naming convention. However, we can pivot on the TLS certificate, which leads us to 5 additional servers worthy of a second look.

https://app.hunt.io/images/blogs/lightspy/figure_6_6.webp
Figure 6: Pivot on AndroidControl TLS Certificate (Try it)

The certificates associated with LightSpy are reminiscent of the AndroidControl (WyrmSpy) names, with some notable differences:

LightSpy Certificate:

While both certificates follow a similar structure, the LightSpy certificate uses an Australian country code (C=AU) and generic organizational details. In contrast, the WyrmSpy certificate uses a US country code (C=US) and more specific, albeit fabricated, organizational information.

Despite these differences, the commonality in their structured format suggests a shared methodology or toolkit used by the threat actors behind both frameworks. This similarity can be a crucial indicator for defenders correlating and tracking related infrastructure more effectively.

https://app.hunt.io/images/blogs/lightspy/figure_7_7.webp
Figure 7: Example of a Short-lived LightSpy Certificate

Recently Seen Domains and Certificates

Once we establish a reliable query that consistently identifies malicious infrastructure, it's crucial not to rely solely on that detection method. Adversaries will likely make subtle server changes to evade detection or even transfer the IP address to another threat actor.

To counter this, we must periodically probe and reassess the identified servers (within reason), tracking changes over time. By doing so, we can proactively respond to these modifications and potentially differentiate between different threat actors using the same IP addresses or networks.

*It is crucial to be as discreet as possible when interacting directly with possible malicious infrastructure. Probing can tip off actors to your presence and expose your network to various attacks.

While investigating these various IPs, we identified a server, 103.43.17_99, that had recently started hosting the LightSpy certificate on port 54600. Additionally, this server hosts another certificate on port 443 issued by ZeroSSL for the domain yycclouds[.]com, which also resolves to this IP address.

https://app.hunt.io/images/blogs/lightspy/figure_8_8.webp
Figure 8: LightSpy Certificate Overlaps with ZeroSSL Certificate

The above domain is registered through GoDaddy and uses domaincontrol.com nameservers. As of the time of writing, there are no subdomains or web pages associated with the yycclouds domain.

Conclusion

In this post, we explored the intricate infrastructure of the LightSpy spyware framework and its successor, WyrmSpy. We highlighted the significance of focusing on TLS certificates and patterns in hosting providers, particularly in the Asia-Pacific region. Understanding these elements, along with critical infrastructure components such as ports, server software, hosting, domain registration, and certificates, allows us to better track and anticipate the evolving tactics of these threat actors.

Sign up for an account with Hunt to stay informed on the latest trends in malicious infrastructure and enhance your defensive capabilities.

Indicators

IP AddressNotes
103.27.109_217LightSpy C2
43.248.136_110LightSpy C2
103.27.109_28LightSpy C2
38.55.97_178LightSpy C2
103.43.17_99LightSpy C2
43.248.136_104LightSpy C2
45.125.34_126LightSpy C2
45.155.220_194LightSpy C2
154.91.196_185LightSpy C2
222.219.183_84LightSpy C2
47.241.218_217WrymSpy C2
8.219.55.216Shared certificate w/ WrymSpy
47.242.108_245Shared certificate w/ WrymSpy
47.242.56_232Shared certificate w/ WrymSpy
161.117.253_231Shared certificate w/ WrymSpy
CertificateSHA-256
LightSpyefbfbd517e0727efbfbd48efbfbdd3b8efbfbdc69938efbfbd09efbfbd7cefbfbd3aefbfbd42417c
WrymSpyefbfbd2c41efbfbd012e034a170964efbfbdd68fefbfbd2c0eefbfbd424aefbf bd5e13efbfbd6824
TABLE OF CONTENTS

Introduction

In this post, we'll detail the infrastructure of the LightSpy spyware framework and highlight the unique TLS certificates that have been instrumental in identifying its servers.

We’ll examine specific characteristics of the LightSpy network, such as commonly used ports, preferred hosting providers, registration details, and both existing and newly discovered certificates from our scans. This article aims to equip defenders with the information necessary to understand and anticipate the behaviors of the actors behind this operation.

A Quick Refresher

LightSpy is a sophisticated surveillance framework targeting iOS, Android, macOS, and Windows devices, focusing on the Asia-Pacific region. This framework is designed to exfiltrate a wide range of sensitive data from mobile devices, including files, screenshots, detailed location information (such as building floor numbers), voice recordings from WeChat calls, and payment information from WeChat Pay.

Additionally, LightSpy captures data from popular messaging apps like Telegram and QQ Messenger, highlighting its extensive capabilities and significant threat potential.

The following recent blog posts provide a more technical analysis of malware infiltrating networks.

Huntress – “LightSpy Malware Variant Targeting macOS
ThreatFabric – “LightSpy: Implant for macOS
Lookout – “Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41

Overview of LightSpy’s Infrastructure

According to our scans, most of LightSpy's infrastructure is located in China and Hong Kong, with a single server identified in Japan. Topway Global Limited and ChinaNet comprise most of the servers hosting the certificates associated with the framework. Based on our visibility, figure 1 displays a graph highlighting the most popular hosting companies.

We didn’t forget about AndroidControl, also known as WyrmSpy, LightSpy’s reported successor. In the next section, we will cover the certificates behind both LightSpy and AndroidControl in detail.

https://app.hunt.io/images/blogs/lightspy/figure_1_2.webp
Figure 1: Common Hosting Companies in Hunt Platform

LightSpy uses a range of high ports for certificates, typically in the 50k+ range. In contrast, AndroidControl commonly uses port 443 for its control panel and port 3389 for Remote Desktop Protocol (RDP). Both frameworks leverage Nginx servers for their infrastructure, with LightSpy often seen using Nginx version 1.14.0 and AndroidControl using version 1.10.3.

Hunt scans found that ports 51200 and 53501 are the most popular ports for LightSpy.

The top 10 ports are depicted below.

https://app.hunt.io/images/blogs/lightspy/figure_2_2.webp
Figure 2: Most Popular Ports in Hunt

Detecting WyrmSpy was previously as straightforward as searching for web pages that display the HTML title (“AndroidControl v1.0.4”). However, this detection method is not foolproof and is easily changed by the actor(s) administering the server, rendering the query useless.

Like LightSpy, WyrmSpy uses a unique TLS certificate for its control panel. This procedure of using distinct certificates leads to a small number of IP addresses sharing it. While the title and certificate are easily changed, focusing on the latter allows researchers to identify related infrastructure, even if the page is altered or the actor has not yet started using the panel.

At the very least, we can get an idea of the certificate authority (if applicable) preferred by the attacker and the naming conventions used.

https://app.hunt.io/images/blogs/lightspy/figure_3_3.webp
Figure 3: Screenshot of AndroidControl (WrymSpy) HTML Title Panel

Hunt is currently tracking 12 servers presenting the certificate we will discuss below.

Take a look for yourself using the Active C2 Servers feature here.

https://app.hunt.io/images/blogs/lightspy/figure_4_4.webp
Figure 4: Just a Few of the LightSpy IP Addresses Available for Analysis in Hunt

Following the Certificates

We referenced the WyrmSpy certificate multiple times without displaying it. The full self-signed certificate is as follows:

  • C=US
  • ST=State of California
  • O=hxwa
  • OU=John
  • CN=X
  • emailAddress=X3057@gmail.com

If you've been following our blogs, you may recall our post on a cluster of ShadowPad infrastructure that used certificates spoofing the American technology company Dell. In that post, we highlighted several servers with RDP certificates following the "iZ[13 alphanumeric characters]” pattern. Notably, 47.241.218_217, identified as WyrmSpy infrastructure, employs a similar naming convention, as illustrated in Figure 5.

ShadowPad blog post:
https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates

https://app.hunt.io/images/blogs/lightspy/figure_5_5.webp
Figure 5: Certificates used on WrymSpy Server

Unfortunately, the trail ran cold on the above RDP certificate as we could not locate any additional servers using the above naming convention. However, we can pivot on the TLS certificate, which leads us to 5 additional servers worthy of a second look.

https://app.hunt.io/images/blogs/lightspy/figure_6_6.webp
Figure 6: Pivot on AndroidControl TLS Certificate (Try it)

The certificates associated with LightSpy are reminiscent of the AndroidControl (WyrmSpy) names, with some notable differences:

LightSpy Certificate:

While both certificates follow a similar structure, the LightSpy certificate uses an Australian country code (C=AU) and generic organizational details. In contrast, the WyrmSpy certificate uses a US country code (C=US) and more specific, albeit fabricated, organizational information.

Despite these differences, the commonality in their structured format suggests a shared methodology or toolkit used by the threat actors behind both frameworks. This similarity can be a crucial indicator for defenders correlating and tracking related infrastructure more effectively.

https://app.hunt.io/images/blogs/lightspy/figure_7_7.webp
Figure 7: Example of a Short-lived LightSpy Certificate

Recently Seen Domains and Certificates

Once we establish a reliable query that consistently identifies malicious infrastructure, it's crucial not to rely solely on that detection method. Adversaries will likely make subtle server changes to evade detection or even transfer the IP address to another threat actor.

To counter this, we must periodically probe and reassess the identified servers (within reason), tracking changes over time. By doing so, we can proactively respond to these modifications and potentially differentiate between different threat actors using the same IP addresses or networks.

*It is crucial to be as discreet as possible when interacting directly with possible malicious infrastructure. Probing can tip off actors to your presence and expose your network to various attacks.

While investigating these various IPs, we identified a server, 103.43.17_99, that had recently started hosting the LightSpy certificate on port 54600. Additionally, this server hosts another certificate on port 443 issued by ZeroSSL for the domain yycclouds[.]com, which also resolves to this IP address.

https://app.hunt.io/images/blogs/lightspy/figure_8_8.webp
Figure 8: LightSpy Certificate Overlaps with ZeroSSL Certificate

The above domain is registered through GoDaddy and uses domaincontrol.com nameservers. As of the time of writing, there are no subdomains or web pages associated with the yycclouds domain.

Conclusion

In this post, we explored the intricate infrastructure of the LightSpy spyware framework and its successor, WyrmSpy. We highlighted the significance of focusing on TLS certificates and patterns in hosting providers, particularly in the Asia-Pacific region. Understanding these elements, along with critical infrastructure components such as ports, server software, hosting, domain registration, and certificates, allows us to better track and anticipate the evolving tactics of these threat actors.

Sign up for an account with Hunt to stay informed on the latest trends in malicious infrastructure and enhance your defensive capabilities.

Indicators

IP AddressNotes
103.27.109_217LightSpy C2
43.248.136_110LightSpy C2
103.27.109_28LightSpy C2
38.55.97_178LightSpy C2
103.43.17_99LightSpy C2
43.248.136_104LightSpy C2
45.125.34_126LightSpy C2
45.155.220_194LightSpy C2
154.91.196_185LightSpy C2
222.219.183_84LightSpy C2
47.241.218_217WrymSpy C2
8.219.55.216Shared certificate w/ WrymSpy
47.242.108_245Shared certificate w/ WrymSpy
47.242.56_232Shared certificate w/ WrymSpy
161.117.253_231Shared certificate w/ WrymSpy
CertificateSHA-256
LightSpyefbfbd517e0727efbfbd48efbfbdd3b8efbfbdc69938efbfbd09efbfbd7cefbfbd3aefbfbd42417c
WrymSpyefbfbd2c41efbfbd012e034a170964efbfbdd68fefbfbd2c0eefbfbd424aefbf bd5e13efbfbd6824

Related Posts:

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.