At the beginning of this year, experts at Kaspersky Lab discovered a large-scale watering hole attack aimed at Hong Kong residents, during which multifunctional iOS malware called LightSpy was installed on victims' smartphones. Such attacks are named by analogy with the tactics of predators that hunt at a watering hole, waiting for prey: animals that have come to drink. That is, attackers place malware on resources that their intended victims visit.
LightSpy infiltrated victims' smartphones when they visited one of several pages disguised as local news resources. Such fakes were easy to create: the attackers simply copied the code of the legitimate sites, obtaining ready-made clones of news resources. Links to these sites were distributed through popular forums in Hong Kong.
When a victim visited one of these resources, a whole set of exploits was delivered to the smartphone, resulting in the installation of LightSpy itself. In fact, it was enough simply to open the malicious page; the device was infected without any additional user interaction.
Researchers say that LightSpy is a modular backdoor with which an attacker can remotely execute a variety of commands on an infected device. For example, it can determine the location of the smartphone, obtain the contact list and call history, see which Wi-Fi networks the victim has connected to, scan the local network and send data about all detected IP addresses to the server. In addition, during the period in which the experts observed the campaign, the backdoor had additional modules for stealing information from the Keychain, data from the WeChat, QQ and Telegram instant messengers, and browser history from Safari and Chrome.
At the same time, it is reported that the operators of this campaign, whom the researchers call the TwoSail Junk group, did not use zero-day vulnerabilities but so-called first-day (1-day) vulnerabilities, that is, recently discovered problems for which patches had only just been released and were included only in the latest system updates. Thus, owners of smartphones running iOS 12.1 and 12.2 were at risk (the problem affects models from the iPhone 6s to the iPhone X).
Also, while analyzing the infrastructure used to distribute the iOS implants, the experts found a link pointing to malware for Android. According to the analysts, at the end of November 2019 this link was distributed via the Winuxhk and brothersisterfacebookclub Telegram channels, as well as through Instagram posts with lures in Chinese.
It is worth noting that Trend Micro specialists also prepared their own report on this campaign. They named the scheme Operation Poisoned News and write that the attacks were not aimed at specific users but at site visitors in general.
Trend Micro experts report that in the exploit chain the attackers used a recently fixed Safari bug that has no CVE identifier, together with a custom exploit for a kernel vulnerability, CVE-2019-8605, which Apple fixed in the summer of 2019, to gain root privileges.
Specialists from both companies link the activity of TwoSail Junk to the larger Chinese hacking group Spring Dragon, also known as Lotus Blossom and Billbug (Thrip). This group is responsible, in particular, for creating malware such as Lotus Elise and Evora.