Operation Poisoned News, TwoSail Junk
Description
(Kaspersky) A watering hole was discovered on January 10, 2020 utilizing a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been designed to target users in Hong Kong based on the content of the landing page. Since the initial activity, we released two private reports exhaustively detailing spread, exploits, infrastructure and LightSpy implants.
We are temporarily calling this APT group “TwoSail Junk”. Currently, we have hints from known backdoor callbacks to infrastructure about clustering this campaign with previous activity. And we are working with colleagues to tie LightSpy with prior activity from a long-running Chinese-speaking APT group, previously reported on as Lotus Blossom, Spring Dragon, Thrip, known for their Lotus Elise and Evora backdoor malware. Considering that this LightSpy activity has been disclosed publicly by our colleagues from TrendMicro, we would like to further contribute missing information to the story without duplicating content. And, in our quest to secure technologies for a better future, we reported the malware and activity to Apple and other relevant companies.
Names
| Name | Name-Giver |
|---|---|
| Operation Poisoned News | Trend Micro |
| TwoSail Junk | Kaspersky |
Country
Motivation
- Information theft and espionage
First Seen
2020
Observed Countries
Tools
Information
- https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/
- https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf
Other Information
Uuid
e9cf8d80-c883-40ef-a5eb-907db5b0e4b0
Last Card Change
2020-05-01