Skip Navigation
BlackBerry Blog

LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign

Summary

In April 2024, BlackBerry identified a significant evolution in the LightSpy malware campaign, demonstrating enhanced capabilities and advanced data theft mechanisms. The threat actor behind LightSpy, who we believe with a high level of confidence is associated with Chinese cyber-espionage group APT41, has now expanded their toolset with the introduction of DeepData, a modular Windows-based surveillance framework that significantly broadens their espionage capabilities.

Threat Overview

  •  A new modular malware framework (DeepData v3.2.1228)
  • 12 specialized plugins for comprehensive data theft
  • Enhanced cross-platform surveillance capabilities
  • Sophisticated command-and-control infrastructure
  • Strategic targeting of communications platforms

Critical Capabilities

Our new finding demonstrates extended depth and breadth in data collection:

Communication Surveillance:

  • Unauthorized infiltration of major messaging platforms (WhatsApp, Telegram, Signal, WeChat)
  • Email monitoring (Outlook)
  • Corporate communication tools (DingDing, Feishu)

Credential Theft:

  • Browser credentials and history
  • Application passwords
  • Network authentication data
  • Password manager targeting (KeePass)

System Intelligence:

  • Detailed system information collection
  • Network configuration harvesting
  • installed software inventory
  • Audio recording capabilities

What is LightSpy Spyware?

LightSpy is an advanced espionage tool that was discovered in early 2020. It is a sophisticated, modular, surveillance-oriented toolkit for stealing sensitive information from victims, focusing on the Asia-Pacific region.

Its modular structure utilizes multiple plugins to track the victim. Each plugin is responsible for a different functionality aspect, such as access to the microphone, browser, or geolocation. The plugins are also designed to extract information about the device and files stored on it, including data from private messaging apps such as Telegram and WeChat.

Who is APT41?

APT41 (also known as Double Dragon) is a high-profile and highly prolific cyber-espionage group with alleged ties to the Chinese Ministry of State Security (MSS). First seen in 2012 attacking developers working in the video-game industry, the group soon expanded its reach to target high-tech firms, including media. In more recent years, the group’s digital tendrils have extended from intelligence gathering into further areas of government interest, including healthcare, education, telecommunications, and technology.

Technical Analysis

During our ongoing investigation into LightSpy and the associated advanced Android surveillance spyware WyrmSpy (also attributed to APT41), BlackBerry’s cyber threat intelligence team discovered an interesting file — deepdata.zip — being hosted by APT41’s C2.  

This file contained an additional four files, shown below in Figure 1:

Figure 1: Deepdata.zip contents.

Localupload.exe is a simple program that allows the user to upload a directory of files to a remote host.

Figure 2: localupload.exe usage.

Data.dll decrypts mod.dat and loads an espionage tool we have named DeepData, due to the file name given to it by the threat actor. DeepData has a similar layout to its related malware/spyware, LightSpy; a core module, frame.exe in this case, and many plugins.

Data.dll is has been observed looking for the following DLL files. Of these, 11 are listed as plugins by the C2 API:

  • appdata.dll - plugin
  • Audio.dll - plugin
  • ChatIndexDB.dll - plugin
  • ffmpeg.dll
  • frame.dll
  • iumdll.dll
  • OutlookX32.dll - plugin
  • Pass.dll - plugin
  • ProductList.dll - plugin
  • SocialSoft.dll - plugin
  • SystemInfo.dll - plugin
  • Tdm.dll - plugin
  • Telegram.dll
  • ucrtbase.enclave.dll
  • WebBrowser.dll - plugin
  • wifiList.dll - plugin

A handy readme.txt file included with DeepData demonstrates use of the stealer with manual execution, via the file rundll32.exe. The C2 address is also specified as a command line argument, as are the requested plugins to be run or data to extract. The implication of this execution method is that it must be done manually, sans a script or some other bundling distribution.

As such, we currently believe that this tool is run by the actor post exploitation.  

Detailed Technical Analysis:

DeepData Core

DeepData (conveniently for us) comes with a readme.txt:

Figure 3: Readme.txt for DeepData.

Many of the plugin program database (PDB) strings imply that this is version 2 of DeepData:

Figure 4: Plugin PDB strings.

Meanwhile, strings in frame.exe, decrypted from mod.dat, imply that the current version number is 3.2.1228.

Figure 5: DeepData version string showing current version number.
 

MD5

SHA256

b9129d83af902908fa7757e906ec0afe

666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724

ITW File Name

Data.dll

Compilation Stamp

2024-03-19 3:47:44

File Type/Signature

PE32 DLL

File Size

186880 bytes

PDB Path

D:\Code\OtherWork\DeepDataH\bin\data.pdb


DeepData has support for a wide range of Windows versions. To deliver the correctly compiled plugin version, the following Windows versions are checked:

Figure 6: DeepData’s supported Windows versions.

MD5

SHA256

0f0fadd0546734c5c82f3c33d8268046

cf59cd171270ec9bc2baf618838eb57802cc9d48f64205da308406811dd4da92

ITW File Name

Frame.exe

Compilation Stamp

2024-02-27 02:04:24

File Type/Signature

PE32 executable (console) Intel 80386, for MS Windows

File Size

741280 bytes

PDB Path

D:\tmpWork\deepdata-v2\deepdata\bin\frame.pdb

Version

3.2.1228


Plugins

Figure 7. DeepData plugins overview.

The plugin files all have a similar export functionality. All plugins contain exports for their version, name, command ID, and command execution.

Figure 8: DeepData plugin exports.

Appdata Plugin

MD5

SHA256

7efb1bc15ee6e3043f8eaefcf3f10864

ac7e20d4ddccc5e249ff0c1a72e394f9c1667a896995cf55b97b4f9fbf5de2fd

ITW File Name

appdata.dll

Compilation Stamp

2024-01-15 11:26:12

File Type/Signature

PE32 DLL

File Size

16546816 bytes

PDB Path

G:\xmh_miqu_key\xmh\密取\appdata\Release\appdata.pdb

(*The Chinese characters in the PDB Path shown above roughly translate as “secret.”)

The appdata plugin contains multiple binaries in its resource section which are used for collecting data from instant messaging clients. The plugin attempts to access applications such as:

  • WxWorks – A real-time operating system (RTOS) used by developers, designed for use in embedded systems.
  • FeiShu – An enterprise collaboration platform developed by ByteDance, a Chinese Internet technology company.
  • Signal an open-source, encrypted messaging service for instant messaging, voice calls, and video calls, based in the U.S..
  • WhatsApp – An instant messaging and voice-over-IP (VoIP) service owned by U.S.-based technology conglomerate Meta.

This application technically copies the functionality of the ChatIndexedDb.dll plugin in many ways. The difference is that it tries to access more applications. Perhaps the threat actor, having extended the functionality of this plugin appdata.dll, decided to use it in an attempt to access more applications, since ChatIndexedDb.dll targets only two apps.

We are basing this hypothesis on the fact that ChatIndexedDb.dll was compiled in October 2023, when the appdata.dll was built in early January 2024.

The appdata.dll plugin contains two executable libraries: WhatsApp.dll, and Signal.dll. These libraries will be launched when the plugin is running. WhatsApp.dll is essentially a copy of the library included in ChatIndexedDb.dll.

MD5

SHA256

d66776ee123ef2947bc3175653a68d05

ccfd6ef35c718e2484b3727035d162b667f4b56df43324782d106f50ed1e3bcc

ITW File Name

WhatsApp.dll

Compilation Stamp

2024-01-06 07:52:25

File Type/Signature

PE64 DLL

File Size

10225664 bytes

PDB Path

G:\xmh_miqu_key\xmh\密取\appdata\Release\Whatsapp.pdb

 

MD5

SHA256

ea47fd87c1b109d5fd529c213aea6b30

37a1ffaba2e3ea9a7b2aa272b0587826cc0b5909497d3744ec8c114b504d2544

ITW File Name

Signal.dll

Compilation Stamp

2024-01-04 2:49:18

File Type/Signature

PE64 DLL

File Size

3003904 bytes

PDB Path

G:\xmh_miqu_key\xmh\密取\appdata\Release\signal.pdb

 

Figure 9: Code that unloads data from different messengers.

Appdata also contains X509 certificates for Windows Phone.

Figure 10: X509 Certificates in appdata.dll.

SystemInfo Plugin

MD5

SHA256

8625c0cf0748d04d43db54884ee13672

213520170fc7113ac8f5e689f154f5c8074dd972584b56d820c19d84b7e5b477

ITW File Name

SystemInfo.dll

Compilation Stamp

2023-10-26 11:37:28

File Type/Signature

PE32 DLL

File Size

458240 bytes

PDB Path

G:\xmh_miqu_key\xmh\密取\SystemInfo\Release\SystemInfo.pdb


This plugin (SystemInfo.dll) is designed to collect information on the user's system. It can collect the following information about a user and then send it back to a server that is controlled by the threat actor:

  • Information about the processes running on the system, including paths to the executable files running in the system.
  • Data about user accounts in the system.
  • Network connection information including active port numbers.
  • Information about running services on the system.
  • List of drivers installed on the system, including their version and developer name.

wifiList Plugin

MD5

SHA256

4b9aa7d571be1a6ec62931c4c6624328

460f1a00002e1c713a7753293b4737e65d27d0b65667b109d66afca873c23894

ITW File Name

wifiList.dll

Compilation Stamp

2022-08-19 11:29:45

File type/Signature

PE32 DLL

File Size

1240576 bytes

PDB Path

E:\zyx\dll\Dll1\Debug\wifiList.pdb


This plugin (wifiList.dll) is designed to collect information about wireless networks to which the user's device is connected, and save it in the file "WifiList.json." It also collects the list of keys to connect to wireless networks to which the user's device is connected, and saves them in the file "wifiKey.json." The plugin also collects the list of available networks for the victim's device.

After collecting all of this information, the plugin sends these two files to the threat actor’s server.

WebBrowser Plugin

MD5

SHA256

7529f56dde7a8302947982c43080bfcc

b523cdd1669dbd7ab68b43fd20f30a790ec0351876a0610958b9405468753a10

ITW File Name

WebBrowser.dll

Compilation Stamp

2023-11-16 09:03:55

File Type/Signature

PE32 DLL

File Size

741280 bytes

PDB Path

D:\tmpWork\deepdata-v2\deepdata\bin\x86\WebBrowser.pdb


This plugin (WebBrowser.dll) collects sensitive user information such as cookies, browsing history, passwords, and autocomplete data from popular browsers (Chrome, Firefox, Edge, Opera). It interacts with local browser databases, retrieving data via SQL queries and standard file paths, and processes it by applying cryptographic algorithms for decoding and hashing. At the same time, the plugin also contains error-handling modules to ensure stable operation.

Pass Plugin

MD5

SHA256

6ce2477efe7e853cea90764db5a64e6e

041c13a29d3bee8d2e4bd9d8bde8152b5ac8305c1efcc198244b224e33635282

ITW File Name

Pass.dll

Compilation Stamp

2023-10-27 08:55:22

File type/
Signature

PE32 DLL

File Size

3589632 bytes

PDB Path

G:\xmh_miqu_key\xmh\密取\Pass\Release\Pass.pdb


This plugin (Pass.dll) attempts to collect account information as well as passwords from the following applications:

  • BaiduNetDisk – A cloud storage service provided by Baidu, Inc., headquartered in Beijing.
  • QQ An instant messaging software service and web portal developed by the Chinese technology company Tencent.
  • FoxMail A freeware email client also developed by Tencent.
  • MailMaster – An AI-powered email assistant.
  • OneDrive – A file-hosting service operated by Microsoft.

This plugin also contains libraries of the "KeeFarce" project, which allows the unauthorized extraction of KeePass 2.x password database information from memory. The libraries are:

  • KeeFarce.dll
  • Bootstrap.dll

Using these libraries, the plugin attempts to extract passwords and other information from the KeePass application installed on the victim's device. The plugin then sends all collected data to a remote server controlled by the threat actor.  

OutlookX32 Plugin

MD5

SHA256

fb99f5da9c0c46c27e17dc2dc1e162d7

2bfb82a43bb77127965a4011a87de845242b1fb98fd09085885be219e0499073

ITW File Name

OutlookX32.dll

Compilation Stamp

2024-02-27 02:04:24

File type/
Signature

PE32 executable

File Size

774656 bytes

PDB Path

G:\xmh_miqu_key\xmh\密\outlook\outlook_2022.12.14\OUTLOOK\Bin\OutlookX32.pdb


This plugin (OutlookX32.dll) is designed to steal information from Microsoft’s Outlook application. The plugin attempts to access the following information:

  • User emails
  • Mail folders in the Outlook client
  • User's contact list

ProductList Plugin

MD5

SHA256

48f8b7e0db439336549b93bda8633cd2

724351b5cc9ad496a6c9486b8ef34772f640590a90293f913f005e994717134b

ITW File Name

ProductList.dll

Compilation Stamp

2023-10-20 13:24:30

File Type/
Signature

PE32 DLL

File Size

2273280 bytes

PDB Path

E:\zyx\dll\ProductList\Debug\ProductList.pdb


This plugin is designed to collect information about installed applications on the system. It can collect the applications' names and installation paths and transmit them to a server controlled by the threat actor.

SocialSoft Plugin

MD5

SHA256

4b9aa7d571be1a6ec62931c4c6624328 c3995f28476f7a775f4c1e8be47c64a300e0f16535dc5ed665ba796f05f19f73

ITW file name

SocialSoft.dll

Compilation stamp

2023-10-13 11:35:41

File type/Signature

PE32 DLL

File size

1240576 bytes

PDB Path

D:\tmpWork\deepdata-v2\deepdata\bin\x86\SocialSoft.pdb


This plugin (SocialSoft.dll) is designed to allow unauthorized access to the following applications:

  • WeChat A Chinese instant messaging, social media, and mobile payment app developed by Tencent.
  • DingDing One of the largest mobile enterprise communication and collaboration apps in China, with over 100 million users.
  • Telegram – A cloud-based, cross-platform, social media and instant messaging service.
  • Feishu – An enterprise collaboration platform developed by ByteDance, a Chinese Internet technology company.
  • QQ – An instant messaging software service and web portal developed by the Chinese technology company Tencent.
  • Skype – An IP-based videotelephony, videoconferencing and voice call service developed by Microsoft.

The plugin attempts to access messages and data stored in application directories. If message theft succeeds, the plugin packages the messages and sends them to a server controlled by the threat actor.

Audio Plugin

MD5

SHA256

d521bf0f24c839e7ceb5db77de090fbc

55e2dbb906697dd1aff87ccf275efd06ee5e43bb21ea7865aef59513a858cf9f

ITW File name

Audio.dll

Compilation Stamp

2023-07-08 8:51:34

File type/
Signature

PE32 DLL

File Size

7405056 bytes

PDB Path

C:\Users\GT1\source\repos\Audio_miqu\Release\Audio.pdb


This plugin (Audio.dll) is designed to record the audio environment with a microphone on the target system device. At runtime, the plugin extracts another executable library (audio.core.dll) from its body that is packaged by the UPX packer.

 Unpacked sample audio.core.dll:

MD5

SHA256

3b61d82be05f18754238e26b835da103

b79629e820cdd36d0daed964a2c0338e125a1f90f08e226f52dc60070747c62e

ITW File Name

audio.core.dll

Compilation Stamp

2023-07-08 7:43:13

File Type/
Signature

PE32 DLL

File Size

17922560 Bytes (17 MiB)

PDB Path

C:\Users\GT1\source\repos\Audio_miqu\Release\audio.core.pdb


This plugin uses open-source libraries called FFmpeg 4.3.5 to record audio. The plugin records audio in Advanced audio Encoding (.aac) format and saves the recording to a %temp% folder. AAC is an audio coding standard for lossy digital audio compression. It achieves higher sound quality than MP3 at the same bit rate.

Along with the command to record audio, the plugin will receive the audio recording duration in seconds. After the recording is complete, the audio file will be transferred to a server controlled by the threat actor.

Figure 11: The code of the plugin that starts the sound recording.

ChatIndexedDb Plugin

MD5

SHA256

4b9aa7d571be1a6ec62931c4c6624328

88e5ca44189dabb4cec8a183f6268a42f3f92b2c6d7c722d7f55efd3dc5334c8

ITW File Name

ChatIndexedDb.dll

Compilation Stamp

2023-10-26 10:23:30

File type/
Signature

PE32 DLL

File Size

9354240 bytes

PDB Path

G:\xmh_miqu_key\xmh\密取\ChatIndexedDb\Release\ChatIndexedDb.pdb


This plugin is used by a threat actor to monitor the WhatsApp and Zalo apps installed on Windows. Zalo is a mobile messaging app that is most popular in Vietnam, with an 82% usage rate in 2024, and 77.6 million monthly active users. The plugin will attempt to copy all application data from these apps. It also monitors the data shared by the user in private chats with their other contacts.

It additionally contains the WhatsApp.dll library in its body, which is specially designed to steal data and messages from the WhatsApp application. If the data theft is successful, the plugin packs the data and sends it to a server controlled by the threat actor.

WhatsApp.dll Library

MD5

SHA256

847ec30a4ff2391f1eb7669c22940e51

735d59c0949e258501e177ec2dd5fbb60df9fa401ace08949b89077c6f0d41d0

ITW File Name

WhatsApp.dll

Compilation Stamp

2023-10-23 03:14:00

File Type/
Signature

PE32 DLL

File Size

8998400 bytes

PDB Path

E:\xmh\密取\appdata\Release\Whatsapp.pdb

 

Figure 12: A plugin that uploads WhatsApp data.                                               

Tdm Plugin

MD5

SHA256

bdd8926f4be6576653ac96ee732d587a

efff4106cfd21a356b13a5a99c626a4f103f03b9491c0f1f5e135c1e3c84e76c

ITW File Name

Tdm.dll

Compilation Stamp

2023-12-05 6:58:05

File type/
Signature

PE64 DLL

File Size

214016 bytes

PDB Path

D:\Code\project\MiQuH\MiQuH\Release\Tdm.pdb


This plugin downloads a library called Telegram.dll and injects it into the address space of the “Telegram for Windows” application. This plugin attempts to copy all the information in the user's chats, including contacts, messages, images, audio, and video. If the copying is successful, the plugin sends the data to a server controlled by the threat actor.

MD5

SHA256

e79da1e448c60e12d835b47735f9da03 a560931baa404189257ec9cbcc2b9449c579018218cc1d70c99b1d36dd292a0e

ITW File Name

Telegram.dll

Compilation Stamp

2024-02-20 02:24:09

File Type/
Signature

PE64 DLL

File Size

7098336 bytes

PDB Path

D:\CodeS\compile\tg471\tdesktop\out\Release\Telegram.pdb

 

Figure 13: The code that injects the Telegram.dll library into the Telegram for Widows process.

Network Infrastructure

The front-end application programming interface (API) of APT41’s LightSpy implant has an endpoint called cmd_list at the uri /ujmfanncy76211/front_api/cmd_list. This dumps a json blob containing all of the supported commands for a given C2 deployment.

Below is a list of all commands with Windows in the supported operating system (OS) values. It is noteworthy that “Windows Keylogger” is new as of the middle of October 2024.

Command ID

Action

10015

Upload Log

10900

Get the basics

11001

Get the basics

12001

Wechat

12002

WeChat contact

12003

WeChat Groups

12004

WeChat text message

12005

WeChat File Message

13001

Single Positioning

14001

Default Browser History

14101

Browser password

14102

Browser History

14103

If a browser cookie

16001

Access to software

16002

Get process

16003

Software Account

16006

Get process information

17001

Wifi connected

17002

Peripheral wifi

19004

Screen Recording

43001

Get the basics of windows

43002

Windows keylogger

25001

QQ Account

25002

QQ Contact

25003

QQ Group

25004

QQ text message

25005

QQ File Message

26001

Telegram Account

26002

Telegram Contacts

26003

Telegram Group

26004

Telegram Text Messages

26005

Telegram File Message

27001

Get a WhatsApp account

27002

Get WhatsApp contacts

27003

Get WhatsApp Groups

27004

Get WhatsApp text messages

27005

Get WhatsApp file information

28001

Get a line account

28002

Get line contacts

28003

Get line group

28004

Get line text information

28005

Get line file information


Researchers at Hunt.io published a great writeup on tracking LightSpy and WyrmSpy C2. Internet intelligence-based threat hunting platform Censys even implemented resource identifiers for both LightSpy and WyrmSpy.

A new SSL certificate is being used on some of the C2 servers: C=CN, ST=BJ, L=BJ, O=Company, emailAddress=admin[at]zb.com.

At the time of writing, four of the 10 systems online using this certificate are LightSpy C2s. Many of these C2s have a login page at the uri /qazxswedcvfr/login. Both LightSpy and WyrmSpy C2s have been seen hosting this certificate and login page. The favicon indicates use of the open-source Vue JavaScript framework, which is in line with previous web interfaces created for or by this developer.

Figure 14. Page to login to the C2 control panel.

DeepData is hosted on C2 utilizing this certificate on port 28992 for the plugin server, and port 28993 for command-and-control.

Figure 15: Network locations from deepdata’s config.json.

Another new SSL certificate is shared by a single WyrmSpy C2:

Subject: O=https Project, CN=httpsServer
            Issuer: O=https Project Certificate Authority

This certificate is only utilized by three servers also hosted on the same ASN as many of the LightSpy and WyrmSpy C2s.

IP

SSL Certificate

45[.]155[.]220[.]79

LightSpy

45[.]155[.]220[.]194

LightSpy

45[.]125[.]34[.]126

LightSpy

43[.]248[.]136[.]215

LightSpy

43[.]248[.]136[.]110

LightSpy, admin[at]zb.com

43[.]248[.]136[.]104

LightSpy

38[.]55[.]97[.]178

LightSpy

222[.]219[.]183[.]84

LightSpy

203[.]83[.]9[.]62

admin[at]zb.com

203[.]83[.]9[.]60

admin[at]zb.com

203[.]83[.]10[.]112

https Project

202[.]43[.]239[.]13

admin[at]zb.com

154[.]91[.]196[.]185

LightSpy

119[.]147[.]213[.]48

WyrmSpy, admin[at]zb.com, https Project

118[.]195[.]234[.]243

LightSpy

103[.]43[.]18[.]95

admin[at]zb.com

103[.]43[.]18[.]22

admin[at]zb.com

103[.]43[.]17[.]99

LightSpy

103[.]27[.]109[.]28

LightSpy, admin[at]zb.com

103[.]27[.]109[.]217

LightSpy, admin[at]zb.com

103[.]27[.]108[.]122

admin[at]zb.com, https Project

207[.]148[.]77[.]93

WyrmSpy

 

SSL Certificate

sha256 fingerprint

LightSpy

c0d4517e0727e94887d3b8a2c6c69938930995a8bcf37c9dafbd3a86b042417c

WyrmSpy

f0fc2c418e012e034a170964c0d68fee2c0efe424a90b0f4c4cd5e13d1e36824

admin[at]zb.com

2cede95138f60dfaee4aa3538962ca2ab7dada376dd3977d56e0e6e208001a73

https Project

4fd541e0c899260511c5c0ebd5ccaa134078d50d268a35af60e22422673c48ee


Threat Actor Analysis: LightSpy Timeline Context

Pre-2022

  • Initial development of LightSpy malware
  • Early targeting and deployment phases
  • Establishment of basic infrastructure

2022

August 19, 2022

  • Compilation of wifiList.dll plugin
  • Initial development of network reconnaissance capabilities

2023

July 2023

  • July 8: Compilation of Audio.dll (7:43:13 UTC)
  • July 8: Compilation of audio.core.dll with FFmpeg 4.3.5 integration (8:51:34 UTC)

October 2023

  • October 13: Compilation of SocialSoft.dll (11:35:41 UTC)
    • Introduction of social media monitoring capabilities
    • Unauthorized infiltration of WeChat, DingDing, Telegram, Feishu, QQ, and Skype
  • October 20: Compilation of ProductList.dll (13:24:30 UTC)
    • Application enumeration functionality added
  • October 23: Initial WhatsApp.dll compilation (03:14:00 UTC)
  • October 26: Multiple component updates
    • SystemInfo.dll compilation (11:37:28 UTC)
    • ChatIndexedDb.dll compilation (10:23:30 UTC)
    • Enhanced messaging platform surveillance capabilities
  • October 27: Compilation of Pass.dll (08:55:22 UTC)
    • Integration of password stealing capabilities
    • Implementation of KeePass targeting functionality

November 2023

  • November 16: Compilation of WebBrowser.dll (09:03:55 UTC)
    • Browser credential theft capabilities added

December 2023

  • December 5: Compilation of Tdm.dll (06:58:05 UTC)
    • Telegram-specific monitoring capabilities introduced

2024

January 2024

  • January 4: Compilation of Signal.dll (02:49:18 UTC)
    • Signal messenger monitoring capability added
  • January 6: Updated WhatsApp.dll compilation (07:52:25 UTC)
  • January 15: Compilation of appdata.dll (11:26:12 UTC)
    • Enhanced data collection capabilities
    • Integration with multiple messaging platforms

February 2024

  • February 27: Multiple significant updates
    • Compilation of Frame.exe (02:04:24 UTC)
    • Compilation of OutlookX32.dll (02:04:24 UTC)
    • Implementation of email surveillance capabilities

March 2024

  • March 19: Compilation of Data.dll (03:47:44 UTC)
    • Core component of DeepData framework

April 2024

  • Mid-October: Introduction of new "Windows Keylogger" functionality
    • Identification of new SSL certificates in use
    • Discovery of expanded C2 infrastructure
       

Infrastructure Evolution

Current Active C2 Infrastructure

  • 22 identified C2 servers across multiple ASNs
  • Implementation of new SSL certificates:
    • Certificate with admin[at]zb.com
    • Certificate from "https Project"
    • Deployment of Vue Javascript-based control panel
    • Implementation of specialized login pages at /qazxswedcvfr/login
       

Key Observations

Development Acceleration

  • Intense development period from October 2023 to April 2024
  • Significant expansion of capabilities and modules
  • Regular updates and improvements to core components

Capability Evolution

  • Progressive addition of new messaging platform support
  • Enhanced data collection capabilities
  • Improved stealth and persistence mechanisms

Infrastructure Development

  • Continuous expansion of C2 infrastructure
  • Implementation of new security certificates
  • Enhanced operational security measures

Operational Sophistication

  • Module-based development approach
  • Regular updates to core components
  • Strategic timing of capability rollouts


Conclusions

Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering. Since their initial development of the LightSpy spyware implant in 2022, the attacker has been persistently and methodically working on the strategic targeting of communication platforms, with the emphasis on stealth and persistent access.

The sophisticated modular architecture, comprehensive surveillance capabilities, and robust infrastructure detailed in this report suggest a well-resourced and technically proficient threat actor with strategic objectives.

Organizations of all sizes, particularly those in targeted regions, should treat this threat as a high priority and implement comprehensive defensive measures. The continued evolution of tools like DeepData indicates a persistent threat that will likely expand in both capability and scope as time goes on.

Victimology

Based on the victims that the threat actor hiding behind LightSpy has targeted in the past, and also based on the applications DeepData attempts to access, we believe that the intended targets are located in Southeast Asia, and, with a medium degree of probability, can be associated with political activists, politicians and journalists.

Countermeasures

BlackBerry customers are protected against the DeepData IoCs listed in this blog post by endpoint protection solutions such as CylanceENDPOINT™. CylanceENDPOINT leverages advanced AI to detect threats before they cause damage, minimizing business disruptions and the costs incurred during a ransomware attack.

Recommendations for Defenders

  1. Block identified command-and-control infrastructure.
  2. Monitor network and devices for unauthorized audio recording activities.
  3. Use secure communications platforms for business sensitive data.
  4. Deploy detection rules for DeepData components.
  5. Review logs for indicators of compromise (IoCs).
  6. Assess exposure of sensitive communication channels.
     

APPENDIX 1 – IoCs (Indicators of Compromise)

Name

 

Data.dll

 

Name

Md5

Sha256

Data.dll

b9129d83af902908fa7757e906ec0afe

666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724

Name

Md5

Sha256

Frame.exe

0f0fadd0546734c5c82f3c33d8268046

cf59cd171270ec9bc2baf618838eb57802cc9d48f64205da308406811dd4da92

Name

Md5

Sha256

Tdm.dll

bdd8926f4be6576653ac96ee732d587a

efff4106cfd21a356b13a5a99c626a4f103f03b9491c0f1f5e135c1e3c84e76c

Name

Md5

Sha256

ChatIndexedDb.dll

4b9aa7d571be1a6ec62931c4c6624328

88e5ca44189dabb4cec8a183f6268a42f3f92b2c6d7c722d7f55efd3dc5334c8

Name

Md5

Sha256

Audio.dll

d521bf0f24c839e7ceb5db77de090fbc

55e2dbb906697dd1aff87ccf275efd06ee5e43bb21ea7865aef59513a858cf9f

Name

Md5

Sha256

SocialSoft.dll

4b9aa7d571be1a6ec62931c4c6624328

c3995f28476f7a775f4c1e8be47c64a300e0f16535dc5ed665ba796f05f19f73

Name

Md5

Sha256

ProductList.dll

48f8b7e0db439336549b93bda8633cd2

724351b5cc9ad496a6c9486b8ef34772f640590a90293f913f005e994717134b

Name

Md5

Sha256

OutlookX32.dll

fb99f5da9c0c46c27e17dc2dc1e162d7

2bfb82a43bb77127965a4011a87de845242b1fb98fd09085885be219e0499073

Name

Md5

Sha256

Pass.dll

6ce2477efe7e853cea90764db5a64e6e

041c13a29d3bee8d2e4bd9d8bde8152b5ac8305c1efcc198244b224e33635282

Name

Md5

Sha256

WebBrowser.dll

7529f56dde7a8302947982c43080bfcc

b523cdd1669dbd7ab68b43fd20f30a790ec0351876a0610958b9405468753a10

Name

Md5

Sha256

SystemInfo.dll

8625c0cf0748d04d43db54884ee13672

213520170fc7113ac8f5e689f154f5c8074dd972584b56d820c19d84b7e5b477

Name

Md5

Sha256

appdata.dll

7efb1bc15ee6e3043f8eaefcf3f10864

ac7e20d4ddccc5e249ff0c1a72e394f9c1667a896995cf55b97b4f9fbf5de2fd

Name

Md5

Sha256

wifiList.dll

4b9aa7d571be1a6ec62931c4c6624328

460f1a00002e1c713a7753293b4737e65d27d0b65667b109d66afca873c23894

Name

Md5

Sha256

WhatsApp.dll

d66776ee123ef2947bc3175653a68d05

ccfd6ef35c718e2484b3727035d162b667f4b56df43324782d106f50ed1e3bcc

Name

Md5

Sha256

WhatsApp.dll

847ec30a4ff2391f1eb7669c22940e51

735d59c0949e258501e177ec2dd5fbb60df9fa401ace08949b89077c6f0d41d0

Name

Md5

Sha256

Signal.dll

ea47fd87c1b109d5fd529c213aea6b30

37a1ffaba2e3ea9a7b2aa272b0587826cc0b5909497d3744ec8c114b504d2544

Name

Md5

Sha256

audio-core.dll

3b61d82be05f18754238e26b835da103

b79629e820cdd36d0daed964a2c0338e125a1f90f08e226f52dc60070747c62e

Name

Md5

Sha256

Telegram.dll

e79da1e448c60e12d835b47735f9da03

a560931baa404189257ec9cbcc2b9449c579018218cc1d70c99b1d36dd292a0e

PDB Path

D:\Code\OtherWork\DeepDataH\bin\data.pdb

D:\tmpWork\deepdata-v2\deepdata\bin\frame.pdb

G:\xmh_miqu_key\xmh\密取\appdata\Release\appdata.pdb

G:\xmh_miqu_key\xmh\密取\appdata\Release\Whatsapp.pdb

G:\xmh_miqu_key\xmh\密取\appdata\Release\signal.pdb

G:\xmh_miqu_key\xmh\密取\SystemInfo\Release\SystemInfo.pdb

E:\zyx\dll\Dll1\Debug\wifiList.pdb

D:\tmpWork\deepdata-v2\deepdata\bin\x86\WebBrowser.pdb

G:\xmh_miqu_key\xmh\密取\Pass\Release\Pass.pdb

G:\xmh_miqu_key\xmh\密\outlook\outlook_2022.12.14\OUTLOOK\Bin\OutlookX32.pdb

E:\zyx\dll\ProductList\Debug\ProductList.pdb

D:\tmpWork\deepdata-v2\deepdata\bin\x86\SocialSoft.pdb

C:\Users\GT1\source\repos\Audio_miqu\Release\Audio.pdb

C:\Users\GT1\source\repos\Audio_miqu\Release\audio.core.pdb

G:\xmh_miqu_key\xmh\密取\ChatIndexedDb\Release\ChatIndexedDb.pdb

E:\xmh\密取\appdata\Release\Whatsapp.pdb

D:\Code\project\MiQuH\MiQuH\Release\Tdm.pdb

D:\CodeS\compile\tg471\tdesktop\out\Release\Telegram.pdb

Network Indicators

119[.]147[.]213[.]48:28992/asdgdsfdsfasd/WebBrowser[.]dll

119[.]147[.]213[.]48:28992/asdgdsfdsfasd/localupload[.]exe

119[.]147[.]213[.]48:28992/asdgdsfdsfasd/Tdm[.]dll

119[.]147[.]213[.]48:28992/asdgdsfdsfasd/OutlookX32[.]dll

119[.]147[.]213[.]48:28992/asdgdsfdsfasd/WebBrowser[.]dll

119[.]147[.]213[.]48:28992/asdgdsfdsfasd/Tdm[.]dll

119[.]147[.]213[.]48:28992/asdgdsfdsfasd/SocialSoft[.]dll

119[.]147[.]213[.]48:28992/asdgdsfdsfasd/ChatIndexedDb[.]dll

119[.]147[.]213[.]48:28992/asdgdsfdsfasd/Audio[.]dll

119[.]147[.]213[.]48:28992/asdgdsfdsfasd/ProductList[.]dll

119[.]147[.]213[.]48:28992/asdgdsfdsfasd/frame[.]dll

119[.]147[.]213[.]48:28992/asdgdsfdsfasd/data[.]dll

202[.]43[.]239[.]13:28992/asdgdsfdsfasd/SystemInfo[.]dll      

202[.]43[.]239[.]13:28992/asdgdsfdsfasd/ChatIndexedDb[.]dll

202[.]43[.]239[.]13:28992/asdgdsfdsfasd/SocialSoft[.]dll

202[.]43[.]239[.]13:28992/asdgdsfdsfasd/appdata[.]dll

202[.]43[.]239[.]13:28992/asdgdsfdsfasd/ChatIndexedDb[.]dll

202[.]43[.]239[.]13:28992/asdgdsfdsfasd/SocialSoft[.]dll

202[.]43[.]239[.]13:28992/asdgdsfdsfasd/appdata[.]dll

103[.]255[.]176[.]176:28992/ asdgdsfdsfasd/Telegram[.]dll

 

APPENDIX 2 – Applied Countermeasures

Yara Rules

rule DeepData_Spy_tool {

meta:
    description = "Rule to detect LightSpy-DeepData Windows files"
    author = "The BlackBerry Research and Intelligence Team"
    last_modified = "2024-11-12"
    version = "1.0"

strings:
    $a1 = {78 6d 68 5f 6d 69 71 75 5f 6b 65 79 5c 78 6d 68 5c e5 af 86} // \xmh_miqu_key\xmh\密
    $a2 = "CodeS\\compile\\tg471\\desktop" ascii wide
    $a3 = "zyx\\dll\\ProductList\\Debug" ascii wide
    $a4 = "Users\\GT1\\source\\repos\\Audio_miqu" ascii wide
    $a5 = "\\Code\\OtherWork\\DeepDataH\\" ascii wide
    $a6 = "\\tmpWork\\deepdata-v2\\deepdata" ascii wide
    $a7 = "\\Code\\project\\MiQuH\\MiQuH" ascii wide
    $b1 = "WiFi Tool ExecuteCommand without" ascii wide
    $b2 = "\\zyx\\dll\\Dll1\\Debug" ascii wide

condition:
    uint16(0) == 0x5a4d and (filesize < 25000KB) and ((any of ($a*)) or (all of ($b*)))}


Suricata Rules

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Blackberry CTI - APT41 DeepData qweasdzxc api request"; flow:established,to_server; content:"qweasdzxc/api/"; http_uri; classtype:command-and-control; sid:1; rev:1; metadata:created_at 2024_11_11;)


Django Debugging Dump From DeepData API Endpoint

qweasdzxc/api/ ^user/$ [name='user-list']
qweasdzxc/api/ ^user/change_password/$ [name='user-change-password']
qweasdzxc/api/ ^user/clear/$ [name='user-clear']
qweasdzxc/api/ ^user/group_permission/$ [name='user-group-permission']
qweasdzxc/api/ ^user/info/$ [name='user-info']
qweasdzxc/api/ ^user/load_all/$ [name='user-load-all']
qweasdzxc/api/ ^user/update_state/$ [name='user-update-state']
qweasdzxc/api/ ^user/(?P<pk>[^/.]+)/$ [name='user-detail']
qweasdzxc/api/ ^sys_log/$ [name='syslog-list']
qweasdzxc/api/ ^sys_log/clear/$ [name='syslog-clear']
qweasdzxc/api/ ^sys_log/load_all/$ [name='syslog-load-all']
qweasdzxc/api/ ^sys_log/(?P<pk>[^/.]+)/$ [name='syslog-detail']
qweasdzxc/api/ ^log/$ [name='log-list']
qweasdzxc/api/ ^log/clear/$ [name='log-clear']
qweasdzxc/api/ ^log/load_all/$ [name='log-load-all']
qweasdzxc/api/ ^log/serial_del/$ [name='log-serial-del']
qweasdzxc/api/ ^log/(?P<pk>[^/.]+)/$ [name='log-detail']
qweasdzxc/api/ ^file/$ [name='file-list']
qweasdzxc/api/ ^file/add_upsert_file/$ [name='file-add-upsert-file']
qweasdzxc/api/ ^file/celery_start_file/$ [name='file-celery-start-file']
qweasdzxc/api/ ^file/celery_status/$ [name='file-celery-status']
qweasdzxc/api/ ^file/clear/$ [name='file-clear']
qweasdzxc/api/ ^file/count/$ [name='file-count']
qweasdzxc/api/ ^file/download/$ [name='file-download']
qweasdzxc/api/ ^file/load_all/$ [name='file-load-all']
qweasdzxc/api/ ^file/serial_del/$ [name='file-serial-del']
qweasdzxc/api/ ^file/update_priority/$ [name='file-update-priority']
qweasdzxc/api/ ^file/upload/$ [name='file-upload']
qweasdzxc/api/ ^file/(?P<pk>[^/.]+)/$ [name='file-detail']
qweasdzxc/api/ ^setting/$ [name='settings-list']
qweasdzxc/api/ ^setting/clear/$ [name='settings-clear']
qweasdzxc/api/ ^setting/clear_mem/$ [name='settings-clear-mem']
qweasdzxc/api/ ^setting/clear_redis_key/$ [name='settings-clear-redis-key']
qweasdzxc/api/ ^setting/info/$ [name='settings-info']
qweasdzxc/api/ ^setting/load_all/$ [name='settings-load-all']
qweasdzxc/api/ ^setting/(?P<pk>[^/.]+)/$ [name='settings-detail']
qweasdzxc/api/ ^group/$ [name='group-list']
qweasdzxc/api/ ^group/clear/$ [name='group-clear']
qweasdzxc/api/ ^group/load_all/$ [name='group-load-all']
qweasdzxc/api/ ^group/(?P<pk>[^/.]+)/$ [name='group-detail']
qweasdzxc/api/ ^terminal/$ [name='terminal-list']
qweasdzxc/api/ ^terminal/clear/$ [name='terminal-clear']
qweasdzxc/api/ ^terminal/data_count/$ [name='terminal-data-count']
qweasdzxc/api/ ^terminal/load_all/$ [name='terminal-load-all']
qweasdzxc/api/ ^terminal/load_serial/$ [name='terminal-load-serial']
qweasdzxc/api/ ^terminal/serial_del/$ [name='terminal-serial-del']
qweasdzxc/api/ ^terminal/(?P<client>[^/.]+)/$ [name='terminal-detail']
qweasdzxc/api/ ^client/$ [name='client-list']
qweasdzxc/api/ ^client/clear/$ [name='client-clear']
qweasdzxc/api/ ^client/load_all/$ [name='client-load-all']
qweasdzxc/api/ ^client/(?P<pk>[^/.]+)/$ [name='client-detail']
qweasdzxc/api/ ^browser/password/$ [name='browserpassword-list']
qweasdzxc/api/ ^browser/password/count/$ [name='browserpassword-count']
qweasdzxc/api/ ^browser/password/serial_del/$ [name='browserpassword-serial-del']
qweasdzxc/api/ ^browser/password/sort/$ [name='browserpassword-sort']
qweasdzxc/api/ ^browser/history/$ [name='browserhistory-list']
qweasdzxc/api/ ^browser/history/count/$ [name='browserhistory-count']
qweasdzxc/api/ ^browser/history/serial_del/$ [name='browserhistory-serial-del']
qweasdzxc/api/ ^browser/history/sort/$ [name='browserhistory-sort']
qweasdzxc/api/ ^browser/cookie/$ [name='browsercookie-list']
qweasdzxc/api/ ^browser/cookie/count/$ [name='browsercookie-count']
qweasdzxc/api/ ^browser/cookie/serial_del/$ [name='browsercookie-serial-del']
qweasdzxc/api/ ^browser/cookie/sort/$ [name='browsercookie-sort']
qweasdzxc/api/ ^browser/file/$ [name='browserfile-list']
qweasdzxc/api/ ^browser/file/clear/$ [name='browserfile-clear']
qweasdzxc/api/ ^browser/file/load_all/$ [name='browserfile-load-all']
qweasdzxc/api/ ^browser/file/(?P<pk>[^/.]+)/$ [name='browserfile-detail']
qweasdzxc/api/ ^chat/account/$ [name='group-account']
qweasdzxc/api/ ^chat/cache/$ [name='group-cache']
qweasdzxc/api/ ^chat/chat_contact/$ [name='group-chat-contact']
qweasdzxc/api/ ^chat/chat_file/$ [name='group-chat-file']
qweasdzxc/api/ ^chat/chat_group/$ [name='group-chat-group']
qweasdzxc/api/ ^chat/chat_group_member/$ [name='group-chat-group-member']
qweasdzxc/api/ ^chat/chat_message/$ [name='group-chat-message']
qweasdzxc/api/ ^chat/chat_session/$ [name='group-chat-session']
qweasdzxc/api/ ^chat/forward/$ [name='group-forward']
qweasdzxc/api/ ^mail/account/$ [name='client-account']
qweasdzxc/api/ ^mail/clear/$ [name='client-clear']
qweasdzxc/api/ ^mail/contacts/$ [name='client-contacts']
qweasdzxc/api/ ^mail/delete/$ [name='client-delete']
qweasdzxc/api/ ^mail/download/$ [name='client-download']
qweasdzxc/api/ ^mail/download_attachment/$ [name='client-download-attachment']
qweasdzxc/api/ ^mail/download_contacts/$ [name='client-download-contacts']
qweasdzxc/api/ ^mail/mail_content/$ [name='client-mail-content']
qweasdzxc/api/ ^mail/mail_folder/$ [name='client-mail-folder']
qweasdzxc/api/ ^mail/mail_list/$ [name='client-mail-list']
qweasdzxc/api/ ^mail/unpack/$ [name='client-unpack']
qweasdzxc/api/ ^wifi/list/$ [name='wifilist-list']
qweasdzxc/api/ ^wifi/password/$ [name='wifipassword-list']
qweasdzxc/api/ ^edition/$ [name='edition-list']
qweasdzxc/api/ ^edition/clear/$ [name='edition-clear']
qweasdzxc/api/ ^edition/load_all/$ [name='edition-load-all']
qweasdzxc/api/ ^edition/(?P<pk>[^/.]+)/$ [name='edition-detail']
qweasdzxc/api/ ^software/$ [name='software-list']
qweasdzxc/api/ ^export/$ [name='exportlist-list']
qweasdzxc/api/ ^export/clear/$ [name='exportlist-clear']
qweasdzxc/api/ ^export/export_pause/$ [name='exportlist-export-pause']
qweasdzxc/api/ ^export/load_all/$ [name='exportlist-load-all']
qweasdzxc/api/ ^export/restart_export/$ [name='exportlist-restart-export']
qweasdzxc/api/ ^export/serial_export/$ [name='exportlist-serial-export']
qweasdzxc/api/ ^export/(?P<pk>[^/.]+)/$ [name='exportlist-detail']
qweasdzxc/api/ ^directory/$ [name='directory-list']
qweasdzxc/api/ ^port/$ [name='port-list']
qweasdzxc/api/ ^sys_user/$ [name='sysuser-list']
qweasdzxc/api/ ^service/$ [name='service-list']
qweasdzxc/api/ ^target_log/$ [name='targetlog-list']
qweasdzxc/api/ ^drive/$ [name='drive-list']
qweasdzxc/api/ ^process/$ [name='process-list']
qweasdzxc/api/ ^net_card/$ [name='netcard-list']
qweasdzxc/api/ ^session/$ [name='session-list']
qweasdzxc/api/ ^plugin/template/$ [name='plugintemplate-list']
qweasdzxc/api/ ^plugin/template/clear/$ [name='plugintemplate-clear']
qweasdzxc/api/ ^plugin/template/load_all/$ [name='plugintemplate-load-all']
qweasdzxc/api/ ^plugin/template/(?P<pk>[^/.]+)/$ [name='plugintemplate-detail']
qweasdzxc/api/ ^account/acc_list/$ [name='client-acc-list']
qweasdzxc/api/ ^account/account_details/$ [name='account-account-details']
qweasdzxc/api/ ^account/delete_account/$ [name='account-delete-account']
qweasdzxc/api/ ^order/logistics_order/$ [name='order-logistics-order']
qweasdzxc/api/ ^order/order_list/$ [name='order-order-list']
qweasdzxc/api/ ^history/search_history/$ [name='history-search-history']
qweasdzxc/api/ ^contact/contacts_tab/$ [name='contact-contacts-tab']
qweasdzxc/api/ ^social_dynamics/dynamic_list/$ [name='social_dynamics-dynamic-list']
qweasdzxc/api/ ^forums/forums_data/$ [name='forums-forums-data']
qweasdzxc/api/ ^pan/source/file/$ [name='pan-file']
qweasdzxc/api/ ^pan/source/unpack/$ [name='pan-unpack']
qweasdzxc/api/ ^sms/info/$ [name='sms-info']
qweasdzxc/api/ ^application/app_history/$ [name='application-app-history']
qweasdzxc/api/ ^file/data/download/$ [name='FileData-download']
qweasdzxc/api/ ^white/client/add_ip/$ [name='WhiteClient-add-ip']
qweasdzxc/api/ ^white/client/del_ip/$ [name='WhiteClient-del-ip']
qweasdzxc/api/ ^white/client/ips/$ [name='WhiteClient-ips']
qweasdzxc/api/ ^white/client/reload/$ [name='WhiteClient-reload']
qweasdzxc/api/ ^chat/chat_history/$ [name='chat-chat-history']
qweasdzxc/api/ ^chat/session_list/$ [name='chat-session-list']
qweasdzxc/api/login/
qweasdzxc/api/plugin/
qweasdzxc/api/command/
qweasdzxc/api/client_plugin_ship/
qweasdzxc/api/refresh/ [name='token_refresh']
api/third/terminal/upsert/
api/third/terminal/finish/
api/third/file/mirror/
api/third/file/upload_info/
api/third/file/upload/
api/third/plugin/upload/
api/third/socialsoft/skype_cookie/
api/third/file/get_modify_date/
api/third/log/upload/
api/third/plugin/
api/third/hash/upload/
api/third/windows/service/list/
api/third/windows/user/list/
api/third/windows/port/list/
api/third/windows/process/list/
api/third/windows/driver/list/
api/third/windows/ipconfigall/list/
api/third/windows/accountInfo/upload/
api/third/windows/session/list/
api/third/websocket/send/
api/reset_state/
 


Related Reading

The BlackBerry Research and Intelligence Team

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.

Whether it's identifying new vulnerabilities or staying ahead of sophisticated attack tactics, we are dedicated to securing your digital assets with cutting-edge research and innovative solutions.