Monday, April 15, 2024

Commercial PREDATOR Spyware – Delivered Through Zero-Click Exploit

Cisco Talos has published an analysis of a commercial spyware product sold by Intellexa (formerly Cytrox).

Spyware vendors design deployment procedures that often require little or no user interaction, and they go to great lengths to make the final payloads difficult to identify, obtain, analyze, and defend against.

The delivery method is typically an exploit chain. It can begin with a zero-click exploit such as FORCEDENTRY, developed by the Israeli spyware company NSO Group, or with a link the victim is tricked into clicking (a “one-click” exploit), such as the one the surveillance company Cytrox developed to deploy its spyware known as “PREDATOR.”

PREDATOR is an intriguing mercenary spyware that has existed since at least 2019.

It was designed to be flexible, so that new Python-based modules can be delivered without repeated exploitation, which makes it both versatile and dangerous.

It has been determined that it interacts with a second spyware component that is deployed alongside it, known as “ALIEN.”

Working together, the two components get around the Android operating system’s established security measures.

“A deep dive into both spyware components indicates that Alien is more than just a loader for Predator and actively sets up the low-level capabilities needed for Predator to spy on its victims,” Cisco Talos said.

Spyware Attack Stages

Like most spyware tools that have come to light recently, Intellexa’s spyware products consist of several parts that fall into three main categories, each corresponding to a stage of the attack.

The first two stages, exploitation and privilege escalation, make up the exploit chain: it begins by exploiting a remote vulnerability to gain remote code execution (RCE), then proceeds to mitigation bypass and privilege escalation, since the vulnerable processes are frequently low-privileged, in order to complete the attack.

“While ALIEN and PREDATOR can be used against Android and iOS mobile devices, the samples we analyzed were specifically designed for Android,” Talos explained.

“For privilege escalation, the spyware is configured to use a method called QUAILEGGS, or, if QUAILEGGS is not present, it will use a different method called “kmem.” The samples we analyzed were running QUAILEGGS.”

Cisco Talos suggested that Tcore could also have used additional features, including camera access, geolocation tracking, and shutdown simulation, to eavesdrop on victims discreetly.

Talos determined that the core spyware functionality is contained in the Tcore Python package. Analysis of the native code of ALIEN and PREDATOR shows that the spyware can record audio from phone calls and VoIP-based applications.

Additionally, it can gather data from some of the most widely used applications, including Signal, WhatsApp, and Telegram. Peripheral functionality allows applications to be hidden and prevented from running when the device reboots.

According to the assessment, KMEM offers arbitrary read and write access to the kernel address space.

“Alien is not just a loader but also an executor — its multiple threads will keep reading commands coming from Predator and executing them, providing the spyware with the means to bypass some of the Android framework security features,” the company said.

When combined, these components offer a range of information stealing, surveillance, and remote access capabilities. 

Talos does not have access to every component of the spyware, so this list of capabilities is not meant to be comprehensive.

If the spyware runs on a Samsung, Huawei, Oppo, or Xiaomi handset, it can also add certificates to the certificate store and enumerate the contents of various directories on disk.

The spyware is delivered as an ELF binary, which then sets up a Python runtime environment.

If the device manufacturer matches one of those names, the spyware recursively enumerates the contents of specific directories on disk.

Final Thoughts

Most commercial spyware is made for government use, and companies like NSO Group market their products as technology that aids in terrorism prevention, criminal investigation, and the protection of national security.

However, in recent years, ethical and legal concerns have surfaced around these surveillance tools, which the security community refers to as “mercenary spyware.”

In response to the rapid proliferation of these products and growing concern over their misuse, the Biden-Harris administration issued an Executive Order on March 27, 2023, which forbids the U.S. government from using commercial spyware that could endanger national security or that has been exploited by foreign parties to enable human rights abuses.


Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
