Examining Predator Mercenary Spyware

HYAS Labs, the R&D arm of HYAS, has been following the research by CitizenLab and Sekoia on the mercenary spyware “Predator,” made by Cytrox. Recently, as reported by CitizenLab, the malware was discovered targeting an Egyptian former MP who announced ambitions to run for presidency. Sekoia then shared that they had been researching infrastructure that overlapped CitizenLab’s research, and they shared their findings. We investigated the IOCs mentioned in both reports using HYAS Insight, our threat intelligence and investigation solution, and found details that could lead toward threat actor attribution.

Attack

Access to this type of “point and shoot” technology is typically limited to governments. The spyware is offered as a SaaS product for fighting terrorism, but has developed a reputation for being misused. Most citizens are unlikely to be targeted with this type of malware; however, certain professions seem more likely to be targeted by a government, such as reporter, politician, or activist.

Mercenary spyware like Predator is highly sophisticated, often chaining together multiple 0-day attacks to gain control of a target's device for the purpose of spying on the individual. The attacks are typically of the one-click, or sometimes zero-click, variety, meaning limited or no victim interaction is required for the infection to occur.

Sometimes a link is sent to the victim which must be clicked, but the zero-click infections arrive in the form of a video call, or image file, and no action is required from the victim. Once infected, the attacker will have access to the data on the device, as well as the camera and microphone.

Defend

On Sept 22, the same date the CitizenLab report was released, Apple released security updates for CVE-2023-41991, CVE-2023-41992, CVE-2023-41993 which together could be chained to inject code and elevate privileges to root level and take over the system. These (and future) device security updates are currently our best defense against the most sophisticated of attacks used by mercenary spyware.

Some non-signature-based endpoint tools that monitor the heuristics of the device might identify the spyware and could be effective against these 0-day attacks. Also, Protective DNS (PDNS) could potentially block some of the domains involved in the attack chain.

People who are concerned about being the target of mercenary spyware should reboot their phones daily, as it hasn’t been reported that Predator has persistence after reboot.

Identify

Infected devices will erase some of the evidence of the attack, such as the initial payload: the phishing message the victim recently received is no longer on the device. This odd behavior seems to be an indicator of compromise. Potential victims who suspected their phone might be infected have provided their device to CitizenLab for analysis.

Like any other device infected with malware, there would likely be DNS requests and communication with command and control domains that could be identified in a lab environment.

Insight Into a Threat Actor

Sekoia identified three domains related to Madagascar that “seem to have been created by the threat actor itself”:

  • soutien-a-rajoelina[.]com
  • emergence-mada[.]com
  • sahia-mijoro[.]com

HYAS Insight can accept a variety of types of IOCs and allows threat intelligence analysts to see connections in adversary infrastructure. Sometimes the results contain domain registration details not available in open source tools. We input the IOCs provided in the blog posts and found domain registration details on two of the above domains. Soutien-a-rajoelina[.]com and emergence-mada[.]com were both registered under the same name, email, and phone number.

These two domains are the only ones registered by the same registrant, an individual in Madagascar. We have shared details with relevant law enforcement agencies because of the information we identified and the surrounding circumstances.
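The pivot described above, grouping domains by shared registrant fields, can be illustrated with a small clustering routine. This is an added example and is not HYAS code or HYAS Insight output; the WHOIS-style records, registrant names, emails and phone numbers below are constructed placeholders, and only the grouping (two of the three domains sharing a registrant, the third with redacted details) mirrors what the post reports.

```python
"""Cluster defanged domain IOCs by a normalized registrant fingerprint.

Added example with constructed data; not HYAS Insight's implementation.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed WHOIS-style records. Registrant values are placeholders, not
# the real registration details; only the cluster shape follows the post.
RECORDS = [
    {"domain": "soutien-a-rajoelina[.]com", "name": "REGISTRANT-A",
     "email": "Registrant-A@example.invalid", "phone": "+261 00 000 0001"},
    {"domain": "emergence-mada[.]com", "name": "registrant-a",
     "email": "registrant-a@example.invalid", "phone": "+261-00-000-0001"},
    # Third domain: privacy-protected registration, nothing to pivot on.
    {"domain": "sahia-mijoro[.]com", "name": None, "email": None, "phone": None},
]

Fingerprint = Tuple[Optional[str], Optional[str], Optional[str]]


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'x[.]com' back into a plain domain."""
    return ioc.strip().lower().replace("[.]", ".")


def normalize_phone(phone: Optional[str]) -> Optional[str]:
    """Keep digits only so '+261 00 ...' and '+261-00-...' compare equal."""
    return "".join(ch for ch in phone if ch.isdigit()) if phone else None


def registrant_key(rec: dict) -> Optional[Fingerprint]:
    """Case-folded name and email plus digits-only phone; None if all redacted."""
    name = rec["name"].strip().casefold() if rec["name"] else None
    email = rec["email"].strip().casefold() if rec["email"] else None
    phone = normalize_phone(rec["phone"])
    if not any((name, email, phone)):
        return None
    return (name, email, phone)


def cluster_by_registrant(records: List[dict]) -> Dict[Fingerprint, List[str]]:
    """Return only fingerprints shared by more than one domain."""
    clusters: Dict[Fingerprint, List[str]] = defaultdict(list)
    for rec in records:
        key = registrant_key(rec)
        if key is None:
            continue  # redacted WHOIS: cannot be linked by registrant
        clusters[key].append(refang(rec["domain"]))
    return {k: v for k, v in clusters.items() if len(v) > 1}


def pivot_from_domain(seed: str, records: List[dict]) -> List[str]:
    """Given one domain, list the other domains that share its registrant."""
    seed = refang(seed)
    for cluster in cluster_by_registrant(records).values():
        if seed in cluster:
            return [d for d in cluster if d != seed]
    return []


if __name__ == "__main__":
    for key, domains in cluster_by_registrant(RECORDS).items():
        print(key, "->", domains)
    print(pivot_from_domain("soutien-a-rajoelina[.]com", RECORDS))
```

The normalization step matters in practice: registrars store the same person's details with inconsistent case, spacing and phone formatting, and a naive string comparison would miss the link that the case-folded, digits-only fingerprint catches here.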

HYAS Insight combines data from a variety of internal and external sources to provide the analyst useful information about the malware and adversary infrastructure they are researching.

Protective DNS as a Defensive Measure

HYAS Protect is a protective DNS solution that prevents malicious domains from resolving to their IP addresses. By blocking domains from resolving, various segments of the malware infection, like staging and exfiltration, would be unable to function.

We took the list of domains posted and tested them against HYAS Protect to see how many would resolve and how many would be rejected. 78.7% of the domains were rejected by HYAS Protect.
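The two defensive checks described in this post, spotting DNS requests to known command-and-control domains in a lab environment and measuring how much of an IOC list a protective DNS policy would reject, both reduce to matching query names against a blocklist. The following is an added example, not HYAS Protect or any HYAS code: the blocklist holds the three defanged domains from the Sekoia report plus a constructed placeholder, the DNS log lines and their format are constructed, and the rejection rate it computes is for that sample only, not the 78.7% figure above.

```python
"""Match DNS query logs against a defanged IOC list, PDNS-style.

Added example with constructed input; not HYAS Protect's implementation.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed blocklist: three domains named in the post plus a placeholder.
BLOCKLIST_IOCS = [
    "# predator infrastructure (defanged)",
    "soutien-a-rajoelina[.]com",
    "emergence-mada[.]com",
    "sahia-mijoro[.]com",
    "staging-placeholder[.]example",  # constructed placeholder, not a real IOC
]

# Constructed query log in a simple "<ts> client <ip> query: <name> <type>" form.
LOG_LINES = [
    "2023-09-22T10:00:01Z client 10.0.0.5 query: www.soutien-a-rajoelina.com A",
    "2023-09-22T10:00:02Z client 10.0.0.5 query: ocsp.example.net A",
    "2023-09-22T10:00:03Z client 10.0.0.7 query: emergence-mada.com. AAAA",
    "2023-09-22T10:00:04Z client 10.0.0.7 query: cdn.staging-placeholder.example A",
    "2023-09-22T10:00:05Z client 10.0.0.9 query: notemergence-mada.com A",
    "this line is malformed and must be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$"
)


def refang(ioc: str) -> str:
    """Normalize an indicator: defang brackets, case, trailing root dot."""
    return ioc.strip().lower().replace("[.]", ".").rstrip(".")


def load_blocklist(iocs: Iterable[str]) -> Set[str]:
    """Build the policy set, ignoring blank lines and '#' comments."""
    return {refang(i) for i in iocs if i.strip() and not i.lstrip().startswith("#")}


def is_blocked(qname: str, blocklist: Set[str]) -> bool:
    """Block a name if it, or any parent domain of it, is on the list.

    Walks label suffixes so 'www.x.com' matches a listed 'x.com', while a
    lookalike such as 'notx.com' does not (the match is on whole labels).
    """
    labels = refang(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def evaluate_log(lines: Iterable[str], blocklist: Set[str]) -> Tuple[List[Dict], float]:
    """Return per-query verdicts and the percentage of queries rejected."""
    verdicts: List[Dict] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        blocked = is_blocked(m["qname"], blocklist)
        verdicts.append({"src": m["src"], "qname": m["qname"], "blocked": blocked})
    total = len(verdicts)
    rejected = sum(1 for v in verdicts if v["blocked"])
    rate = round(100.0 * rejected / total, 1) if total else 0.0
    return verdicts, rate


if __name__ == "__main__":
    policy = load_blocklist(BLOCKLIST_IOCS)
    results, pct = evaluate_log(LOG_LINES, policy)
    for v in results:
        print(("BLOCK " if v["blocked"] else "allow ") + v["qname"], "from", v["src"])
    print(f"{pct}% of queries rejected")
```

Suffix matching on whole labels is the detail to get right: a policy that only compares exact names misses subdomains the operator stages under a listed domain, and a naive substring match would wrongly flag unrelated names that merely contain a listed string.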

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack. This includes the origin, current infrastructure being used and any infrastructure.

Learn More About HYAS Protect

HYAS Protect enforces security and blocks command and control (C2) communication used by malware, ransomware, phishing, and supply chain attacks. All the while, it delivers on-demand intelligence to enhance your existing security and IT governance stack.
