# Full Report
The spyware’s developer, Intellexa, has been under pressure due to sanctions and public disclosure, but Recorded Future uncovered fresh activity. The post Predator spyware activity surfaces in new places with new tricks appeared first on CyberScoop.
# Analysis Summary
# Tool/Technique: Predator Spyware
## Overview
Predator is a surveillance and espionage tool developed by the vendor Intellexa (also known as the Intellexa Consortium). Despite facing sanctions and public exposure, the spyware remains active, with its developer adapting its operational security and infrastructure to evade disruption.
## Technical Details
- Type: Malware family (Spyware)
- Platform: Not stated in the source; as a surveillance implant, Predator is generally understood to target mobile devices.
- Capabilities: Surveillance, data exfiltration, evasion.
- First Seen: Not stated in the source; the reported activity is ongoing and evolving.
## MITRE ATT&CK Mapping
The source describes capabilities and ongoing adversary infrastructure rather than specific on-device execution techniques. As spyware, Predator broadly maps to the following tactics:
- **TA0010 - Exfiltration**
- **TA0011 - Command and Control**
- **TA0005 - Defense Evasion**
## Functionality
### Core Capabilities
Primary functions revolve around espionage and surveillance, implying capabilities such as data interception, monitoring, and potentially remote control of the target device.
### Advanced Features
Intellexa is actively refining its evasion techniques:
- **Infrastructure Adaptation:** Relying on a wide network of vendors, subsidiaries, and related companies to mask operations following sanctions.
- **Evasion Via Fake Websites:** Using decoy websites in four main categories to hide activity:
  1. Fake 404 error pages.
  2. Counterfeit login or registration pages.
  3. Sites indicating they are under construction.
  4. Websites purporting to be associated with specific entities (e.g., a conference).
## Indicators of Compromise
No specific low-level IoCs (hashes, IP addresses) are provided in this summary, but related infrastructure indicators include:
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not provided]
- Network Indicators: New infrastructure identified linked to Mozambique, a Czech entity, and an Eastern European cluster (activity noted Aug-Nov of the previous year).
- Behavioral Indicators: Malicious activity masked by the use of deceptive web pages (fake 404s, login pages, etc.).
## Associated Threat Actors
The primary developer/vendor is **Intellexa** (also known as the Intellexa Consortium).
- Groups known to use this tool/technique: No specific threat groups are named in the source, but the identified infrastructure suggests use by entities in **Mozambique**, the **Czech Republic**, and an **Eastern European country**.
## Detection Methods
The source focuses on tracking the developer's infrastructure and observing its evasion techniques:
- Signature-based detection: [Not specified]
- Behavioral detection: Detecting suspicious redirections or connections to infrastructure associated with Intellexa.
- YARA rules: [Not specified]
- Specific detection focus: Mapping the corporate structures through which Intellexa operates, and identifying traffic to the deceptive decoy websites (fake 404s, login pages, under-construction sites, entity-themed sites).
## Mitigation Strategies
- Prevention measures focus on disrupting corporate links and isolating known infrastructure clusters.
- Hardening recommendations likely include robust endpoint protection and domain/URL filtering to block connections to known deceptive sites impersonating legitimate services.
- Increased scrutiny of supply chain entities linked to known surveillance software vendors.
## Related Tools/Techniques
- Other commercial spyware developed by Intellexa or similar vendors operating covertly. (The article implies Predator is adapting to pressures similar to those faced by other high-profile surveillance tools.)