Predator is the result of a collaboration known as the Intellexa Alliance, which also comprises Senpai Technologies, Nexa Technologies, and Cytrox (later bought by WiSpear). In July 2023, the United States put Cytrox and Intellexa on its Entity List due to their "trafficking in cyber exploits used to gain access to information systems."
In regards to the issue, Cisco Talos researchers Mike Gentile, Asheer Malhotra, and Vitor Ventura said in a report, "In 2021, Predator spyware couldn't survive a reboot on the infected Android system (it had it on iOS[…]However, by April 2022, that capability was being offered to their customers."
The cybersecurity vendor first revealed the inner workings of Predator and its harmonic connection with another loader component named Alien more than six months ago.
"Alien is crucial to Predator's successful functioning, including the additional components loaded by Predator on demand[…]The relationship between Alien and Predator is extremely symbiotic, requiring them to continuously work in tandem to spy on victims," Malhotra told cybersecurity firm Hackernews in an interview.
Predator is a "remote mobile extraction system" that can target both Android and iOS. It is sold on a licensing model that can cost millions of dollars, depending on the number of concurrent infections and the exploit used for initial access. This puts Predator out of the reach of script kiddies and inexperienced criminals.
Spyware like Predator and Pegasus, which are designed by the NSO Group, often depend on zero-day exploit chains in Android, iOS, and web browsers as covert intrusion vectors. However, if Apple and Google keep patching the security holes, these attack chains can become useless and they will have to start over.
It is significant to note that the organizations that create mercenary surveillance tools can also obtain whole or partial exploit chains from brokers and transform them into a functional exploit that can be used to successfully compromise target devices.
Another noteworthy aspect of Intellexa’s business model is that it gives the task of building the attack infrastructure, giving them some degree of plausible deniability if the campaigns are discovered—which is an inevitable outcome.
"The delivery of Intellexa's supporting hardware is done at a terminal or airport," the researchers said. "This delivery method is known as Cost Insurance and Freight (CIF), which is part of the shipping industry's jargon ('Incoterms'). This mechanism allows Intellexa to claim that they have no visibility of where the systems are deployed and eventually located."
Furthermore, because the operations are intrinsically connected to the license, which is by default limited to a single phone country code prefix, Intellexa has "first-hand knowledge" of whether their customers are conducting surveillance activities outside of their own borders.
According to Ivan Kolpakov, Meduza’s editor-in-chief based in Latvia, it was obvious that Europeans should be very concerned about Pegasus in light of the discoveries regarding the hacking of his colleague Galina Timichenko by an as-yet-unconfirmed EU country.
“If they can use it against an exiled journalist there are no guarantees they cannot use it against local journalists as well[…]Unfortunately, there are a lot of fans in Europe, and we are not only talking about Poland and Hungary, but Western European countries as well,” said Kolpakov.
Since last month, the European Commission has been working on guidelines for how governments could employ surveillance technologies like spyware in compliance with EU data privacy and national security rules since last month. Despite the fact that member states are responsible for their own national security, the Commission is considering adopting a position after learning that 14 EU governments had purchased the Pegasus technology from NSO Group.
Apparently, Timichenko was targeted by Pegasus in February 2023 when she was in Berlin for a private gathering of Russian media workers exile. The meeting's subject was the threats posed by the Russian government's categorization of independent Russian media outlets as foreign agents.
Taking into account the work that Timichenko deals with, Russia was first suspected; but, according to the digital rights organization Access Now, additional information suggests that one of the intelligence services of an EU member state — the exact one is yet unknown — is more likely to be to blame.
Allegedly, the motive behind the hack could be that numerous Baltic nations, to whom Russia has consistently posed a threat, are worried that a few FSB or GRU agents may have infiltrated their borders among expatriate dissidents and journalists.
“It may happen and probably it actually happens, but in my opinion, it does not justify the usage of that kind of brutal tool as Pegasus against a prominent independent journalist,” Kolpakov said.
Kolpakov believes that the revelations have left the exiled community feeling they are not safe in Europe. “This spyware has to be banned here in Europe. It really violates human rights,” he added.
Researchers spotted malware peddlers openly selling an info-stealer on the Python Package Index (PyPI) — the official, public repository for the Python programming language — with only the thinnest concealment.
The attackers, who Sonatype researchers linked to the SylexSquad malware-as-a-service (MaaS) gang in Spain, gave their programme a not-so-subtle name: "reverse-shell." Reverse shells are programmes that are often used by hackers to run commands remotely and receive data from targeted machines.
"I think what's quite funny about this is that it's just so blatant," says Dan Conn, developer advocate at Sonatype. "Perhaps SylexSquad were advertising themselves, or they simply didn't care about being caught."
Inside the'reverse-shell' Data-Heisting Malware
Sonatype researchers were taken aback when they discovered a package dubbed "reverse-shell" on a public forum. "Why would someone name a malicious package in such a blatantly obvious way?" the researchers pondered in their blog article for Malware Monthly.
In actuality, the programme turned out to be much more than a reverse shell. This was revealed when the researchers studied one of its files, "WindowsDefender.py." WindowsDefender.py contains several routines with apparent names, such as get_login_data(), get_web_history(),get_downloads(),get_cookies(),get_credit_cards(),ImageGrab.grab().
According to the theme, the hackers had not gone to great lengths to conceal their intentions: this was malware designed to steal information.
"With no obfuscation, [this] appears to be a Discord bot that executes commands and performs actions on the infected machine," according to the analysis. "The malware can retrieve cookies, take screenshots, run shell commands, steal browsing history, and send all this data to the attacker's Discord channel."
More information can be found in another file called "setup.py." There were multiple Spanish-language instructions here to "Clone GitHub repository and execute file," "replace with URL of your GitHub repository," and "path where you want to clone the repo" — indicating that reverse-shell was a MaaS product.
Further investigation revealed several "Made by SylexSquad" tags sprinkled throughout the code, some of which was minimally obfuscated. The researchers discovered that SylexSquad was formerly a hacking marketplace running on the Sellix e-commerce platform in 2022. It has subsequently been decommissioned.
Publishing so publicly to a public repo could have been a deliberate attempt by the organisation to draw attention to their product. "How do we know about groups like Anonymous, LulzSec, or Killnet?" Conn inquires rhetorically. "It's because they get a bad reputation."
However, PyPI is considerably more valuable to them than that.
Why Do Hackers Use Public Repositories?
According to Sonatype, the SylexSquad attackers aren't the only miscreants using forums like PyPI and GitHub, and there are a variety of reasons for their audacity.
"Hosting malicious files on a public repository provides bad actors more control over them," the researchers explained in their blog. "It gives them the power of deleting, upgrading, or even doing version control of the payload."
Among other benefits, "it allows the malware to be shared a lot more widely," Conn elaborates, "and it might actually trip up, in particular, a lot of antivirus software that uses generic signatures — like, actual bytes — to store whether something is malicious or not."
In other words, rather of sending malware upfront, which antivirus scanners may detect fast, hackers can just provide a link to their harmful code elsewhere: "By providing a link to a GitHub, they're perhaps evading that check,"" he says.
To avoid becoming a hotspot for hackers, public repositories have protection safeguards in place. Even the finest scanners and moderators are not perfect, and they cannot be everywhere at the same time.
"Hackers take certain measures like encoding or otherwise obfuscating the code they host, to make it a little bit more difficult for automated engines to pick up," Juan Aguirre, security researcher at Sonatype, points out. SylexSquad encoded its malicious software as numbers in this example, utilising easily reversible ASCII codes for each character.
Sonatype reported the package to the PyPI maintainers, and it was removed. But "it's just a game of cat and mouse," Aguirre says. "Someone catches them and they just run to the next spot."
Aguirre sees this tale as part of a larger issue with open source software: as long as malware developers find use in public repositories, organisations must be conscious of the types of packages they may be picking up.
"It's important to understand what it is that you're running," he concludes. "This is a great case for that. You have to have a bill of materials, you've got to know what you're doing, and what dependencies you're using. If you're just blindly installing things and grabbing code you see, things like this could very easily get into your system."
There are several ways to stop devices from accessing your data, as per USA Today reports. Some call for physically blocking cameras and microphones. Laptops and desktop computers would be the finest platforms for this.
The evolution of search and technology will rely on individuals speaking to computers more fluidly to complete tasks. Along the road, users need to protect their privacy, and that process begins with the products employed currently. You might want to as a result or at least forbid them from exploiting such information. Due to transcription's imperfection, it is possible for it to unintentionally carry out your instructions and send odd messages to one of your contacts.
When it was discovered that Google Assistant and Amazon Alexa were recording random voice snippets in their formative days, criticism erupted. Some firmly gripped their conspiratorial hats, claiming that this was a brand-new dystopia tool for keeping an eye on millions of people. The likelihood is higher that the assistants misheard the cue and began anticipatorily listening for orders. These systems are not fault-tolerant and they can still make blunders.
Some of the major digital firms that might use intelligent chatbots like ChatGPT are Amazon, Google, and Apple. They could complement the current solutions or be included in future versions of Alexa, Google Assistant, and Siri.
According to an analysis by cybersecurity company Dr. Web, WordPress-based websites are being targeted by an unidentified Linux malware variant.
Recognized as LinuxBackDoor.WordPressExploit.1, while it can also operate on 64-bit Linux versions, the Trojan favors 32-bit versions. 30 vulnerabilities in numerous outdated WordPress plugins and themes have been used by Linux malware.
Injecting harmful JavaScript into the webpages of websites using the WordPress content management system (CMS) is its primary purpose. The malware may be the malicious instrument that hackers have used for more than three years to perform specific attacks and generate income from the resale of traffic, or arbitrage, based on a study of an unearthed trojan program undertaken by Doctor Web's specialists.
Malicious actors can remotely operate a Trojan by sending its command and control (C&C) server the URL of the site they want to infect. Threat actors can also remotely disable the spyware, turn it off, and stop recording its activities.
The researchers described how the process works, adding that if a plugin or theme vulnerability is exposed, the injection is done so that, irrespective of the original contents of the page, the JavaScript would be launched first when the infected page is loaded. By clicking any part of the compromised website, users will be sent to the attackers' preferred website.
Additionally, it can take advantage of many plugins' flaws, including the Brizy WordPress Plugin, the FV Flowplayer Video Player, and the WordPress Coming Soon Page.
According to Dr. Web, both Trojan variants include unreleased functionality for brute-force hacking the admin access of selected websites. Applying well-known logins and passwords while utilizing specialized vocabulary can accomplish this.
The researchers issued a warning, speculating that hackers may be considering using this feature in further iterations of the malware. Cybercriminals will even be able to effectively attack some of the websites that utilize current plugin versions with patched vulnerabilities.
WordPress is reportedly used by 43% of websites, making it a CMS that cybercriminals aggressively target.WordPress website owners are recommended by Dr. Web to update all parts of their platforms, including any third-party add-ons and themes, and to use secure passwords for their accounts.
A surveillance vendor from Barcelona called Variston IT is believed to deploy spyware on victim devices by compromising various zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of these go back to December 2018.
Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said "their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device."
Variston has a bare-bones website, it claims to provide tailor-made security solutions to its customers, it also makes custom security patches for various types of proprietary systems and assists in the discovery of digital information by law enforcement agencies, besides other services.
Google said "the growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry."
The vulnerabilities, which have been fixed by Google, Microsoft, and Mozilla in 2021 and early 2022, are said to have been used as zero-days to help customers deploy whichever malware they want to, on targeted systems.
Heliconia consists of three components called Noise, Files, and Soft, each of these is responsible for installing exploits against vulnerabilities in Windows, Firefox, and Chrome, respectively.
Noise is designed to exploit a security flaw in the Chrome V8 engine JavaScript that was fixed last year in August 2021, along with an unknown sandbox escape method known as "chrome-sbx-gen" to allow the final payload (also called an agent) to be deployed on select devices.
But the attack works only when the victim accesses a malicious webpage intended to trap the user, and then trigger the first-stage exploit.
Google says it came to know about the Heliconia attack framework after it got an anonymous submission in its Chrome bug reporting program. It further said that currently there's no proof of exploitation, after hinting the toolset has shut down or evolved further.
Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0 days before they were fixed.
Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape
Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit
Files: a set of Firefox exploits for Linux and Windows.
Cryptojacking is becoming a nightmare for customers and enterprises, and threat actors have started using various techniques to deploy cryptojackers on victims' systems. As per recent developments, cybersecurity software developer Bitdefender found a crypto jacking campaign exploiting Microsoft OneDrive vulnerability to get access and run without getting caught on compromised devices.
BitDefender report says:
"OneDrive was specifically chosen in this attack because it permits the actor to achieve easy persistence. Adding OneDrive to startup is an action done by the dropper malware, but even if it did not do so, OneDriveStandaloneUpdater.exe is by default scheduled to execute each day. Of the detections we received, 95.5% came from OneDriveStandaloneUpdater.exe loading the malicious secur32.dll."
From May 1 to July 1, Bitdefender identified around 700 users impacted by the campaign. The campaign operates using four cryptocurrency mining algorithms- Ton, XMR, Ethash, and Etchash. It makes an average of $13 worth of cryptocurrency per compromised device.
Cryptojacking is an unauthenticated exploit of computer manufacture for mining cryptocurrency. The threat actors in the recent cryptojacking campaign used a DLL sideloading vulnerability in OneDrive by writing a fake secur32.dll file. After the file is loaded into the OneDrive process, the fake secur32.dll will download open-source cryptocurrency mining software and install it into genuine Windows processes.
Sideloading is basically installing a code that has not been approved for running on a system by the developer of the machine's operating system. DLL files are a combination of small programs having instructions that can assist a larger program finish non-core tasks of the original program.
Meanwhile, the OneDrive sideloading campaign is used only in cryptojacking, DLL side-loading is also used for the deployment of ransomware or spyware. Besides this, as cryptocurrency minutes are resource-sensitive, the victims can instantly see falling CPU and GPU performance, increased energy consumption, and overheating, these issues can ruin expensive hardware.
OneDrive, by default, is set to reboot on a daily basis, and the threat actors behind the latest cryptojacking campaign were found to run the OneDrive.exe process to run after a reboot, even if the user shuts it down. The attackers use this method to gain persistence. In 95% (estimated) of the findings, the scheduled reboot was found to deploy the infected secur32.dll.
"Given that the “per machine” installation method may not be suitable for all environments and privilege levels, user caution should be one of the strongest lines of defense against commodity malware. Bitdefender recommends that users ensure their AVs and operating systems are up to date, to avoid cracked software and game cheats, and to download software from trusted locations only"-Bitdefender report.