Predator spyware infrastructure has resurfaced after sanctions, with modifications designed to evade detection and anonymize users, posing renewed privacy and security risks for high-profile individuals. Insikt Group findings indicate new evasion tactics and a multi-tier delivery system, while regulation lags behind the evolving threat.
Read more: #PredatorSpyware #Intellexa #InsiktGroup #DRC #Angola #Spearphishing #ZeroClick
Keypoints
- Predator activity declined after US government sanctions but has resurfaced with enhanced infrastructure.
- New evasion tactics complicate tracking and attribution of Predator’s activities.
- High-profile targets, including politicians and executives, remain at significant risk.
- Best defense practices include regular software updates, regular device reboots (Predator is typically non-persistent and does not survive a restart), lockdown mode, and mobile device management.
- Security awareness training remains a crucial defense component against spearphishing and social engineering.
- Global regulatory efforts are ongoing but may not keep pace with the evolving spyware market.
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains – Used to acquire domains for malicious activities.
- [T1583.003] Acquire Infrastructure: Virtual Private Server – Utilizes virtual private servers to host malicious infrastructure.
- [T1583.004] Acquire Infrastructure: Server – Acquisition of servers for operational purposes.
- [T1566.002] Phishing: Spearphishing Link – Employs spearphishing links to gain initial access.
Indicators of Compromise
- [Domains] Predator-related domains identified in Appendix A – happytotstoys[.]com, holidaypriceguide[.]com, and 6 more domains
- [IP Addresses] Predator-associated IPs identified in Appendix A – 169.239.129[.]76, 185.123.102[.]40, and 6 more IPs
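The indicators above are defanged (`[.]`), so they cannot be grepped for directly. The following is an added example, not code from the Insikt Group report: it refangs the two domains and two IPs quoted on this page (the "6 more" of each kind from Appendix A are not reproduced here), then scans constructed dnsmasq- and squid-style log lines for them, matching domains on label boundaries so that a look-alike such as `notholidaypriceguide.com` is not flagged.

```python
"""Match DNS / proxy log lines against the defanged Predator IoCs above.
Added example, not part of the Insikt Group report; the log lines are
constructed, and only the indicators quoted on this page are used."""
import ipaddress
import re

# Indicators as quoted on this page (defanged with [.]); the "6 more" of
# each kind from Appendix A are not reproduced here.
DEFANGED_DOMAINS = ["happytotstoys[.]com", "holidaypriceguide[.]com"]
DEFANGED_IPS = ["169.239.129[.]76", "185.123.102[.]40"]


def refang(indicator: str) -> str:
    """Turn '[.]' / '(.)' / 'hxxp' style defanging back into a live value."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Constructed sample lines: dnsmasq-style query log and squid-style proxy lines.
SAMPLE_LOG = """\
Jun 10 09:12:01 gw dnsmasq[512]: query[A] cdn.holidaypriceguide.com from 10.0.0.23
Jun 10 09:12:01 gw dnsmasq[512]: reply cdn.holidaypriceguide.com is 185.123.102.40
Jun 10 09:13:44 gw dnsmasq[512]: query[A] www.example.org from 10.0.0.23
1717999001.123 10.0.0.31 TCP_TUNNEL/200 4096 CONNECT 169.239.129.76:443 - HIER_DIRECT/169.239.129.76 -
1717999002.456 10.0.0.31 TCP_MISS/200 1024 GET http://notholidaypriceguide.com/ - HIER_DIRECT/93.184.216.34 -
"""

# Hostnames end in an alphabetic TLD, so dotted IPs are not picked up here.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_matches(host: str) -> bool:
    """True if host equals an IoC domain or is a subdomain of one.
    A substring check would also flag 'notholidaypriceguide.com',
    so compare on label boundaries."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def scan(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, matched_indicator, line) for every hit.
    Each indicator is reported once per line even if it appears twice."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        seen = set()
        for host in HOST_RE.findall(line):
            if domain_matches(host):
                seen.add(host.lower())
        for ip in IP_RE.findall(line):
            try:
                if ipaddress.ip_address(ip) in IPS:
                    seen.add(ip)
            except ValueError:  # e.g. "999.1.1.1" is not a valid address
                continue
        for indicator in sorted(seen):
            hits.append((n, indicator, line))
    return hits


if __name__ == "__main__":
    for n, indicator, line in scan(SAMPLE_LOG):
        print(f"line {n}: {indicator}: {line}")
```

Feed real dnsmasq, BIND or proxy logs to `scan()` after extending the two indicator lists with the rest of Appendix A; the DNS `reply` line in the sample shows why resolved-IP matching matters even when the queried name is a subdomain of a listed domain.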