Predator Still Active, with New Client and Corporate Links Identified

Predator spyware operations continue despite sanctions and public exposure, with a resurgence noted including a new operator in Mozambique. The spyware’s infrastructure involves multi-tiered, evasive tactics linked to known Predator operators and a Czech entity associated with the Intellexa Consortium. #Predator #Intellexa #Mozambique

Key points

  • Predator spyware activity has persisted and resurged following US sanctions and international exposure.
  • New Predator infrastructure includes victim-facing Tier 1 servers and high-tier components linked to operators in various countries, including Mozambique.
  • Operators have implemented detection evasion tactics such as multi-tiered infrastructure and varied server configurations.
  • Predator targets high-value individuals, including politicians and corporate executives, with both “1-click” and “zero-click” attack vectors.
  • A Czech company, FoxITech s.r.o., has been technically linked to Predator infrastructure and Intellexa Consortium affiliations.
  • Predator activity has been detected in over a dozen countries, notably expanding its presence in Africa.
  • Recommended defenses include separating personal and work devices, keeping devices and apps updated, rebooting devices regularly, enabling lockdown modes (such as Apple's Lockdown Mode) on high-risk devices, and managing fleets through a mobile device management (MDM) system.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – Predator operators register domains for payload delivery and exploitation. (“…domains often impersonated specific organizations and shifted to random English words to evade detection.”)
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – Tier 2 servers function as anonymization points in Predator’s multi-tier network. (“…Tier 1 servers communicate with Tier 2 upstream VPS IP addresses using TCP port 10514.”)
  • [T1583.004] Acquire Infrastructure: Server – Predator leverages a sophisticated multi-tiered infrastructure involving Tier 1 through Tier 5 servers. (“…multi-tiered infrastructure network described with an added fourth layer for obfuscation.”)
  • [T1566.002] Spearphishing Link – "1-click" attacks deliver a malicious link through a social-engineering message and rely on the target opening it. ("…'1-click' attacks rely on social engineering messages with malicious links…")
  • [T1203] Exploitation for Client Execution – Both the "1-click" and the "zero-click" vectors exploit client software on the device to run the spyware; once installed, Predator's Python-based modular design lets operators add capabilities remotely without exploiting the device again. ("…modular design based on Python allows remote feature introduction without re-exploit.")

Indicators of Compromise

  • [Domains] Predator infrastructure domains used for payload delivery and impersonation – canylane[.]com, flickerxxx[.]com, noticiafresca[.]net, and over 80 more domains from Appendix A and B.
  • [IP Addresses] IPs associated with Predator servers spanning victim and high-tier roles – 169.239.128.42, 169.239.129.57, 45.86.163.182, and others listed in Appendices A and B.
  • [ASNs] Autonomous System Numbers hosting Predator infrastructure – AS61138, AS20473, AS42708, among others noted with changing hosting patterns.
  • [Email Addresses] Associated with Czech entity FoxITech s.r.o. and linked companies – emails from Shilo s.r.o. and Bender ONE s.r.o. domains.
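The indicators above are published defanged, and the infrastructure description earlier on the page (Tier 1 servers reaching Tier 2 VPS addresses on TCP port 10514) suggests a second, behavioural hunt. The following script is an added example, not code from Recorded Future or the report: it refangs the page's sample domains and IPs, then runs both checks over constructed Zeek-style conn and dns records. The log column layout, the internal address ranges, and every sample record are assumptions made for the example; the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges used as non-indicator traffic.

```python
"""Hunt for Predator indicators and the Tier1->Tier2 port pattern in Zeek-like logs.

Added example. Indicators are the ones published on this page; the log layout
(a whitespace-separated subset of Zeek conn.log / dns.log fields) and the
sample records below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Indicators as published on the page (defanged).
PREDATOR_DOMAINS_DEFANGED = ["canylane[.]com", "flickerxxx[.]com", "noticiafresca[.]net"]
PREDATOR_IPS = ["169.239.128.42", "169.239.129.57", "45.86.163.182"]

# Tier 1 -> Tier 2 upstream channel uses TCP/10514 per the report.
TIER2_UPSTREAM_PORT = 10514

# Assumed internal ranges for this example; adapt to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def refang(ioc: str) -> str:
    """Reverse common defanging so an indicator can be compared with live logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .lower())


DOMAIN_IOCS = {refang(d) for d in PREDATOR_DOMAINS_DEFANGED}
IP_IOCS = {ipaddress.ip_address(ip) for ip in PREDATOR_IPS}


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    reason: str
    indicator: str


def domain_matches(query: str) -> Optional[str]:
    """Return the IOC domain if query equals it or is a subdomain of it."""
    q = query.lower().rstrip(".")          # tolerate a trailing root dot
    for dom in DOMAIN_IOCS:
        if q == dom or q.endswith("." + dom):
            return dom
    return None


def check_dns(line: str) -> Optional[Alert]:
    # Constructed layout: ts id.orig_h query
    ts, src, query = line.split()
    hit = domain_matches(query)
    return Alert(ts, src, "dns_ioc_domain", hit) if hit else None


def check_conn(line: str) -> Optional[Alert]:
    # Constructed layout: ts id.orig_h id.resp_h id.resp_p proto
    ts, src, dst, dport, proto = line.split()
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in IP_IOCS:
        return Alert(ts, src, "conn_ioc_ip", dst)
    # Tier1->Tier2 pattern: TCP/10514 to an address outside our internal ranges.
    # Victim devices do not talk to Tier 2, so this fires in hosting or upstream
    # telemetry rather than on endpoints; internal syslog on 10514 is excluded.
    external = not any(dst_ip in net for net in INTERNAL_NETS)
    if proto == "tcp" and int(dport) == TIER2_UPSTREAM_PORT and external:
        return Alert(ts, src, "tier2_upstream_port", f"{dst}:{dport}")
    return None


def hunt(conn_log: str, dns_log: str) -> list[Alert]:
    """Run both checks; DNS hits first, then connection hits, in log order."""
    alerts: list[Alert] = []
    for line in dns_log.splitlines():
        if line.strip():
            hit = check_dns(line)
            if hit:
                alerts.append(hit)
    for line in conn_log.splitlines():
        if line.strip():
            hit = check_conn(line)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample logs (not real captures).
CONN_LOG = """\
1715000001.100 10.0.0.5 169.239.128.42 443 tcp
1715000002.200 10.0.0.5 203.0.113.10 443 tcp
1715000003.300 169.239.129.57 198.51.100.20 10514 tcp
1715000004.400 10.0.0.7 10.0.0.8 10514 tcp
1715000005.500 10.0.0.7 203.0.113.11 10514 udp
"""

DNS_LOG = """\
1715000001.000 10.0.0.5 cdn.canylane.com
1715000001.500 10.0.0.5 www.example.com
1715000002.000 10.0.0.9 noticiafresca.net.
1715000002.500 10.0.0.9 notcanylane.com
"""

if __name__ == "__main__":
    for alert in hunt(CONN_LOG, DNS_LOG):
        print(alert)
```

Run against the sample records, the hunt raises four alerts: two DNS hits (a subdomain of canylane.com and the bare noticiafresca.net), one connection to a published IP, and one TCP/10514 connection from a published Tier 1 address to an external host. The look-alike notcanylane.com, the internal 10514 flow and the UDP 10514 flow are correctly ignored. The port check is deliberately loose, so treat it as a pivot for hosting-side or netflow data rather than as a high-confidence endpoint signature; the report itself notes the operators vary server configurations to evade exactly this kind of fingerprinting.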

Read more: https://www.recordedfuture.com/research/predator-still-active-new-links-identified