Cytrox’s Predator spyware used zero-day exploits in 3 campaigns


Google’s Threat Analysis Group (TAG) uncovered campaigns targeting Android users with five zero-day vulnerabilities.

Google’s Threat Analysis Group (TAG) researchers discovered three campaigns, between August and October 2021, targeting Android users with five zero-day vulnerabilities.

More TAG research from @_clem1 & @0xbadcafe1

Campaigns targeting Android users with five 0-day vulnerabilities. We assess the exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different govt-backed actors. https://t.co/wRKpCuIB8c

— Shane Huntley (@ShaneHuntley) May 19, 2022

The attacks aimed at installing the surveillance spyware Predator, developed by the North Macedonian firm Cytrox.

The five 0-day vulnerabilities exploited by the attackers were:

CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003 in Chrome;
CVE-2021-1048 in Android.

Below are the three campaigns documented by Google TAG, and the flaws each one exploited:

Campaign #1 – redirecting to SBrowser from Chrome (CVE-2021-38000)
Campaign #2 – Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976)
Campaign #3 – full Android 0-day exploit chain (CVE-2021-38003, CVE-2021-1048)

According to Google, the exploits were packaged into Cytrox’s commercial surveillance spyware, which is sold to different government-backed actors, including actors in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia.

“The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem.” reads the advisory published by Google. “Seven of the nine 0-days TAG discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.”
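The n-day window Google describes is something a practitioner can check for directly: compare the Chrome build and the Android security patch level on a device against the builds that closed these bugs. The script below is an added example, not code from Google TAG or from the campaigns; the fixed-version table is what I recall from the Chrome Releases blog and the November 2021 Android Security Bulletin and should be verified against those sources before it is relied on. The `dumpsys`/`getprop` output it parses is constructed sample input; on a real device it would come from `adb shell dumpsys package com.android.chrome` and `adb shell getprop ro.build.version.security_patch`.

```python
"""Triage check: is a device still inside the patch-to-deployment window for
the five bugs used by the Predator campaigns?  Added example, not Google TAG's
or Cytrox's code."""
import re

# Assumption: first stable Chrome build carrying each fix. Verify against the
# Chrome Releases blog before relying on these values.
CHROME_FIXED = {
    "CVE-2021-37973": "94.0.4606.61",
    "CVE-2021-37976": "94.0.4606.71",
    "CVE-2021-38000": "95.0.4638.69",
    "CVE-2021-38003": "95.0.4638.69",
}
# Assumption: Android security patch level that closes CVE-2021-1048
# (November 2021 bulletin). Verify against the bulletin.
ANDROID_FIXED = {"CVE-2021-1048": "2021-11-05"}

# Constructed sample output, shaped like `dumpsys package com.android.chrome`.
SAMPLE_DUMPSYS = """Package [com.android.chrome] (3a1f2c9):
    userId=10123
    versionCode=460605000 minSdk=24 targetSdk=31
    versionName=94.0.4606.50
    splits=[base, chrome]
"""
# Constructed sample output of `getprop ro.build.version.security_patch`.
SAMPLE_PATCH_LEVEL = "2021-10-05\n"


def parse_version(v):
    """'94.0.4606.50' -> (94, 0, 4606, 50) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def chrome_version_from_dumpsys(text):
    """Pull the dotted versionName out of dumpsys output, or None."""
    m = re.search(r"versionName=(\d+(?:\.\d+)+)", text)
    return m.group(1) if m else None


def patch_level_from_getprop(text):
    """Pull the YYYY-MM-DD security patch level out of getprop output, or None."""
    m = re.search(r"\d{4}-\d{2}-\d{2}", text)
    return m.group(0) if m else None


def exposed_cves(chrome_version, patch_level):
    """Return the CVEs from this chain the device is still exposed to."""
    hits = []
    if chrome_version:
        cv = parse_version(chrome_version)
        for cve, fixed in CHROME_FIXED.items():
            if cv < parse_version(fixed):
                hits.append(cve)
    if patch_level:
        for cve, fixed in ANDROID_FIXED.items():
            # ISO dates compare correctly as strings.
            if patch_level < fixed:
                hits.append(cve)
    return hits


def triage(dumpsys_text, getprop_text):
    """Parse both command outputs and report the exposed CVEs."""
    return exposed_cves(chrome_version_from_dumpsys(dumpsys_text),
                        patch_level_from_getprop(getprop_text))


if __name__ == "__main__":
    for cve in triage(SAMPLE_DUMPSYS, SAMPLE_PATCH_LEVEL):
        print("EXPOSED:", cve)
```

Two caveats follow from the campaign list itself: Campaign #1 bounced the victim from Chrome into SBrowser, so Samsung Internet, which ships its own Chromium build, needs the same comparison against its own version string; and a current patch level only tells you the fix is present, not whether the OEM's kernel actually carries it.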

In December 2021, Citizen Lab published a report in which its researchers detailed the use of Predator against exiled Egyptian politician Ayman Nour and the host of a popular news program.

The disconcerting aspect of those attacks was that Ayman Nour’s phone was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different government clients.

The campaigns uncovered by Google TAG targeted a limited number of users. In all three, the attackers emailed the targets one-time links mimicking URL shortener services.

Clicking the link redirected the victim to an attacker-controlled domain that delivered the exploits and then sent the browser on to a legitimate website.

The exploits were used to first deliver ALIEN, a small piece of Android malware that acts as a loader for the PREDATOR implant.

“ALIEN lives inside multiple privileged processes and receives commands from PREDATOR over IPC. These commands include recording audio, adding CA certificates, and hiding apps.” continues the report.




Pierluigi Paganini

(SecurityAffairs – hacking, Predator)
