Cyber Threat Report: 'Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices'

This report from Recorded Future's Insikt Group describes recent TTPs and infrastructure used for the deployment of the Predator spyware. Predator is a sophisticated and invasive spyware product designed for mobile devices, sold by the Intellexa alliance to government customers for counterterrorism and law enforcement purposes. Predator has been used to target civil society groups, such as journalists, activists, and politicians, in various countries, raising ethical and legal concerns. The report outlines the use of a multi-tiered network architecture to deliver spyware to target devices, using spoofed domains, upstream servers, and customer infrastructure. In this report, Insikt Group identify new Predator delivery servers and domains, as well as likely Predator customers in at least eleven countries, some of which were previously unknown.

Pre-compromise

This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Exploit Protection

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Application Isolation and Sandboxing

Restrict execution of code to a virtual environment on or in transit to an endpoint system.