Egyptian exiles targeted with Predator spyware resembling NSO Group's Pegasus
A high-profile politician and journalist have been targeted with spyware likely spread using WhatsApp messages


A new strain of spyware targeting high-profile exiled politicians and journalists has been discovered by the same organisation that investigated and alerted the world to NSO Group's Pegasus tool.
Two Egyptian exiles, a politician and a journalist, were found to have had their Apple iPhones infected with Predator spyware in June 2021, following an inspection by Citizen Lab.
Predator is regarded as being a program with similar capabilities to NSO Group's Pegasus, which was used to target figures such as journalist and Saudi critic Jamal Khashoggi.
Predator is built and sold by North Macedonian startup Cytrox, which Citizen Lab researchers believe has a number of government clients across Africa, Eastern Europe, and the Middle East. It's also thought to have private customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.
The Predator spyware offers similar surveillance capabilities to Pegasus but is less technical in its exploitation approach. Rather than utilising an undisclosed zero-day vulnerability in iOS, it relies on a phishing-like attack framework in which links sent via WhatsApp messages lead to one-click infections.
An iPhone belonging to Ayman Nour, former Egyptian presidential candidate and president of the Egyptian political opposition group Union of the Egyptian National Forces, was found in June 2021 to be infected with both Predator and Pegasus spyware at the same time, with the hacks conducted by two separate government clients.
Citizen Lab believes with medium-to-high confidence the Predator attacks on both Egyptian exiles were ordered by the Egyptian government as a Cytrox customer.
Nour's iPhone is said to have been repeatedly attacked with Pegasus spyware since March 2021 using the NSO Group's iOS zero-day FORCEDEXPLOIT. Phone logs also showed a number of processes related to Predator spyware running on the device, with researchers concluding that clicking on links sent to Nour via WhatsApp from an Egyptian number purporting to be a Dr Rania Shhab led to the phone being infected with Predator.
Nour was first alerted to the possibility of a hack when he noticed his phone running unusually hot - an indicator which later revealed two separate surveillance tools running at the same time.
The second target, an exiled Egyptian journalist who wished to remain anonymous, received similar texts from a number purporting to be an assistant editor at the Al Masry Al Youm newspaper.
Citizen Lab was only able to obtain samples of Predator's loader, not the entire exploit, which it believes remains active in the wild. The organisation's analysis showed Predator persists on iOS even after rebooting, using Apple's automation feature.
From its initial inspection in June 2021, Citizen Lab said the spyware was able to infect the then-latest iOS version (version 14.6) but it's unclear if the current version of Apple's mobile operating system is vulnerable too. IT Pro contacted Apple for clarity but it did not reply in time for publication, though it told Citizen Lab it was investigating the issue.
Cytrox is believed to be part of Intellexa, a collective of spyware groups formed to compete with the now-financially struggling NSO Group. Intellexa describes itself as EU-based and regulated with six sites and R&D labs throughout Europe, Citizen Lab said.
Knowledge of the 'spyware alliance' is "murky at best", Citizen Lab said, but it's thought the group was formed in 2019 and now operates out of Greece after first basing itself in Cyprus.
Meta released a report following Citizen Lab's findings announcing it was taking action against surveillance-for-hire groups. Cytrox, along with others unrelated to Intellexa, was specifically named in the report. Meta had already banned and sued NSO Group in 2019 for its surveillance programme.
Pages belonging to a total of seven companies known for surveilling others using a mercenary business model have been banned by Meta, and it has also alerted around 50,000 individuals it believes may have been targeted by the companies.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.