Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices

逆向病毒分析 8个月前 admin

87 0 0

New research from Recorded Future’s Insikt Group examines newly discovered infrastructure related to the operators of Predator, a mercenary mobile spyware. This infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Notably, this is the first identification of Predator customers in Botswana and the Philippines. Despite being marketed for counterterrorism and law enforcement, Predator is often used against civil society, targeting journalists, politicians, and activists, with no specific victims or targets currently identified in this latest activity.
Recorded Future 的 Insikt Group 的新研究检查了新发现的与雇佣移动间谍软件 Predator 运营商相关的基础设施。据信，该基础设施至少在 11 个国家投入使用，包括安哥拉、亚美尼亚、博茨瓦纳、埃及、印度尼西亚、哈萨克斯坦、蒙古、阿曼、菲律宾、沙特阿拉伯以及特立尼达和多巴哥。值得注意的是，这是首次识别博茨瓦纳和菲律宾的 Predator 客户。尽管“捕食者”的营销目的是反恐和执法，但它经常被用来针对民间社会，以记者、政治家和活动家为目标，目前在这一最新活动中尚未确定具体的受害者或目标。

Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices Multi-tier Predator delivery network architecture (Source: Recorded Future)
多层 Predator 交付网络架构（来源：Recorded Future）

Understanding Risks and Implementing Security Best Practices
了解风险并实施安全最佳实践

The use of spyware like Predator poses significant risks to privacy, legality, and physical safety, especially when used outside serious crime and counterterrorism contexts. High-profile individuals, such as executives, are at greater risk due to the high costs of deploying such spyware. The European Union has recently taken steps to curb the abuse of mercenary spyware among its member states.
使用 Predator 等间谍软件会给隐私、合法性和人身安全带来重大风险，特别是在严重犯罪和反恐环境之外使用时。由于部署此类间谍软件的成本高昂，高管等知名人士面临更大的风险。欧盟最近采取措施遏制其成员国滥用雇佣兵间谍软件。

To mitigate these risks, organizations and individuals are advised to follow security best practices such as regular phone updates, device reboots, lockdown mode, Mobile Device Management systems, and separating personal from corporate devices. Security awareness training and minimal data exposure culture are also crucial. Long-term solutions include conducting risk assessments for developing dynamic security policies. As the mercenary spyware market expands, the risks extend beyond civil society to anyone of interest to entities with access to these tools. Innovations in this field are likely to lead to more stealthy and comprehensive spyware capabilities.
为了减轻这些风险，建议组织和个人遵循安全最佳实践，例如定期电话更新、设备重新启动、锁定模式、移动设备管理系统以及将个人设备与公司设备分开。安全意识培训和最小化数据暴露文化也至关重要。长期解决方案包括进行风险评估以制定动态安全策略。随着唯利是图的间谍软件市场的扩大，风险不仅限于民间社会，还延伸到任何对能够使用这些工具的实体感兴趣的人。这一领域的创新可能会带来更加隐秘和全面的间谍软件功能。

Key findings from the Insikt Group’s research include the identification of a new multi-tiered Predator delivery infrastructure, with evidence from domain analysis and network intelligence data. Despite public disclosures in September 2023, Predator’s operators have continued their operations with minimal changes. Predator, alongside NSO Group’s Pegasus, remains a leading provider of mercenary spyware, with consistent tactics, techniques, and procedures over time.
Insikt Group 研究的主要发现包括识别新的多层 Predator 交付基础设施，以及域分析和网络情报数据的证据。尽管已于 2023 年 9 月公开披露，Predator 的运营商仍继续运营，且变化极小。 Predator 与 NSO Group 的 Pegasus 一起，仍然是雇佣兵间谍软件的领先提供商，随着时间的推移，其策略、技术和程序保持一致。

To read the entire analysis, click here to download the report as a PDF.
要阅读整个分析，请单击此处下载 PDF 格式的报告。

Indicators of Compromise
妥协指标

Domains: 域名：

IP Addresses: IP 地址：

02s[.]co
06g[.]co
09a[.]co
2-gis[.]kz
astanapark[.]com  阿斯塔纳公园[.]com
beroxe[.]com
buildneeds[.]net  构建需求[.]net
bw-guardian[.]com
cabinet-salyk[.]kz  内阁-salyk[.]kz
centent-management[.]net
中心管理[.]net
clazc[.]com
coazoa[.]com  科索阿[.]com
copy-note[.]net  复制笔记[.]net
corporatebusinesssolution[.]net
企业业务解决方案[.]net
dzhabarzan[.]com
e-kgd[.]kz
ehudaldaa[.]com
escortbabesluxo[.]com
eventnews[.]live  活动新闻[.]直播
fast-notify[.]com  快速通知[.]com
fastnews[.]biz  快新闻[.]biz
fr-monde[.]com
gabzmus[.]com
get-location[.]com  获取位置[.]com
get-location[.]net  获取位置[.]net
highclub[.]life  高级俱乐部[.]生活
informationrank[.]net  信息排名[.]net
jumia-egy[.]com  jumia-埃及[.]com
kapital-news[.]com  资本新闻[.]com
kejoranews[.]net  凯乔拉新闻[.]网
kollesa[.]com  科莱萨[.]com
krisha-kz[.]com
kroal[.]com
ladiesclubhouse[.]com  ladyclubhouse[.]com
lusofonia-mundo[.]com
magnum-kz[.]com
mastershop[.]biz
mb-ph[.]net
mmegi[.]co
msbsck[.]com
mujmbosnoticias[.]com
mundodenoticias[.]online
mundodenoticias[.]在线
myfawry[.]net  myfawry[.]网
nospam[.]kz  无垃圾邮件[.]kz
notify-service[.]biz  通知服务[.]biz
nur-news[.]com
olimpbets[.]kz  奥林匹克贝茨[.]kz
ongsworld[.]com
pelovkin[.]com  佩洛夫金[.]com
people-beeline[.]com
peticaonline[.]comv
plastictoysworld[.]com
plinkypong[.]com
post-notify[.]info  后通知[.]信息
qazsporttv[.]com
rcuples[.]com
rozavetrovv[.]com
schedulefestival[.]com 日程安排节日[.]com
shoxtek[.]com
soccer-bw[.]com  足球-bw[.]com
spacsaver[.]info  spacsaver[.]信息
sportnow[.]news  sportnow[.]新闻
suarapapua[.]co  苏拉巴布亚[.]co
sustanbuild[.]com
thintank[.]co  智库[.]co
tickets-kz[.]com  门票-kz[.]com
tobupmi[.]com
tohna[.]net  托赫纳[.]网
ulstur[.]co  乌尔斯特[.]科
vendaswebs[.]com
vestinfo[.]net  维斯特信息网
vestinfo[.]org  维斯特信息[.]org
vestinfos[.]net  维斯特信息[.]网
vinho-online[.]com
vlast-news[.]com
walatparez[.]com
weekendcool[.]com  周末酷[.]com
yo-um7[.]com  哟-um7[.]com
zakorn[.]com  扎科恩[.]com
zikolo[.]net  齐科洛[.]网
ztb-news[.]com  ztb新闻[.]com

2.58.15[.]58
5.39.221[.]36
5.39.221[.]47
5.39.221[.]48
5.255.88[.]172
23.137.248[.]95
37.120.222[.]115
45.129.0[.]125
45.148.244[.]5
45.86.163[.]77
45.86.163[.]93
46.246.97[.]245
46.249.49[.]230
46.30.190[.]98
79.110.52[.]179
79.110.52[.]196
79.137.199[.]216
79.141.175[.]146
84.247.51[.]14
84.247.51[.]18
85.17.9[.]21
85.17.9[.]73
85.17.9[.]74
85.239.34[.]174
87.121.45[.]29
87.121.45[.]42
87.121.45[.]45
88.119.161[.]135
91.241.93[.]165
95.141.34[.]222
98.142.254[.]112
101.99.75[.]197
141.94.122[.]19
146.70.158[.]144
146.70.161[.]50
158.58.172[.]3
164.215.103[.]143
164.215.103[.]20
169.239.128[.]137
169.239.129[.]48
169.239.129[.]63
169.239.129[.]76
169.255.59[.]98
176.124.198[.]52
176.124.198[.]55
185.113.8[.]67
185.113.8[.]83
185.117.91[.]165
185.117.91[.]237
185.130.227[.]29
185.130.227[.]88
185.130.227[.]95
185.130.45[.]34
185.130.46[.]165
185.130.46[.]202
185.156.172[.]17
185.156.172[.]20
185.156.172[.]48
185.158.248[.]131
185.158.248[.]85
185.196.9[.]76
185.212.47[.]75
185.219.220[.]99
185.219.221[.]30
185.62.58[.]107
185.66.140[.]112
192.46.237[.]163
193.168.143[.]111
193.168.143[.]116
193.168.143[.]184
193.168.143[.]185
193.233.161[.]137
193.233.161[.]163
193.29.104[.]13
193.29.104[.]5
193.29.104[.]83
193.29.59[.]171
193.42.36[.]106
193.42.36[.]84
212.237.217[.]127
213.252.246[.]152

Predator Delivery Servers
Predator 交付服务器

Domain 领域	IP Address IP地址	First Seen 第一次看到	Last Seen 最后一次露面
06g[.]co	185.130.227[.]29	2023-12-22	2024-02-21
02s[.]co	185.130.227[.]95	2023-12-22	2024-02-21
spacsaver[.]info spacsaver[.]信息	45.148.244[.]5	2023-11-30	2024-02-20
09a[.]co	5.39.221[.]36	2023-12-22	2024-02-21
ongsworld[.]com	146.70.158[.]144	2023-11-16	2024-02-21
fr-monde[.]com	169.239.129[.]76	2023-12-15	2024-02-20
lusofonia-mundo[.]com	169.239.129[.]63	2023-12-15	2024-02-17
ladiesclubhouse[.]com ladyclubhouse[.]com	169.239.129[.]48	2023-12-15	2024-02-18
vinho-online[.]com	169.239.128[.]137	2023-12-15	2024-02-17
vendaswebs[.]com	185.158.248[.]131	2023-11-16	2024-02-17
mundodenoticias[.]online mundodenoticias[.]在线	185.196.9[.]76	2023-11-16	2024-02-17
mujmbosnoticias[.]com	185.212.47[.]75	2023-11-02	2024-02-21
soccer-bw[.]com 足球-bw[.]com	185.130.46[.]165	2023-11-22	2024-02-17
mmegi[.]co	45.129.0[.]125	2023-11-22	2024-02-16
bw-guardian[.]com	95.141.34[.]222	2023-11-19	2024-02-17
yo-um7[.]com 哟-um7[.]com	185.130.46[.]202	2023-11-29	2024-02-17
sustanbuild[.]com	193.29.104[.]5	2023-11-25	2024-02-17
myfawry[.]net myfawry[.]网	2.58.15[.]58	2023-12-14	2024-02-20
jumia-egy[.]com jumia-埃及[.]com	79.110.52[.]196	2023-12-14	2024-02-17
suarapapua[.]co 苏拉巴布亚[.]co	158.58.172[.]3	2023-12-01	2024-01-29
kejoranews[.]net 凯乔拉新闻[.]网	185.158.248[.]85	2023-12-07	2024-02-15
nospam[.]kz 无垃圾邮件[.]kz	176.124.198[.]52	2023-12-28	2024-02-13
olimpbets[.]kz 奥林匹克贝茨[.]kz	176.124.198[.]55	2023-12-28	2024-02-13
vlast-news[.]com	185.156.172[.]20	2023-12-08	2024-02-16
ztb-news[.]com ztb新闻[.]com	185.156.172[.]17	2023-12-08	2024-02-17
cabinet-salyk[.]kz 内阁-salyk[.]kz	185.156.172[.]48	2023-12-15	2024-02-21
zikolo[.]net 齐科洛[.]网	193.168.143[.]116	2023-11-11	2024-02-14
magnum-kz[.]com	45.86.163[.]93	2023-12-08	2024-02-20
tickets-kz[.]com 门票-kz[.]com	45.86.163[.]77	2023-12-10	2024-02-17
people-beeline[.]com	5.39.221[.]47	2023-12-14	2024-02-17
rozavetrovv[.]com	5.39.221[.]48	2023-12-14	2024-02-17
2-gis[.]kz	79.137.199[.]216	2023-12-28	2024-02-20
e-kgd[.]kz	85.17.9[.]21	2023-12-15	2024-02-17
kapital-news[.]com 资本新闻[.]com	85.17.9[.]73	2023-12-14	2024-02-19
nur-news[.]com	85.17.9[.]74	2023-12-14	2024-02-21
astanapark[.]com 阿斯塔纳公园[.]com	87.121.45[.]42	2023-12-11	2024-02-16
krisha-kz[.]com	88.119.161[.]135	2023-11-26	2024-02-17
ehudaldaa[.]com	84.247.51[.]14	2023-12-23	2024-02-20
ulstur[.]co 乌尔斯特[.]科	84.247.51[.]18	2023-12-25	2024-02-20
mb-ph[.]net	193.42.36[.]106	2023-12-07	2024-02-21
buildneeds[.]net 构建需求[.]net	141.94.122[.]19	2023-11-21	2024-02-17
sportnow[.]news sportnow[.]新闻	185.113.8[.]67	2023-11-11	2024-02-19
corporatebusinesssolution[.]net 企业业务解决方案[.]net	193.168.143[.]184	2023-11-25	2024-02-09
informationrank[.]net 信息排名[.]net	193.168.143[.]185	2023-11-25	2024-02-17
centent-management[.]net 中心管理[.]net	193.29.59[.]171	2023-11-21	2024-02-09
highclub[.]life 高级俱乐部[.]生活	46.249.49[.]230	2023-11-11	2024-02-21
vestinfos[.]net 维斯特信息[.]网	185.130.45[.]34	2023-12-22	2024-02-09
get-location[.]net 获取位置[.]net	46.246.97[.]245	2023-12-21	2024-02-08
vestinfo[.]org 维斯特信息[.]org	79.141.175[.]146	2023-12-22	2023-12-22
eventnews[.]live 活动新闻[.]直播	185.219.221[.]30	2023-12-04	2024-02-08
get-location[.]com 获取位置[.]com	192.46.237[.]163	2023-12-04	2024-02-20
vestinfo[.]net 维斯特信息网	87.121.45[.]29	2023-12-04	2024-02-17
thintank[.]co 智库[.]co	5.255.88[.]172	2023-10-25	2024-01-20
fastnews[.]biz 快新闻[.]biz	101.99.75[.]197	2023-11-17	2024-02-18
plinkypong[.]com	146.70.161[.]50	2023-11-29	2024-02-17
peticaonline[.]com	164.215.103[.]143	2023-11-27	2024-02-17
escortbabesluxo[.]com	164.215.103[.]20	2023-11-03	2024-02-13
coazoa[.]com 科索阿[.]com	169.255.59[.]98	2023-11-01	2024-02-19
weekendcool[.]com 周末酷[.]com	185.113.8[.]83	2023-11-18	2024-02-14
qazsporttv[.]com	185.117.91[.]237	2023-12-14	2024-02-17
pelovkin[.]com 佩洛夫金[.]com	185.117.91[.]165	2023-11-29	2024-02-14
plastictoysworld[.]com	185.130.227[.]88	2023-11-28	2024-02-17
tohna[.]net 托赫纳[.]网	185.219.220[.]99	2023-11-02	2024-02-10
notify-service[.]biz 通知服务[.]biz	185.62.58[.]107	2023-11-16	2024-02-01
copy-note[.]net 复制笔记[.]net	185.66.140[.]112	2023-11-29	2024-01-31
zakorn[.]com 扎科恩[.]com	193.168.143[.]111	2023-11-10	2024-02-17
walatparez[.]com	193.233.161[.]137	2023-12-09	2024-02-17
tobupmi[.]com	193.233.161[.]163	2023-11-14	2024-02-16
gabzmus[.]com	193.29.104[.]13	2023-11-14	2024-02-17
msbsck[.]com	193.29.104[.]83	2023-11-16	2024-02-17
mastershop[.]biz	193.42.36[.]84	2023-11-17	2024-02-11
kollesa[.]com 科莱萨[.]com	212.237.217[.]127	2023-11-10	2024-02-17
schedulefestival[.]com 日程安排节日[.]com	213.252.246[.]152	2023-11-16	2024-02-18
post-notify[.]info 后通知[.]信息	23.137.248[.]95	2023-11-17	2024-02-17
dzhabarzan[.]com	37.120.222[.]115	2023-12-08	2024-02-21
shoxtek[.]com	46.30.190[.]98	2023-11-23	2024-02-12
fast-notify[.]com 快速通知[.]com	79.110.52[.]179	2023-12-09	2024-02-19
clazc[.]com	85.239.34[.]174	2023-11-24	2024-02-17
beroxe[.]com	87.121.45[.]45	2023-12-09	2024-02-21
kroal[.]com	91.241.93[.]165	2023-12-08	2024-02-19
rcuples[.]com	98.142.254[.]112	2023-11-28	2024-02-02

MITRE ATT&CK TTPs MITRE ATT&CK TTP

Tactic: Technique 战术：技术	ATT&CK Code 攻击&CK代码
Resource Development: Acquire Infrastructure: Domains 资源开发：获取基础设施：域	T1583.001
Resource Development: Acquire Infrastructure: Virtual Private Server 资源开发：获取基础设施：虚拟专用服务器	T1583.003
Resource Development: Acquire Infrastructure: Server 资源开发：获取基础设施：服务器	T1583.004
Initial Access: Spearphishing Link 初始访问：鱼叉式网络钓鱼链接	T1566.002
Execution: Exploitation for Client Execution 执行：利用客户端执行	T1203