Analysts at the Google Threat Analysis Group (TAG) have discovered that government hackers use five zero-day vulnerabilities at once to install the Predator spyware, created by commercial spyware developer Cytrox.
The researchers say they recorded three campaigns between August and October 2021. In these attacks, the attackers used 0-day exploits targeting Chrome and Android, and the attacks worked even on fully updated Android devices. The researchers attribute these vulnerabilities and their exploitation to Cytrox, based in North Macedonia, “with a high degree of confidence”.
According to TAG, government hackers purchased and used these exploits to infect Android devices with spyware in Egypt, Armenia, Greece, Madagascar, Cote d’Ivoire, Serbia, Spain and Indonesia.
The following vulnerabilities were used to distribute Predator:
- CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003 in Chrome;
- CVE-2021-1048 in Android.
Exploits for these problems were used in three separate campaigns:
- campaign #1 – redirect to SBrowser from Chrome (CVE-2021-38000);
- campaign #2 – Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976);
- campaign #3 – a chain of 0-day exploits for Android (CVE-2021-38003, CVE-2021-1048).
The attackers’ ultimate goal was to deliver the Alien RAT malware, which was then used to download Predator onto infected devices. Alien received commands from Predator over an IPC mechanism and could record audio, add CA certificates, and hide applications to avoid detection.