Intellexa Leaks Reveal Zero-days And Ads-based Vector For Predator...

A human rights lawyer from Pakistan's Balochistan province received a suspicious link on WhatsApp from an unknown number, marking the first time a civil society member in the country was targeted by Intellexa's Predator spyware, Amnesty International said in a report.

The link, the non-profit organization said, is a "Predator attack attempt based on the technical behaviour of the infection server, and on specific characteristics of the one-time infection link which were consistent with previously observed Predator 1-click links." Pakistan has dismissed the allegations, stating "there is not an iota of truth in it."

The findings come from a new joint investigation published in collaboration with Israeli newspaper Haaretz, Greek news site Inside Story, and Swiss tech site Inside IT. It's based on documents and other materials leaked from the company, including internal documents, sales and marketing material, and training videos.

Intellexa is the maker of a mercenary spyware tool called Predator that, similar to NSO Group's Pegasus, can covertly harvest sensitive data from targets' Android and iOS devices without their knowledge. The leaks show that Predator has also been marketed as Helios, Nova, Green Arrow, and Red Arrow.

Often, this involves using different initial access vectors like messaging platforms that weaponize previously undisclosed flaws to stealthily install the spyware either via a zero-click or 1-click approach. The attack, therefore, requires a malicious link to be opened in the target's phone in order to trigger the infection.

Should the victim end up clicking the booby-trapped link, a browser exploit for Google Chrome (on Android) or Apple Safari (on iOS) is loaded to gain initial access to the device and download the main spyware payload. According to data from Google Threat Intelligence Group (GTIG), Intellexa has been linked to the exploitation of the following zero-days, either developed in-house or procured from external entities -

One such iOS zero-day exploit chain used against targets in Egypt in 2023 involved leveraging CVE-2023-41993 and a framework named JSKit to perform native code execution. GTIG said it observed the same exploit and framework used in a watering hole attack orchestrated by Russian government-backed hackers against Mongolian government websites, raising the possibility that the exploits are being sourced from a third-party.

"The JSKit framework is well maintained, supports a wide range of iOS versions,

Source: The Hacker News