Two Egyptians—exiled flesh presser Ayman Nour and the host of a famous information software (who desires to stay anonymous)—had been hacked with Predator adware, constructed and offered through the formerly little-recognized mercenary adware developer Cytrox.
The telecellsmartphone of Ayman Nour become concurrently inflamed with each Cytrox’s Predator and NSO Group’s Pegasus adware, operated through exclusive authorities clients.
Both goals had been hacked with Predator in June 2021, and the adware became capable of infecting the then-modern-day model (14.6) of Apple’s iOS running machine the usage of unmarried–click on hyperlinks dispatched through WhatsApp.
We received samples of Predator’s “loader,” the primary section of the adware, and analyzed their functionality. We determined that Predator persists after rebooting the usage of the iOS automations feature.
We carried out Internet scanning for Predator adware servers and determined in all likelihood Predator clients in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.
Cytrox become mentioned to be a part of Intellexa, the so-called “Star Alliance of adware,” which become fashioned to compete with NSO Group, and which describes itself as “EU-primarily based totally and regulated, with six webweb sites and R&D labs all through Europe.”
We showed the hacking of the gadgets of people with Cytrox’s Predator adware: Ayman Nour, a member of the Egyptian political competition dwelling in exile in Turkey, and an Egyptian exiled journalist who hosts a famous information software and desires to stay anonymous.
Ayman Nour is the president of the Egyptian political competition organization Union of the Egyptian National Forces. Nour is likewise a former Egyptian presidential candidate and founder and chairperson of the Ghad al-Thawra birthday celebration. In 2005, Nour ran towards former Egyptian President Hosni Mubarak. After the election, Nour became convicted of “forging signatures on petitions” filed to create his political birthday celebration—a rate which became extensively taken into consideration to be “politically inspired”—and imprisoned for extra than 4 years. Nour ultimately launched from jail in 2009 on fitness grounds and after global pressure.
Nour became a candidate of the Ghad Al-Thawra birthday birthday celebration withinside the 2012 Egyptian presidential elections. He became excluded from the elections in conjunction with some of the different competition candidates. In 2013, after opposing President Abdel Fattah El-Sisi’s navy coup, Nour fled Egypt for Lebanon. In 2015, the Egyptian embassy in Lebanon declined to resume his passport and Nour departed Lebanon for Turkey, wherein he has resided on account that 2015. He remains a vocal critic of Sisi’s regime, describing his authorities as an “oppressive navy regime.” He has additionally accused Sisi’s authorities of “intense human rights violations” and of turning the U.S. into an “absolutely autocratic state.”
The 2d goal whose telecel smartphone we showed become hacked with Cytrox’s Predator adware is an Egyptian exiled journalist and an outspoken critic of the Sisi regime. This goal has been selected to stay anonymous.
1.1. Enter: Cytrox
Founded in 2017, Cytrox’s enterprise pastime is blandly defined in Crunchbase as offering governments with an “operational cyber solution” that consists of amassing statistics from gadgets and cloud services. In Pitchbook, their era is described as “cyber intelligence structures designed to provide security” to governments and help with “designing, coping with and enforcing cyber intelligence amassing withinside the community, permitting corporations to accumulate intelligence from each give up gadgets in addition to from cloud services.”
Figure 1: The emblem of Cyrax from a North Macedonian activity postings internet site. Source.
Cytrox reportedly commenced existence as a North Macedonian start-up. A evaluation of company registry files suggests that Citrox seems to have a company presence in Israel and Hungary.
Cytrox’s Israeli businesses had been based in 2017 as Citrix EMEA Ltd. and Citrix Software Ltd. Perhaps taking a web page from Candiru’s company obfuscation playbook, each of these businesses had been renamed in 2019 to Balinese Ltd. and Peterbald Ltd., respectively. We additionally determined one entity in Hungary, Cytrox Holdings Zrt, which became additionally fashioned in 2017.
Figure 2: Citrix CEO Ivo Malinkovksi carrying a “More Money” shirt, and mimicking the duvet of Apple co-founder Steve Jobs’ biography. Source.
Figure 2: Citrix CEO Ivo Malinkovksi carrying a “More Money” shirt, and mimicking the duvet of Apple co-founder Steve Jobs’ biography. Source.
At the time of writing, we trust that Cytrox’s CEO is Ivo Malinkovksi, as said on his LinkedIn web page. Notably, Malinkovksi’s now-personal Instagram account consists of a 2019 photograph of him in the front of the Pyramids of Giza in Egypt.
A 2019 record in Forbes states that Cytrox become “rescued” through Tal Dilian, a former Israel Defence Forces (IDF) Unit eighty one commander, whose business enterprise WiSpear (which seems to had been renamed Passitora Ltd.) is primarily based totally in Limassol, Cyprus and reportedly obtained Cytrox in 2018 consistent with the Atooro Fund. Dilian is likewise referred to as the founding father of Circles, a distinguished mobile community surveillance business enterprise. In December 2020, the Citizen Lab posted a research into Circles’ authorities clients. Dilian is likewise the founder and CEO of Intellexa.
1.2. Cytrox, a Part of the “Intellexa Alliance”
The following phase isn’t an entire accounting of the connection among Cytrox and different entities. It is primarily based totally on a evaluate of a combination of media reviews and a nonexhaustive evaluate of business enterprise registries throughout numerous jurisdictions. Additional studies into Intellexa and the businesses that shape this advertising alliance may want to probably offer beneficial perception into how industrial surveillance businesses appoint complicated enterprise systems and use measures that obfuscate their operations.
The Link among Cytrox and Intellexa
Cytrox is a part of the so-called “Intellexa alliance,” a advertising label for a number of mercenary surveillance companies that emerged in 2019. The consortium of businesses consists of Nexa Technologies (previously Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, in conjunction with different unnamed entities, purportedly searching for to compete towards different gamers withinside the cyber surveillance marketplace which include NSO Group and Verint.
Originally primarily based totally in Cyprus, a current record shows that Intellexa now operates from Greece, which is likewise indexed because the LinkedIn vicinity of its founder, Dilian. A initial evaluate of company registry documentation shows that the alliance has a company presence in now no longer simplest Greece (Intellexa S.A.), however additionally in Ireland (Intellexa Limited). The Dun & Bradstreet access for Intellexa S.A. and Intellexa Limited notice Sara-Aleksandra Fayssal Hamou (or Sara Hamou) as a key important in each businesses. Hamou is reportedly Dilian’s 2d wife.
In our initial studies, the unique hyperlink among Cytrox and Intellexa, in addition to different businesses withinside the “alliance,” stays murky at best. In reviewing filings withinside the Israeli enterprise registry, we determined a 2020 switch of all stocks held through Cytrox Holdings Zrt (Hungary) in Cytrox EMEA Ltd./Balinese Ltd. (Israel) to Aliada Group Inc., an entity registered withinside the British Virgin Islands (registration no. 1926732). Prior to this percentage switch, Cytrox Holdings Zrt seems to had been the only shareholder of stocks in Cytrox EMEA Ltd./Balinese and after this percentage switch it appears to stay the only shareholder in Cytrox Software Ltd./Peterbald. Further, an editorial from Intelligence Online in 2017 notes that WiSpear Systems is “owned through Aliada Group Inc.”
Information on Aliada Group Inc. is fairly scant. The identical 2017 article from Intelligence Online notes that Aliada Group Inc. is “subsidized through the personal fairness organization Mivtach-Shamir, which spent $3.five million to accumulate a 32% stake in Aliada in December 2016, in conjunction with an choice to accumulate an extra five%.” Mivtach-Shamir is “a publicly-traded Israeli funding business enterprise” based through Meir Shamir. In reviewing entries for WiSpear/Passitora Ltd. in Cyprus’ enterprise registry, we referred to that “Mivtah Shamir Technologies (2000) Ltd.” is indexed as a director of Passitora Ltd., in conjunction with Dilian. We additionally determined an access withinside the Israeli enterprise registry for a “Mivtach Shamir Technologies (2000) Ltd.,” which become reputedly integrated in 2000.
Further, a 2020 Haaretz article referred to that Avi Rubinstein, a “excessive-tech entrepreneur, filed a lawsuit towards Dilian in Tel Aviv District Court.” According to Haaretz, Aliada Group Inc. is defined withinside the litigation as “a collection of cyberweapon businesses whose merchandise are branded below the call Intellexa.” Two different people, Oz Liv, who become additionally a commander in Unit eighty one, and Meir Shamir, also are named as defendants. According to Haaretz, those people, in conjunction with Rubinstein, who filed the suit, and Dilian, are all shareholders in Aliada Group Inc.
Haaretz similarly notes that Rubinstein is accusing Dilian, Liv, and Shamir of acting “illegally to dilute [Rubinstein’s] personal stocks via a pyramid of businesses installation overseas. Some of these businesses had been set up through the front guys related to Dilian, such as his 2d wife, Sara Hamou” (as referred to above, Hamou’s call seems in company registry listings withinside the Dun & Bradstreet database for Intellexa entities in Ireland and Greece). The lawsuit additionally reportedly claimed that “this switch of Aliada’s sports out of Israel through shell businesses, first to the British Virgin Islands and later Ireland, violated each Israeli and overseas protection export manipulate laws.”
According to the BVI Registrar of Corporate Affairs, as of the date of e-book of this record, Aliada Group Inc.’s prison repute is “in penalty” because of nonpayment of annual fees. In addition, the registered agent filed an cause to renounce on November 12, 2021. The cause for the resignation is as but unclear.
A earlier model of the Intellexa internet site markets “intelligence solutions” such as “tactical interception.” The advertising of interception become additionally underscored in Dilian’s 2019 Forbes interview. However, on the time of writing, the internet site is extensively extra indistinct approximately the business enterprise’s sports. In its modern shape, Intellexa’s internet site and related motion pictures pitch a product called “Nebula” that’s defined as a ‘holistic’ intelligence amassing and evaluation platform.
Figure 3: Text from the Intellexa internet site at time of writing.
The business enterprise’s internet site prominently capabilities the declare that it’s miles “EU-primarily based totally and regulated.” This declare is exciting given the tune report of a number of Intellexa’s collaborating company entities, that have been riddled with prison problems and different controversy. For example, in June 2021, executives of Amesys and Nexa Technologies had been indicted through investigating judges with the crimes towards humanity and battle crimes unit of the Paris Judicial Court for complicity in torture in terms of product income to the Libyan authorities and complicity in torture and pressured dissapearance in terms of product income to the Egyptian authorities.
Dilian has additionally been accompanied through reviews of prison and different irregularities, each throughout his time withinside the Israeli navy and in his new profession as a mercenary surveillance tech vendor. In 2019, after dating exposure with an illustration to Forbes of a “$nine million alerts intelligence van” with communications hacking abilties in Cyprus, WiSpear and Tal Dilian attracted police interest. The van become confiscated through Cypriot authorities, numerous WiSpear/Passitora Ltd. personnel had been arrested and in brief detained, and Dilian become desired for questioning.
According to a 2020 Reuters article Dilian—who characterised the Cypriot research as a “witch hunt” towards him—fled Cyprus after an arrest warrant become issued in his call. An article in CyprusMail from November 2021 notes that the Attorney-General’s workplace determined to “drop all charges” towards all 3 people concerned withinside the “secret agent van” case (the case towards WiSpear/Passitora Ltd. become now no longer dropped). Reporting from the identical month notes that WiSpear become fined nearly 1 million Euros for privateness violations.
Attacks towards the Two Targets
Nour first have become suspicious after looking at that his iPhone become “jogging hot.” We discovered of Nour’s case and reviewed logs from his telecellsmartphone. Ultimately, we decided that his tool have been exploited and inflamed with separate mercenary adware tools: Pegasus adware, made through NSO Group, and Predator, that’s evolved through Cytrox.
We characteristic the assaults on the 2 goals to the Egyptian Government with medium-excessive self belief. We carried out scanning (Section 4) that recognized the Egyptian Government as a Cytrox Predator customer, web sites used withinside the hacks of the 2 goals bore Egyptian themes, and the messages that initiated the hack had been despatched from Egyptian WhatsApp numbers (Section 2.five, Section 2.7).
2.1. Confirming NSO Pegasus Infection of Ayman Nour
The logs confirmed that Nour’s telecellsmartphone have been time and again compromised with NSO Group’s Pegasus adware on account that March 3, 2021. For example, proof of execution of the subsequent techniques become recognized on Nour’s telecellsmartphone, courting lower back to March 3, 2021:
These system names all seem on a listing of Pegasus signs posted through Amnesty Tech and we’ve additionally independently connected them to Pegasus. Crash logs additionally confirmed that on June 30, 2021, NSO Group’s FORCEDENTRY take advantage of (CVE-2021-30860) become fired on the telecellsmartphone. The take advantage of did now no longer bring about set up of the Pegasus adware at this time.
Based at the lines of FORCEDENTRY, the presence of system names connected to Pegasus, and extra factors, we finish with excessive self belief that the telecellsmartphone become time and again hacked with NSO Group’s Pegasus adware beginning on March 3, 2021.
2.2. Confirming Cytrox Predator Infection of Ayman Nour
After confirming forensic lines of Pegasus on Nour’s iPhone, we recognized the presence of extra adware, which we characteristic with excessive self belief to Cytrox. We similarly finish with excessive self belief that it’s miles unrelated to Pegasus adware.
While inspecting the iPhone logs we decided that, on June 30, 2021, instructions “/Payload2” had been jogging at the telecellsmartphone (PIDs 339 and 1272), and that those instructions have been released with a unmarried argument, a URL on distedc[.]com. The instructions had been jogging as root.
Figure 4: Listing of instructions jogging on Nour’s telecellsmartphone.
iPhone logs indicated that the system names of the instructions had been UserEventAgent and com.apple.WebKit.Networking, that their binaries had been resident on disk withinside the /personal/var/tmp/ folder, and that the accountable system for each become siriactionsd, that’s a valid iOS system that manages iOS shortcuts and automations.
Phone logs displaying system names of the instructions, and paths to binaries on disk.
Figure five: Phone logs displaying system names of the instructions, and paths to binaries on disk.
While iOS has valid binaries with the names “com.apple.WebKit.Networking” and “UserEventAgent”, the binaries in Figures five do now no longer in shape any recognized valid Apple model. Moreover, the valid iOS binaries with those names aren’t saved in /personal/var/tmp/. The suspicious techniques had been jogging as a part of the “com.apple.WorkflowKit.BackgroundShortcutRunner” launchd coalition. We determined extra suspicious techniques that had lately run on this identical coalition, named “hooker” and “takePhoto”.
2.3. Attribution to Cytrox
We regarded up the IP cope with for distedc[.]com on Internet scanning carrier Censys and determined that, as of October 2021, it again an HTTP 302 redirect to https://duckduckgo.com. Concluding that this is probably an figuring out behavior, we constructed a Censys fingerprint for the redirect.
We determined 28 hosts on Censys matching this fingerprint in October 2021, such as an IP in Northern Macedonia, 62.162.five[.]fifty eight, which become pointed to through dev-bh.cytrox[.]com in August 2020, and which additionally again a redirect with dev-bh.cytrox[.]com in its Location header on port eighty throughout this period.
Additionally, passive DNS device RiskIQ suggests that the IP 62.162.five[.]fifty eight again a certificate (0fb1b8da5f2e63da70b0ab3bba8438f30708282f) for teslal[.]xyz among July 2020 and September 2020. Since 62.162.five[.]fifty eight presently returns a teslal[.]xyz certificate, we count on that the IP has now no longer modified possession on account that August 2020 and is for this reason nevertheless associated with cytrox[.]com.
Figure 6: Cytrox WordPress web page from 2019, after obvious hacking and the location of an SEO-hyperlink for a web casino.
The cytrox.com area formerly again a WordPress web page containing an e-mail cope with (firstname.lastname@example.org), which seems to be the e-mail of Ivo Malinkovski, CEO of Cytrox. The WordPress web page is seemingly unmaintained, and become reputedly hacked to consist of junk mail hyperlinks to a web casino (Figure 6).
We analyzed binaries related to the adware (Section 3), which discovered that the adware is named “Predator.” We finished extra fingerprinting and scanning (Section 4) that allowed us to perceive extra additives of Cytrox consumer infrastructure.
2.4. Observation of Additional Domains
In addition to distedc[.]com, we determined extra domain names related to the Predator set up on the 2 sufferer phones.
Domain Where Seen
distedc[.]com As argument to jogging Predator system in machine logs; in iOS automation for Predator persistence
gosokm[.]com iOS machine logs for jogging Predator techniques confirmed records exfiltration here
Predator configuration echoed to machine logs
egyqaz[.]com Within Android Predator pattern downloaded from distedc[.]com; Safari records of compromised tool
Safari records of compromised tool timestamped ~1ms earlier than egyqaz[.]com
Table 1: Domains determined in Predator adware used to hack Egyptian goals.
2.five. How Ayman Nour become Hacked with Predator
We searched Nour’s telecellsmartphone for those domain names and determined that an Egyptian variety on WhatsApp (+201201407978), purporting to be a “Dr. Rania Shhab,” despatched 4 wonderful hyperlinks to almasryelyuom[.]com and qwxzyl[.]com to Nour’s tool. The hyperlinks had been despatched as pictures containing URLs. The identical WhatsApp account despatched a hyperlink to youtu-be[.]internet, which we determine is likewise related, due to the fact the server reaction for youtu-be[.]internet suits that of almasryelyuom[.]com and qwxzyl[.]com.
The following are examples of pictures accompanying the hyperlinks despatched through the attacker, extracted from Nour’s telecellsmartphone: