Cisco Talos

Asheer Malhotra

Intellexa and Cytrox: From fixer-upper to Intel Agency grade spyware

Mercenary spyware companies need to evolve their spyware capabilities just like any other commercial software vendor. This presentation details an account and timeline of one such mercenary organization, from near bankruptcy to fully working spyware targeting iOS and Android, delivered through one-click zero-day exploits.

Intellexa, a conglomerate of commercial spyware creators, was born out of the merger of existing mercenaries: Nexa Technologies, WiSpear and Cytrox, a Macedonian company focused on the Android platform. Intellexa's product is highly modular and versatile spyware, deployed via zero-day attacks against a variety of victims targeted by unscrupulous state-related actors all over the world. From the moment Cytrox was “rescued” by Intellexa, it started to revamp its suite of spyware, called ALIEN/PREDATOR. Based on code analysis and OSINT, this presentation will walk the audience through a timeline of key milestones in capability building, hiring, the sales pitch and finally the delivery of the solution to potential customers.

Throughout the presentation we will share the fundamentals of our analyses, giving the audience techniques that can be replicated in their own research and that help in constructing timelines based on binary analysis.
We break down all major events in ALIEN and PREDATOR’s development cycle leading up to the first campaigns ever attributed to Cytrox, highlighting their operational tactics along the way.
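One technique behind the "timelines based on binary analysis" mentioned above, as an added example that is not the talk's material or Talos's own code: on iOS, the LC_BUILD_VERSION (or, in older toolchains, LC_VERSION_MIN_IPHONEOS) load command of a Mach-O binary records the SDK it was linked against, and a binary cannot predate the public release of that SDK, so the SDK version gives a lower bound on the build date while the minimum OS version shows the oldest devices the operator bothered to support. The script below parses that command by hand and turns the SDK version into such a bound. The Mach-O bytes are constructed inline for the demonstration, and the SDK release-date table is an assumption that holds only the Xcode release dates the author of this example is confident of; extend it from Apple's release notes before relying on it.

```python
"""Bound a Mach-O binary's build date from its LC_BUILD_VERSION load command.

Added example, not code from the talk or from Cisco Talos. The SDK version a
binary was linked against cannot predate the public release of that SDK, so it
yields a lower bound on the build date.
"""
import struct
from datetime import date

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit little-endian Mach-O
MH_EXECUTE = 2
CPU_TYPE_ARM64 = 0x0100000C       # CPU_TYPE_ARM | CPU_ARCH_ABI64
LC_BUILD_VERSION = 0x32           # cmd, cmdsize, platform, minos, sdk, ntools, tools[]
LC_VERSION_MIN_IPHONEOS = 0x25    # older form: cmd, cmdsize, version, sdk
PLATFORM_IOS = 2

# Assumed lookup table: public release date of the first Xcode shipping each
# iOS SDK major version. Later minors of the same SDK shipped later still, so
# the date of the major is a conservative lower bound.
SDK_FIRST_RELEASE = {
    14: date(2020, 9, 16),
    15: date(2021, 9, 20),
    16: date(2022, 9, 12),
}


def decode_version(packed: int) -> str:
    """Unpack Apple's xxxx.yy.zz 32-bit version encoding into 'X.Y.Z'."""
    return f"{packed >> 16}.{(packed >> 8) & 0xFF}.{packed & 0xFF}"


def load_commands(blob: bytes):
    """Yield (cmd, raw_bytes) for each load command of a 64-bit Mach-O."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"not a little-endian 64-bit Mach-O (magic {magic:#x})")
    offset = 32  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, offset)
        if cmdsize < 8 or offset + cmdsize > len(blob):
            raise ValueError("malformed load command")
        yield cmd, blob[offset:offset + cmdsize]
        offset += cmdsize


def build_info(blob: bytes):
    """Return {'platform', 'minos', 'sdk'} or None if neither version command is present."""
    for cmd, raw in load_commands(blob):
        if cmd == LC_BUILD_VERSION:
            _, _, platform, minos, sdk, _ntools = struct.unpack_from("<6I", raw, 0)
            return {"platform": platform, "minos": decode_version(minos), "sdk": decode_version(sdk)}
        if cmd == LC_VERSION_MIN_IPHONEOS:
            _, _, version, sdk = struct.unpack_from("<4I", raw, 0)
            return {"platform": PLATFORM_IOS, "minos": decode_version(version), "sdk": decode_version(sdk)}
    return None


def earliest_build_date(info):
    """Lower bound on the build date, or None if the SDK major is not in the table."""
    major = int(info["sdk"].split(".")[0])
    return SDK_FIRST_RELEASE.get(major)


def make_sample(minos_packed: int, sdk_packed: int) -> bytes:
    """Constructed sample: a bare arm64 Mach-O header carrying one LC_BUILD_VERSION."""
    lc = struct.pack("<6I", LC_BUILD_VERSION, 24, PLATFORM_IOS, minos_packed, sdk_packed, 0)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1, len(lc), 0, 0)
    return header + lc


if __name__ == "__main__":
    sample = make_sample(0x000E0000, 0x000F0200)  # minos 14.0.0, SDK 15.2.0
    info = build_info(sample)
    print(info, "built no earlier than", earliest_build_date(info))
```

The bound is only a floor: nothing stops a developer from building against an old SDK years later, and the load command is plain data that a careful operator could rewrite, so it is one data point to corroborate against OSINT (hiring posts, sales material, certificate validity windows) rather than a timestamp to trust on its own. The Android counterpart of the same idea is the compiler identification string the NDK leaves in an ELF .comment section, which dates the toolchain in the same way.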

Finally, we will conduct a code-level review of the different components of the spyware, followed by a high-level comparison between the ALIEN/PREDATOR tag team on Android and the standalone PREDATOR on iOS, explaining the reasoning behind such platform-specific differences while illustrating that the core and capabilities of the spyware are ultimately the same.

Asheer Malhotra is a threat researcher specializing in threat intelligence, malware analysis, detection technologies and threat disclosures at Cisco Talos. He has been researching malware threats for about a decade at FireEye, Intel, McAfee and now Talos. His key focus is tracking nation-state attacks (APTs) across the world. Asheer holds an M.S. in Computer Science with a focus on Cyber Security.
