
Predator Tracks: This is how they targeted politicians, citizens and corporations!

In this technical analysis of the Predator spyware and the illegal surveillance in Greece, SecNews analyses the trap domains used to infect victims with malware. The findings reveal another dark side of organised crime and how Greek banking institutions and major companies are involved.

The Predator spyware and its use by the Greek government in the attempted surveillance of PASOK-KINAL president Nikos Androulakis, journalist Thanasis Koukakis and politician Christos Spirtzis, described by the international media as "shady practices" in a wiretapping scandal reminiscent of the worst days of military rule in the country, has deeply angered Greek citizens already disillusioned with the Mitsotakis government.

See also: Predator Greece - Intellexa and KRIKEL behind the interceptions?


Much is said, and even more written, about the origin of the malware, the way it infects and the "damage" it causes once it manages to infect the victim's device. We say "once it manages" because Predator behaves like much other malware: the victim has to allow the infection by clicking on a phishing link delivered via email, SMS, an app, and so on.

In the case of Mr Androulakis, he received a message reading exactly: "Let's take this seriously, man, we have to win", followed by a link that spoofed a real, properly functioning website. Although the message appears to have been read an hour after it was received, the fact that Androulakis never clicked on the link is what seems to have saved him from the worst.


But are we sure that such phishing messages and attacks target only prominent personalities and political opponents of the Mitsotakis government? How confident are we that the Predator spyware is not spying on millions of Greek citizens? After all, the Greek government appears to have bought its "weapon" at a high price from the mysterious Israeli Intellexa, which is linked to the production and use of illegal surveillance software in our country; this is no ghost company in Greece, but one with offices and staff working a few kilometres from the centre of Athens, which came to Greece with the help of a number of people. So why not make the most of it?

See also: Interception - 8.000.000€ cost to buy Predator spyware?

The SecNews investigation

SecNews decided to take the insidestory research on the surveillance campaign by the NSA a step further and to consider its use on a more massive scale. This is not only reminiscent of the 'dark days' of governance, as the international media report, but shows that democracy is drowning in the depths of corruption. The investigation reveals that the surveillance campaign also massively targeted Greek citizens beyond the personalities of the political scene. SecNews' technical analysis and research began in early July and continues up to the moment of writing this article. Additional information to be revealed in the coming days will connect the dots of the puzzle and reveal new faces that have not yet been reported!

Technical Analysis

From the moment the wiretapping scandal broke, the SecNews investigative team believed that the key to the investigation lay in the trap domains. That is, the characteristics of the domains should be investigated in depth to see whether there are more trap domains, how many of them were used, whether unsuspecting Greek citizens beyond the political personalities were also intercepted, and whether infections were limited to mobile phones or extended to the whole range of systems regardless of device (laptop, smartphone, etc.). No such investigation seems ever to have been carried out by the authorities.

Trap domains from insidestory.gr

First we need to understand some basic concepts about the creation of domain names. For the trap domains to be functional, their operators had to register them with a domain name registrar. Registrars, according to the legal framework of the country in which they operate, store and maintain the registrant's details each time a new domain is registered (email, name, full name, telephone number, IP address at registration, date, etc.). Since this data is considered public when a domain name is registered, any third party (e.g. a researcher) who wants to see it can do so... if they have the right know-how or tools. Obviously, for a domain registered for malicious purposes, this detail means exposing the criminals. Unfortunately for cybersecurity investigators, registrars offer an extra option, for just a few dollars, to hide this sensitive data. In that case the analysts' job becomes harder.


For the trap domains to infect their victims with malware (in our case the Predator/Cytrox spyware), creating them is not enough. The operators then have to point the DNS records at the IP address of the server that serves the malware to the unsuspecting user (the Command & Control server). A DNS record maps a domain name to a unique IP address. DNS records are stored on DNS servers and let site owners connect their websites to the outside world, so that web pages are visible on the internet and can be reached by users anywhere in the world.

The trap domains lead to the IP address of the server containing the malware (via an HTTP/HTTPS server or any other listening service port), which, once the victim clicks on the link, serves the spyware to the device. Criminals choose to rent dedicated servers (paying by the month with stolen credit cards or cryptocurrency) on which they plant the spyware, which then reaches the victim's device undisturbed and monitors his or her every move.


In the technical analysis conducted by SecNews we will follow the route just described, which has revealed facts not made public until now.

It will be examined whether there are more trap domains, how many of them were used, whether the phishing attacks also hit unsuspecting Greek citizens beyond the political personalities, whether the infections were limited to mobile phones or extended to the whole range of systems regardless of device (laptop, smartphone, etc.), and whether the phishing messages were sent only via SMS or by other means as well.

Predator Tracks Technical analysis: FIRST PHASE

Initially, after defining the reference domain (the research domain shown on the left), we proceeded to extract data via WHOIS/Reverse WHOIS services. We worked with one of the most specialised services in the industry, WHOISXML, which gave us access to the data for our research needs. The SecurityTrails service, a powerful internet inventory and attack surface tool, was also used.

Our original goal was to retrieve/locate current or past records for

(a) the creation time of each malicious domain

(b) the servers from which the malware was distributed (through the records the operators had placed in the DNS for each domain)

(c) the activation/deactivation times of each hacking campaign.

The following material analyses the conclusions of the SecNews survey.

Explanation of the column headings of the findings

  • Reference Domain: The domain names that have been made public.
  • IP hosting Server: The IP address/server to which the domain pointed. This is the "place" (server) to which the victim was sent by the malicious link he or she clicked on. Once the user clicked the link, they were transferred to the server holding the malicious spyware, which then took over the device. Consequently, this IP address held the malware code and distributed it to unsuspecting victims.
  • Service Provider/IP Address Owner: The IP registrar, i.e. the registrar of the server; in other words, who owns the specific IP address/server.
  • Activation date: The point in time when a domain becomes active and starts pointing to a server IP address. From that moment, if a user clicked the link they would be taken to the server serving the malware. In other words, it is the timestamp from which the domain points to the server and distributes the malware, meaning the operator pointed the domain at the server at the moment it wished to start distributing the software.
  • Deactivation date: The time at which the domain stops being active and pointing to a server IP address, or the time at which it changes and points to a different server. If a user clicked the link after this date, they would either not be redirected to the server serving the malware (and would get a blank screen) or would be redirected to another server (because, for example, the infrastructure operator wanted to serve different malware).
  • Domain Registration date: The time when the domain was created at a domain name registrar (e.g. Namecheap). Here we set this title to the exact date of registration.
  • Comments: Analyst commentary and explanations of the findings.
  • Conclusion: Domain used for targeting: the domain names have been used to infect victims with Predator spyware. Domain not actively used: the domain names, although registered and purchased, have NOT been used, or have been used little, to infect victims with Predator spyware.

During the research we created the table below, where each domain is shown in detail with the IP addresses associated with it, the service provider and the company hosting its server. We also consider the creation time of the malicious domains to be important.


To read the findings we carry out the following procedure:

We want to analyze the domain blogspot.edolio5.com.

We found that the operators of the Predator spyware created the domain with the Namecheap service on 9/3/2021. Then, from that very day, 9/3/2021, until 8/9/2021, they routed the domain to the VULTR HOSTING service, launching the malicious attack campaign; from the IP address 45.32.144.206 they distributed the malware to their unsuspecting victims. From 8/9/2021 until 21/12/2021 they changed the routing of the domain to a new server at the Contabo ISP (so we suspect a new hacking campaign). This move suggests re-targeting, or some testing in the preceding days before mass messages were sent to mobile phones. From 21/12/2021 to 10/3/2022 the domain does not appear anywhere, which we interpret to mean that the campaigns using edolio5 were stopped. From 10/3/2022 to 4/20/2022 the domain is released (remaining registered and pointing to Amazon's service, the Namecheap host redirection). We understand that it was active for a year, since it was created on 9/3/2021 and expired when Namecheap released it for purchase by anyone else.

From the photo published from Mr Spirtzis's mobile phone, we confirm that, given the date shown on the phone, the server used at that time can be determined by the procedure described above. Mr Spirtzis can, by means of a prosecutor's order for international cooperation, request the data from the service provider to which edolio5.com was "pointing" at the given time.
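The procedure just described, as an added Python example (this is not SecNews code or data): reconstruct a trap domain's activation/deactivation timeline from historical A-record observations, find the gap where the domain "does not appear anywhere", and answer which server the domain pointed to on a given date, such as the date visible in a screenshot. The observation records are constructed to mirror the article's account of blogspot.edolio5.com; only 45.32.144.206 (Vultr) is taken from the article, the Contabo and parking addresses are RFC 5737 documentation placeholders, and the provider labels, the 30-day threshold and the PARKING_HINTS list are assumptions.

```python
"""Activation/deactivation timeline of a trap domain from passive-DNS history.

Added example, not SecNews code. SAMPLE_HISTORY is CONSTRUCTED to mirror
the article's narrative for blogspot.edolio5.com: only 45.32.144.206 is
from the article; the other addresses are RFC 5737 placeholders and the
provider labels are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DnsObservation:
    domain: str
    ip: str
    provider: str
    first_seen: date   # activation date (inclusive)
    last_seen: date    # deactivation date (exclusive): record replaced or dropped


def _d(s: str) -> date:
    return date.fromisoformat(s)


SAMPLE_HISTORY: List[DnsObservation] = [
    DnsObservation("blogspot.edolio5.com", "45.32.144.206", "Vultr",
                   _d("2021-03-09"), _d("2021-09-08")),
    DnsObservation("blogspot.edolio5.com", "203.0.113.10", "Contabo (placeholder IP)",
                   _d("2021-09-08"), _d("2021-12-21")),
    # 2021-12-21 .. 2022-03-10: no record observed at all
    DnsObservation("blogspot.edolio5.com", "198.51.100.5",
                   "Amazon / Namecheap parking (placeholder IP)",
                   _d("2022-03-10"), _d("2022-04-20")),
]

# Provider labels that mean "registrar default page", not a live campaign (assumption).
PARKING_HINTS = ("parking", "namecheap")


def timeline(history: List[DnsObservation]) -> List[Tuple[date, date, Optional[str], str]]:
    """Sorted (activation, deactivation, ip, provider) rows; a row with ip=None is
    inserted for every period in which no record was live (campaign stopped?)."""
    recs = sorted(history, key=lambda r: r.first_seen)
    rows = []
    prev_end = None
    for r in recs:
        if prev_end is not None and r.first_seen > prev_end:
            rows.append((prev_end, r.first_seen, None, "no record"))
        rows.append((r.first_seen, r.last_seen, r.ip, r.provider))
        prev_end = r.last_seen
    return rows


def server_on(history: List[DnsObservation], when: str) -> Optional[Tuple[str, str]]:
    """(ip, provider) the domain pointed to on an ISO date, or None if it was dark.
    This is the lookup an investigator needs for a screenshot date."""
    day = _d(when)
    for r in history:
        if r.first_seen <= day < r.last_seen:
            return r.ip, r.provider
    return None


def classify(history: List[DnsObservation]) -> Tuple[str, int]:
    """Article-style verdict: count days pointed at a non-parking server and call
    the domain 'used for targeting' above a 30-day threshold (the threshold is an
    assumption, not the article's criterion)."""
    active_days = sum(
        (r.last_seen - r.first_seen).days
        for r in history
        if not any(h in r.provider.lower() for h in PARKING_HINTS)
    )
    verdict = "Domain used for targeting" if active_days >= 30 else "Domain not actively used"
    return verdict, active_days


def report(history: List[DnsObservation]) -> str:
    lines = [f"{start} -> {end}: {ip or '-'} ({prov})" for start, end, ip, prov in timeline(history)]
    verdict, days = classify(history)
    lines.append(f"Verdict: {verdict} ({days} active days)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HISTORY))
    print("Server on 2021-10-01:", server_on(SAMPLE_HISTORY, "2021-10-01"))
```

Deactivation dates are treated as exclusive so that a re-routing day (8/9/2021 in the article) belongs to the new server, and the gap row makes the "domain does not appear anywhere" period explicit instead of leaving it implicit between two rows.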


In a similar way we can draw our conclusions for the set of domains involved.


At the end of the list provided, SecNews has included the entire log, so that investigators can conduct additional research on the domains involved.


The file as edited by the SecNews editorial team is available below:

From the study of the above, the SecNews research team proceeded to identify the parties involved (most likely unknowingly, as providers) who may currently hold data on the actions of the malicious operators of the domains and servers used. The European authorities and the relevant Committees of Inquiry should IMMEDIATELY contact the providers that appear (especially those on European soil) to ascertain the existence of evidence, at a time when, according to media reports, there is an attempt in Greece to make evidence disappear.

Among the providers used as registrar/service provider we also identified a Greek company (!), Tophost, for the IP address 185.4.133.222. The company, probably unknowingly, provided the registration of the domain live24.com.gr. An investigation in this direction, in cooperation with the Tophost registrar, may provide additional information about the operator/user of the IP address.

It is worth mentioning that the mentioned dates of domain registration/activation/deactivation of the campaigns are important as they can be related to political events that took place on those dates in Greece or abroad. SecNews' assessment is that the start/end dates of hacking predator campaigns are in many cases correlated with political events or people in the news at the time.


Predator Tracks Technical analysis: SECOND PHASE

In the next stage, the SecNews research team analysed the IP addresses of the hosting servers (Command and Control, C&C) as they appear in the posted files (photographic material), to investigate their use further and their possible association with other domain names. Knowing the IP addresses of the servers to which the domains had been routed at some point in the past, we searched with reverse WHOIS techniques for the domains hosted on those IP addresses.

It is common practice for ISPs and malicious users to associate multiple domains to one IP address (a VPS server) for reasons of economy and ease of management.

In cases like the Predator spyware campaign, an IP address will be connected to multiple domains simultaneously, and each domain can "serve" a different page/hacking campaign for each target.

In this way we aimed to identify new domain names that have been used as phishing links in messages to potential victims that have not yet been made public.


SecNews, in cooperation with WhoisXML API (a company that provides a comprehensive set of data feeds containing both real-time and historical domain, WHOIS, DNS, IP and cyber threat intelligence datasets), identified many more domain names that have been used for malware infection. WhoisXML provided SecNews with full access to their excellent search service for the purposes of the research, so that we could draw our conclusions accurately, because the domains had been active in the past and there was a possibility that both the DNS records and the servers used had since changed.

The IP address 72.34.38.64 was found to have had 60 trap domains activated and connected to it, according to the research.

Upon completion of the investigation, over 60 new trap domain names were identified that have been used at some point to target unsuspecting victims. The domain names mimic website links of banking institutions, popular services and technology tools, among others. Some of the domains were mentioned in the original research of insidestory.gr. But that was not all.

As shown in the following file, criminals have used phishing links with domain names such as

  • www.cdiscount.gr.com
  • co-devs.gr.com
  • mail.otenet.gr.com
  • webmail.domain.gr.com
  • euroibanking.gr.com
  • hostmaster.www.alpha.gr.com
  • app.piareus.gr.com
  • pireaus.gr.com
  • www.nft.gr.com
  • login.alpha.gr.com
  • coupons.gr.com
  • dmarket.gr.com
  • seo.gr.com
  • nft.gr.com
  • money.gr.com
  • www.wiki.roblox.gr.com
  • piareus.gr.com
  • winbamk.gr.com
  • alhpa.gr.com
  • www.otenet.gr.com
  • yout.ube.gr.com
  • login.pireaus.gr.com
  • nassosblog.gr.com
  • vouliwatch.gr.com
  • lbank.gr.com
  • otenet.gr.com
  • www.money.gr.com
  • hostmaster.alpha.gr.com
  • piraeusbamk.gr.com
  • my.alpha.gr.com
  • alpha.gr.com
  • www.hostmaster.login.alpha.gr.com
  • wordpress.gr.com
  • dan.nft.gr.com
  • citroen.gr.com
  • login.piraeusbamk.gr.com

It is concluded that there has been massive use of phishing links posing as online banking services such as Alpha Bank (alhpa.gr.com, my.alpha.gr.com, alpha.gr.com), Eurobank (euroibanking.gr.com), Piraeus Bank (login.piraeusbamk.gr.com, piraeusbamk.gr.com, piareus.gr.com, pireaus.gr.com, app.piareus.gr.com) and the National Bank of Greece (lbank.gr.com). They also seem to have imitated news websites such as www.money.gr.com and nassosblog.gr.com, the Citroen website and YouTube, as well as pages relating to NFTs. The domains connected to the IP address/server 72.34.38.64 alone are shown in the list below:
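The reverse-IP pivot described in the second phase and the look-alike domains just listed, as one added Python example (not SecNews code and not the WhoisXML API): starting from a C2 address, list the co-hosted domains and score each one's registrable label against a brand watch list, counting an adjacent-letter swap (alhpa, pireaus) or a single inserted letter (piraeusbamk, euroibanking) as one edit. The passive-DNS rows are constructed from the article's domain list; 72.34.38.64 and 45.32.144.206 are from the article, and the BRANDS table is an assumption. The scoring generalises beyond the article's cases to any brand token a defender adds to the table.

```python
"""Reverse-IP pivot plus brand look-alike scoring.

Added example, not SecNews code. SAMPLE_PDNS is CONSTRUCTED from the domain
list in the article (the IPs are those the article names); BRANDS is an
assumption standing in for a defender's own watch list.
"""
from typing import Dict, List, Optional, Tuple

SAMPLE_PDNS: List[Tuple[str, str]] = [
    ("login.alpha.gr.com", "72.34.38.64"),
    ("alhpa.gr.com", "72.34.38.64"),
    ("piraeusbamk.gr.com", "72.34.38.64"),
    ("login.pireaus.gr.com", "72.34.38.64"),
    ("euroibanking.gr.com", "72.34.38.64"),
    ("winbamk.gr.com", "72.34.38.64"),
    ("mail.otenet.gr.com", "72.34.38.64"),
    ("citroen.gr.com", "72.34.38.64"),
    ("blogspot.edolio5.com", "45.32.144.206"),   # other campaign, other server
]

# brand token -> display name (assumption; not on the page)
BRANDS: Dict[str, str] = {
    "alpha": "Alpha Bank",
    "eurobank": "Eurobank",
    "piraeus": "Piraeus Bank",
    "winbank": "Winbank",
    "otenet": "OTEnet",
}


def reverse_ip(pdns: List[Tuple[str, str]], ip: str) -> List[str]:
    """Every domain observed pointing at `ip`: the reverse-WHOIS/passive-DNS pivot."""
    return sorted({d for d, i in pdns if i == ip})


def registrable_label(domain: str) -> str:
    """The label the registrant actually bought. Under the gr.com service it is the
    label left of '.gr.com'; otherwise the label left of the TLD."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2:] == ["gr", "com"]:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein where an adjacent
    transposition also costs one edit, so 'alhpa' is 1 away from 'alpha'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def closest_brand(label: str, brands: Dict[str, str] = BRANDS,
                  max_dist: int = 1) -> Optional[Tuple[str, int]]:
    """Best (brand name, distance) for any window of `label` whose length is
    within `max_dist` of a brand token; None if nothing is close enough."""
    best = None
    for token, name in brands.items():
        n = len(token)
        for width in range(max(1, n - max_dist), n + max_dist + 1):
            for start in range(0, max(1, len(label) - width + 1)):
                dist = osa_distance(label[start:start + width], token)
                if dist <= max_dist and (best is None or dist < best[1]):
                    best = (name, dist)
    return best


def flag_lookalikes(domains: List[str], brands: Dict[str, str] = BRANDS,
                    max_dist: int = 1) -> Dict[str, Tuple[str, int]]:
    """Map each look-alike domain to the brand it imitates and the edit distance."""
    hits = {}
    for dom in domains:
        match = closest_brand(registrable_label(dom), brands, max_dist)
        if match:
            hits[dom] = match
    return hits


if __name__ == "__main__":
    cohosted = reverse_ip(SAMPLE_PDNS, "72.34.38.64")
    for dom, (brand, dist) in flag_lookalikes(cohosted).items():
        print(f"{dom:28} -> {brand} (distance {dist})")
```

A distance of 0 (login.alpha.gr.com) is still a hit, because the registrable label is the brand name under a domain the brand does not own; a defender would feed the flagged domains into mail and web filtering and the co-hosted list into a block on the C2 address itself.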

For the registration of the above look-alike subdomains, a service was used that allows registration of subdomains under the domain gr.com. In this case the .gr.com subdomains are a subclass of .com domains and an alternative form of registration for those who do not wish to have a .gr domain. The registrar for some of them is the company IDOT Services Limited, based in Cyprus. If the domains have been purchased, the registrar will hold details of the buyers or payment details. The domains currently display the following image, for reasons we could not clarify:

The server these domains currently point to is "mail64.honolulu.elinuxservers.com", probably a VPS hosting server of the company elinuxservers.com. The fact that the websites show as suspended can mean either that the malicious activity was detected by the service provider or that this was intended by the malicious Predator operators.

It is worth noting that SecNews readers had previously reported receiving, as spam email, messages with domain addresses related to banks and telecommunications providers. They had received phishing attempts with links aimed at stealing bank passwords, using the above-mentioned domains! This opens four new areas of investigation that have not been reported so far:

A) Have politicians or unsuspecting Greek citizens received messages leading to the above malicious domains NOT on mobile phones but on computer terminals?

B) Were the operators of the above infrastructure using the interception infrastructure for personal reasons and also for illegal profit through phishing against Greek banks, since the associated domains all resemble well-known services of the most important Greek banks?

C) Were the operators of the above infrastructure breaking into well-known Greek companies or organisations (banks, telecommunications providers, etc.), extracting the personal data of Greeks so as to be able to carry out more targeted attacks, building huge databases without the companies' knowledge?

D) Have the competent committees and the political persons involved investigated whether they received corresponding links on their computers (or on the computers of related persons such as secretariats, associates, etc.), apart from the mobile phones that were tapped? Has a correlation been made between the activation/deactivation dates of the phishing domains and political events in Greece and abroad?

Surveillance systems such as those of NSO or Intellexa use "exploit chains" (chains of exploitation). This means that if the user opens the link from a desktop computer, malware configured for desktop systems or macOS will run, and if remote code execution is not directly possible, a chain of techniques is used to achieve it. This is particularly common in desktop/laptop hacking.

The SecNews Investigation continues and we will be back soon with additional shocking facts, with people who have not yet come to the forefront.

Note of particular interest: on August 25, 2021, Tal Dilian (a shadowy figure by that time), probably knowing that something big was coming, started an SEO campaign (Search Engine Optimisation / reputation management) in search engines, creating a website about himself under the domain https://taldilian.com/.

This is a common tactic of entrepreneurs and companies who wish to drown out the potential impact of bad publicity by creating domains and advertising websites. For a former secret service agent and current businessman, such visibility raises eyebrows and questions, as does the date on which the domain registration and advertising campaign started (the domain was activated with the option to hide the registrant's data selected).
