
Pegasus Spyware

Pegasus Timeline

In July 2021 the Pegasus Project investigation was formed, a consortium of seventeen news media organisations around the world including The Guardian, Radio France, Le Monde, Die Zeit, Süddeutsche Zeitung, The Washington Post, Haaretz, Aristegui Noticias, Proceso, the Organised Crime and Corruption Reporting Project, Knack, Le Soir, The Wire, Daraj, Direkt36 and Frontline. The investigation was prompted by a leak of a list of more than 50,000 phone numbers. Evidence was found that numbers on the list had been targets of Pegasus spyware. However, the CEO of NSO said that the allegations are not reliable and stated that ‘This is an attempt to build something on a crazy lack of information… There is something fundamentally wrong with this investigation’. link

2012

  • The name Pegasus came to light during the trial of former President Ricardo Martinelli in the Pinchazos case. Multiple sources claim that Pegasus spyware was used in Panama under Martinelli, although the former president was found not guilty by the Supreme Court. link link

2013

  • According to multiple sources, documents allegedly revealed that clients of the NSO Group in the United Arab Emirates had used the spyware in 2013. link Furthermore, Pegasus code shows signs of a kernel mapping table that had values all the way back to iOS 7 (released in 2013). link

2014

  • In 2017, there were claims that Pegasus had been used by the Mexican government during the 2014 Iguala mass kidnapping. These claims were denied by the Mexican government. link

2015

  • Leaks of records from ‘Hacking Team’, an Italian company selling mobile spyware, indicated that the software had allegedly been supplied to the government of Panama in 2015. link

2016

  • In August 2016, Pegasus iOS exploitation was identified after an Arab human rights defender received a text message offering ‘secrets’ by following a link. The human rights defender sent the link to Citizen Lab. Once investigated with the help of Lookout, it was confirmed that the link would have jailbroken the phone and installed Pegasus. (Social Engineering techniques) link
  • According to a former NSO employee, the U.S. version of Pegasus had a 1-click capability for all phones other than BlackBerry models, which required an alternative attack. link
  • Sources claim that the NSO Group pitched the U.S. version of Pegasus to the San Diego Police Department, which declined it due to the software ‘being expensive’. link
  • On 26 August 2016, NSO’s spokesperson Zamir Bahbash said in a statement that the company’s mission is to provide ‘authorised governments with technology that helps them combat terror and crime’. link

2017

  • In April 2017, Google researchers discovered an Android malware believed to be created by the NSO Group named after Pegasus. The malware was named ‘Chrysaor’. link
  • At the 2017 Security Analyst Summit held by Kaspersky Labs, researchers revealed that an Android version of Pegasus was available. Its functionality was said to be like that of the iOS version, but its mode of attack was different: the Android version was reported to try to gain root access and to ask the user for permissions that enable it to harvest data. Google also reported that only a few Android devices had been infected at this time. link
  • Citizen Lab reported that the Bahrain government acquired access to the spyware in 2017. link
  • In 2017, Citizen Lab reported that the NSO Group used exploit links which may have been sent to Mexican scientists and public health campaigners. link
  • In July 2017, Citizen Lab reported that several members of political opposition groups in Poland were hacked by Pegasus. link

2018

  • Several outstanding lawsuits in 2018 claimed that the NSO Group helped clients violate numerous human rights. link
  • The U.S. Central Intelligence Agency allegedly purchased Pegasus for the Djibouti government to conduct counter-terrorism operations. link
  • Estonia allegedly entered negotiations to procure Pegasus and made a $30 million down payment for the tool, intending to use it against Russian phones to gather intelligence. Israel decided to deny Estonia access to Pegasus for use against any Russian phone in order to avoid damaging Israeli relations with Russia. link
  • During the Mexican presidential election, claims were made that Pegasus was used to gather recordings of Obrador’s conversation with family and colleagues which were eventually leaked to the public. link
  • In December 2018, The New York Times concluded that Pegasus played a major role in the murder of a Saudi Arabian journalist. link
  • In 2018, Hana Elatr intended to sue the NSO Group, alleging that she was targeted with Pegasus spyware. Elatr prepared a lawsuit in the U.S. against the governments of Saudi Arabia and the United Arab Emirates. After Elatr’s arrest in Dubai, the confiscated phone showed that there had been an attempt to install Pegasus. link
  • In June 2018, a Saudi satirist was allegedly targeted by Saudi Arabia with Pegasus; the targeting was later confirmed by Citizen Lab. link

2019

  • In 2019 WhatsApp revealed that Pegasus was exploiting a vulnerability in the application that allowed zero-click attacks to be launched through a phone call, even if the call was not answered. link
  • The German Federal Criminal Police Office allegedly acquired access to Pegasus despite hesitations from its legal counsel. The use of Pegasus was later revealed by German media. link
  • In late 2019, Facebook initiated a lawsuit against the NSO group due to the exploitation of WhatsApp communications between activists, journalists and bureaucrats in India. This then led to accusations that the Indian government was involved with Pegasus. link
  • In 2019, two Moroccan activists were notified by WhatsApp that their phones had been compromised with Pegasus. link
  • Leading up to the 2019 European and Polish parliamentary elections, text messages were stolen from Krzysztof Brejza. This prompted the Polish senate to begin an inquiry into Pegasus. link
  • It was reported that the Ugandan general Muhoozi Kainerugaba brokered a deal to use Pegasus in Uganda, paying between $10 and $20 million. link Furthermore, it was reported that Ukraine sought to obtain Pegasus to counter what it saw as Russian aggression. Israel imposed a near-ban on weapon sales to Ukraine in order to avoid damaging relations with Russia. link
  • It was reported that the Federal Bureau of Investigation (FBI) had allegedly bought the Pegasus spyware in secret in 2019. link

2020

  • A report states that between July 2020 and November 2021, Pegasus was deployed on the phones of 22 employees of El Faro, a news outlet in El Salvador. The El Salvadoran government denied responsibility for the espionage, and the NSO group declined to reveal whether the El Salvadoran government was a client. link
  • In June 2020, an investigation into the targeting of the Moroccan journalist Omar Radi led to accusations towards the Moroccan government for the use of Pegasus against the journalist. Amnesty claimed that the attack came after the NSO group updated their policy in September 2019. link
  • According to a report from Front Line Defenders, the mobile phones of six Palestinian activists were allegedly hacked using Pegasus, with reports indicating that the attacks go as far back as July 2020. link
  • In December 2020, it was reported that Saudi Arabia and the United Arab Emirates deployed a zero-click iMessage exploit against two London based reporters and 36 journalists at the Al Jazeera television network in Qatar. link
  • According to other reports, two further attacks were launched against Ben Hubbard, a New York Times correspondent covering the Middle East, during 2020 and 2021. These attacks used zero-click capabilities. link
  • A report by the Citizen Lab revealed that Pegasus was used to hack into the phones at Downing Street and the Foreign Office. The spyware attack happened at No 10 Downing Street on 7 July 2020 and infected the phone of British Prime Minister Boris Johnson. At least five attacks were identified on Foreign Office phones by UK allies, including UAE, between July 2020 and June 2021. link

2021

  • In July 2021, the investigation initiative named Pegasus Project reported that the spyware was still being widely used against high-profile targets. link
  • In December 2021, Google Project Zero documented another exploit, named FORCEDENTRY, in which Pegasus sent its targets an iMessage containing a JBIG2 image stream; the image decoder was abused to emulate a computer architecture inside it, enabling a zero-click attack. [link]
  • On 13 September 2021, Apple fixed CVE-2021-30860 which allowed Pegasus to use the JBIG2 image stream to implement its zero-click capabilities. link
  • On 18 July 2021, Amnesty International reported that Pegasus employs a sophisticated C2 infrastructure to deliver payloads and send commands to its targets. link
  • An investigation led by Citizen Lab revealed that journalists of 13 El Salvadoran news organisations were targeted between July 2020 and November 2021. link
  • In July 2021, Le Monde reported that the French president Emmanuel Macron and 14 French ministers were flagged as potential Pegasus targets by Moroccan authorities. The allegations were denied by the Moroccan authorities who labelled them ‘unfounded and false’. [link]
  • Various sources claimed that the government of Viktor Orban in Hungary authorised the use of Pegasus by Hungarian Intelligence and law enforcement services. The Orban government were accused of using it to spy on members of media as well as Hungarian opposition. [link][link]
  • In November 2021, Lajos Kosa, head of the parliamentary defence and law enforcement committee, acknowledged that the country’s Interior Ministry had purchased and used Pegasus. Kosa stated, ‘I don’t see anything objectionable in it’ and ‘Large tech companies carry out much broader monitoring of citizens than the Hungarian state does'. [link][link]
  • In 2021, phone numbers of Indian ministers, opposition leaders, ex-election commissioners and journalists were allegedly found by the Pegasus Project on a database of NSO hacking targets. Bhima Koregaon activists whose numbers appeared on the Pegasus surveillance list were also found to have had compromising data implanted on their computers through a hack. [link][link]
  • It was reported that the iPhones of four Jordanian human rights activists, lawyers and journalists were hacked by an NSO client. The Jordanian government denied involvement after being accused. Sources claim this occurred between 2019 and 2021. [link]
  • A list of 50,000 phone numbers of potential Pegasus surveillance targets was leaked. [link]
  • Evidence from July 2021 revealed that Morocco had allegedly targeted more than 6,000 Algerian phones, including those belonging to politicians and high-ranking military officials. [link]
  • In December 2021, Citizen Lab announced that Pegasus had been used against the lawyer Roman Giertych and the prosecutor Ewa Wrzosek. [link]
  • Ben Hubbard, a New York Times correspondent, revealed that Saudi Arabia had used Pegasus to hack his iPhone. Sources claim that the targeting occurred repeatedly between June 2018 and June 2021, and that the attacks used zero-click capabilities including the FORCEDENTRY exploit. Citizen Lab stated with ‘high confidence’ that the attacks were attempted using Pegasus. [link]
  • It was revealed that the smartphones of Prime Minister Pedro Sanchez and Defense Minister Margarita Robles were targeted in May 2021. [link]
  • In August 2021, at a time when Russian troops were amassing on the Ukrainian border, Israel rebuffed a request from Ukrainian delegation wishing to obtain access to Pegasus. [link]
  • On 24 September 2021, The Guardian came out with a report detailing how the telephone of Alaa al-Siddiq was infected with Pegasus for 5 years. [link]
  • An Investigation published in July 2021 stated that the United Arab Emirates used Pegasus to spy on members of the Yemeni government. [link]
  • In October 2021, the British High Court ruled that agents of Mohammed bin Rashid Al Maktoum used Pegasus to hack the phone of his ex-wife, personal assistant and two members of her security team. [link]
  • In December 2021, it was reported that Pegasus spyware was found on the iPhones of at least nine U.S State Department employees all whom were stationed in Uganda or worked on matters related to Uganda. [link]
  • Sources state that the Federal Bureau of Investigation allegedly decided against using any NSO spyware. [link]

2022

  • In January 2022, Bahrain was accused of using the Pegasus spyware to hack a human rights defender, Ebtisam al-Saegh. [link]
  • In January 2022, El Faro, a prominent El Salvadoran news outlet, revealed that most of its staff had had their phones infiltrated by Pegasus. [link]
  • In January 2022, Finnish foreign ministry reported that several phones of Finnish diplomats had been infected with the Pegasus spyware. [link]
  • In January 2022, it was reported that Pegasus was unlawfully used by the Israeli Police to monitor citizens, as well as foreign nationals who were accidentally or intentionally infected by the software. [link]
  • In August 2022, a British judge in London ruled that Ghanem Almasarir can sue Saudi Arabia over Pegasus hacking. [link]
  • In April 2022, Citizen Lab reported the widespread use of Pegasus against Catalan politicians and citizens. A total of 63 victims were identified with targets including elected officials. [link][link]
  • In May 2022, the Spanish Defense Minister confessed to the surveillance of 20 people involved in the Catalan independence movement. [link]
  • In 2022, sources revealed that a unit of Abu Dhabi’s Mubadala Investment Company, Mubadala Capital bought the NSO Group in 2019. [link]
  • In April 2022, Citizen Lab released a report stating that Downing Street staff had been targeted by Pegasus, and that the United Arab Emirates was suspected of engaging in the attacks in 2020 and 2021. [link]
  • In April 2022, according to two EU officials and documentation obtained by Reuters, the European Justice Commissioner Didier Reynders and other European Commission officials had been targeted by NSO’s software. [link]
  • On 26 January 2022, reports revealed that the mobile phone of Lama Fakih, a US-Lebanese citizen and director of crisis and conflict at Human Rights Watch, had been repeatedly hacked by a client of NSO Group. [link]

2023

  • On 07 March 2023, Recorded Future reported that two digital rights groups, Mexico's R3D and the University of Toronto’s Citizen Lab, had released an update to their “Ejército Espía” (“Spying Government”) report from October 2022. The report claimed that the Mexican army had purchased the Pegasus spyware and deployed it against at least two Mexican journalists and a human rights advocate between 2019 and 2021. [link]
  • On 18 April 2023, The Citizen Lab reported finding evidence that the NSO Group had been hired to use the exploit chains known as PWNYOURHOME, FINDMYPWN and LATENTIMAGE to deploy Pegasus spyware against human rights groups in Mexico, including Centro PRODH. The investigation by Citizen Lab led to the conclusion that in 2022, NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world. Following the report, Apple issued a HomeKit security update in iOS 16.3.1, and Citizen Lab recommended that high-risk users enable the iOS 16 feature known as “Lockdown Mode”. [link]
  • On 25 May 2023, Citizen Lab, along with other activist researchers, published reports on the use of Pegasus during and after the Nagorno-Karabakh conflict since 2020 [link] [link]. Mobile devices, all iPhones, were acquired for forensic analysis. Citizen Lab attributes the use of Pegasus to Azerbaijani government entities. Access Now notes that the Armenian government likely uses a different surveillance product, Cytrox Predator [link]. Two Pegasus operators (licences) were identified, with infrastructure dating back to 2018; Citizen Lab denoted these Bozbash and Yanar. The 12 targets were individuals working in the field of human rights, or associated with the UN, the media and further education. Exploit chains identified included the familiar FORCEDENTRY, PWNYOURHOME and FINDMYPWN, along with KISMET. These affect older iPhone versions, the familiar KISMET being a zero-click exploit in iMessage.

Pegasus is spyware developed by the Israeli cyber-arms company NSO Group and sold to governments around the world. The spyware can be installed covertly on mobile devices running iOS and Android and is able to compromise them using zero-click exploits. Pegasus can read text messages, track calls and a user’s location, and collect their passwords. The spyware can spy on the victim through the microphone and camera, and it is also able to harvest information from applications such as Facebook and Telegram. Pegasus was discovered in August 2016 after a failed installation attempt on a human rights activist’s phone, which led to an investigation into its abilities.

Pegasus uses ‘rooting’ and jailbreaking in order to gain root privileges on Android and iOS respectively. Both rely on exploiting a vulnerability in the mobile platform. The spyware can extract contacts, emails, phone records, files, location, passwords and process lists, and intercept calls and messages from various applications. Furthermore, the spyware has the functionality to self-destruct and remove evidence of its existence. Pegasus is built for the device architecture that the NSO Group client specifies, and is known to target Android, iOS, BlackBerry and Symbian based devices.

The spyware takes advantage of multiple vulnerabilities in the mobile devices:

Vulnerability | Description | CVSS (v3.0)
CVE-2016-4657 | WebKit in iOS before 9.3.5 allows remote attackers to execute arbitrary code. | 8.8
CVE-2016-1828 | The kernel in iOS before 9.3.2 allows attackers to execute arbitrary code in a privileged context via a crafted application. | 7.3
CVE-2016-4656 | The kernel in iOS allows attackers to execute arbitrary code in a privileged context via a crafted application. | 7.8
CVE-2016-4655 | The kernel in iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted application. | 5.5
CVE-2021-30860 | Processing a maliciously crafted PDF may lead to arbitrary code execution. | 7.8
CVE-2021-30858 | Processing maliciously crafted web content may lead to arbitrary code execution. This issue was fixed in iOS 14.8. | 7.8
CVE-2019-8646 | A remote attacker can leak memory due to an out-of-bounds read. This issue was fixed in iOS 12.4. | 7.5
CVE-2021-3377 | The npm package ‘ansi_up’ converts ANSI escape codes into HTML. In ‘ansi_up’ v4, ANSI escape codes can be used to create HTML hyperlinks. | 6.1

Once the spyware agent is installed, it works at the kernel level and hooks into various applications to spy on them. The spyware installs itself over the air (OTA), through push messages/notifications or through a social engineering message that tricks the user into clicking a URL that compromises the device. After successful installation, data such as audio files, audio recordings, application data and textual data like call history can be exfiltrated. Pegasus performs passive monitoring, active collection and data extraction, and can track the victim’s location, intercept calls, retrieve files, record through the victim’s microphone, capture the screen and take photos through the rear-facing camera.

On 5 August 2022, details and screenshots of a prototype version of Pegasus were leaked. The spyware’s presentation had been prepared for the newly appointed head of signals in the Israel Defense Forces cyber unit. The division had been separated from a wider intelligence unit and reported to the head of the investigations department at the time. The screenshots reveal the vast amount of control an operator has over the spyware. They were published by the Israeli newspaper Haaretz following an investigation by the country’s government. [link]


Targets

Targets consist of journalists, activists, academics, lawyers, politicians/government officials, businessmen, doctors, prosecutors, and friends and relatives of apparent people of interest to NSO clients. [link]

Protective Mechanisms

iOS

Pegasus uses various protection mechanisms to prevent its code from being exposed, to avoid suspicion and to remain stealthy on the victim’s device. Among other things, it constantly monitors the phone’s battery status, and it disables other access to the phone if the victim had previously jailbroken the device. The spyware contains a self-destruct mechanism that completely removes it. During stage 0x3, Pegasus ensures that the phone won’t receive auto-updates, checks whether it has previously been jailbroken, and uses ‘NoIdleSleepAssertion’ to disable the phone’s ‘Deep Sleep’ functionality in order to maintain its ability to run, communicate and monitor its own status.

Pegasus monitors the device’s current reachability to the internet, SIM and cell network information, call information, network notifications and battery life to determine the right time to send its data across a network. The spyware agent can self-destruct to ensure that the product is not discovered. When the software appears to be threatened, it removes its persistence mechanism by deleting ‘rtbuddyd’ and ‘apple.itunesstored.2.csstore’.

Android

Pegasus constantly checks whether the device has rebooted or is about to reboot, and is able to reboot itself when needed using its ‘reboot’ command. The Pegasus C2 server can issue a command for Pegasus to be deleted. If the spyware agent is unable to communicate with its C2 server for 60 days, or is unable to obtain a subscriber ID, it automatically deletes itself. Pegasus covers its tracks by deleting ‘ru8IPXbn’ from the browser history, using the items in ‘Browser;->BOOKMARKS_URI’ and ‘Browser;->HISTORY_PROJECTION’. Pegasus uses ‘getSettingsFromHistory’ to read the history and bookmarks for this purpose, and logs messages while deleting its browser history using ‘clearHistory’ and ‘removeHistoryByTime’.

During analysis, the spyware logged messages using the ‘Log.i’ method and parsed a configuration file named ‘/data/myappinfo’ or ‘/system/ttg’. Using the ‘csk’ binary’s parameters, the spyware looked for ‘cksb.dat’ in the ‘/data’ directory to determine whether the device had already been rooted. If the spyware finds a file named ‘/sdcard/MemosForNotes’, Pegasus starts a removal operation, logging the ‘removeApplication start’ message. The spyware finally removes all files in the ‘/data/local/tmp/ktmu’ directory.

When the spyware’s self-destruct functionality is active and its conditions, such as the expected mobile carrier, are not met, the spyware sets an environment variable using ‘export LD_LIBRARY_PATH=/vendor/lib:/system/lib’. Pegasus then remounts the system partition read-write using ‘mount -o remount,rw /dev/null /system;’. The spyware stops itself using ‘force-stop com.network.android’ and disables itself using ‘disable com.network.android’. It is then uninstalled using ‘pm uninstall com.network.android’ and its configuration is removed using ‘rm /system/ttg;’. Lastly, Pegasus runs ‘chmod 777 /systemcsk; rm /system/csk’, which deletes the binary that granted the application ‘sudo’ capabilities.

T1400: Modify System Partition

Pegasus protects itself by deleting various files during communication with its C2 server. Once Pegasus receives updates via ‘upgradeCmd’, files such as ‘uglmt.dat’, ‘cuvmnr.dat’ and ‘zero.mp3’ are deleted using the ‘File.delete’ function. The ‘SharedPreferences.Editor.clear’ function is used to clear configuration data, including ‘NetworkPreferences’, ‘NetworkWindowAddresses’ and ‘NetworkDataList’, when exfiltrating information. While receiving communications from the C2 server, the spyware checks that commands are authentic by computing an MD5 digest on receipt. If the received communication does not match its usual operations, Pegasus changes its Boolean values and the command is not added to the command queue.

Pegasus checks whether the phone is roaming using ‘isNetworkRoaming’; if the device is roaming, the ‘romingSetted’ configuration value is disabled and the spyware will no longer receive commands through any of its communication channels. During HTTP communications, the operators can send the intent ‘KILL’, which is received by a ‘PendingIntent’ object. This broadcasts and schedules a countdown that starts the self-deletion process on the Android device. Pegasus makes sure that the user cannot cancel a live surveillance operation by detecting whether the phone’s screen is locked using the ‘inKeyguardRestrictedInputMode’ function.

Persistence Techniques

iOS

Pegasus uses a tool called ‘jsc’ that is part of the iOS environment. Using ‘jsc’, the spyware triggers a memory corruption that allows Pegasus to escalate its privileges. The daemon ‘rtbuddyd’ is replaced by a copy of the signed ‘jsc’ binary. On reboot, ‘rtbuddyd’ runs with the parameter ‘--early-boot’, which is linked to ‘com.apple.itunesstored.2.csstore’, allowing Pegasus to re-exploit the kernel each time the system reboots and to start its various daemons. The ‘jsc’ script run with the ‘--early-boot’ parameter executes the exploit for CVE-2016-4657 and activates ‘systemd’ and ‘watchdogd’ within the ‘/private/var/root’ directory, thereby making Pegasus persistent.

T1645: Compromise Client Software Binary

Android

Pegasus constantly checks when the device last rebooted or whether it is about to restart, so that it can reload its persistence mechanism. Pegasus uses ‘runProcess cmd=’ to run commands as root through the ‘/system/csk’ binary. It reads ‘packageVersion’ and ‘vulnarbilityIndicator’ using ‘readSettingsFromBHFile’, then copies ‘cksnb.dat’ to ‘/data/data/com.network.android/output.mp3’. There are also indications that the spyware prints ‘copy vulnerability failed. returning false’ if this step fails. The copied MP3 file exploits a vulnerability in the Android media player.

T1404: Exploit OS Vulnerability

Network Behaviour

iOS

The software has multiple stealth communication channels, such as SMS. Pegasus uses SMS to update the C2 servers it communicates with, using various message formats such as the fake Google password reset shown below:

Your Google verification code is:5678429\n

http://gmail.com/?z=FEcCAA==&i=MtphYWxhYW4udHY6NDQzLDE6bWFubJhb25saW51Lm51dDo0NDM=&s=zpvzPSYS674=

The message contains an instruction for Pegasus to update its C2 server. The last digit of the verification code is the instruction ID; here it is 9, which means ‘update C2 server’. Some text messages instead simulate two-factor authentication messages from services such as Evernote or Facebook.

Suspicious redirects were saved in Safari’s browser history on some devices infected with Pegasus. These are the URLs from those devices:

  • http[://]yahoo[.]fr/
  • https[://]bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz
  • https[://]gnyjv1xltx.info8fvhgl3.urlpush[.]net:30875/zrnv5revj

The URL beginning with “bun54” resembles the random URI-like links contained in SMS messages and was visited after a redirection from Yahoo. According to Amnesty International, these redirections are the result of network injection attacks performed through tactical devices such as rogue cell towers, or through dedicated equipment placed at the mobile operator. Amnesty International also stated that it found similar records involving this domain when analysing the iPhone of the Moroccan journalist Omar Radi. [link]

In November 2019, the domain “urlpush[.]net” was registered and was used for similar Pegasus redirects. The Pegasus spyware deletes all traces of browsing history, including these redirections. However, visits to the domains can still be identified through Safari’s ‘Favicon.db’ database, which Pegasus does not delete. According to a Technical Appendix from Amnesty International, the redirects also occur when browsing from other applications such as Twitter. The attack pattern used against Omar Radi indicated that previewing a link shared on his Twitter timeline invoked the service ‘com.apple.SafariViewService’, which loaded a Safari WebView in which the redirect occurred.

Safari’s Session Resource logs provide artefacts showing that multiple domains are used as trampolines that eventually lead to the infection servers. For example, a user could navigate to ‘yahoo[.]fr’, which leads the browser to ‘documentpro[.]org’ and then to ‘free247downloads[.]com', which performs the exploit against the device.

The network injection attacks used by Pegasus against a given victim ultimately use the same redirect destination. However, the destinations that perform the exploit normally vary from target to target.

iOS also maintains records of process execution and network usage in ‘DataUsage.sqlite’ and ‘netusage.sqlite’. Within the network usage database, the execution of ‘bh’, which is used for the ‘jsc’ vulnerability, is evident. The library ‘bh.c’ is used to load the API functions relating to the decompression of the next payload downloaded by Pegasus. Amnesty International suspects that ‘bh’ stands for ‘BridgeHead’, given the evident purpose of the BridgeHead module. In some cases, Pegasus runs the ‘msgacntd’ and ‘roleaboutd’ processes, which are loaded after the BridgeHead payload has successfully exploited the device and escalated privileges.

When a French human rights lawyer was targeted with Pegasus, the spyware executed ‘mptbd’ after the ‘bh’ process, which itself ran after the iOS Photos application. Two months later, in December 2019, a device was infected with the same network activity from the iOS Photos application; in this instance, however, Pegasus executed ‘ckeblld’ instead of ‘mptbd’. A similar pattern occurred in May 2020 against a French journalist. From this evidence we can conclude that, after successful compromise, Pegasus launches additional processes with names such as ‘mptbd’, ‘fservernetd’, ‘ckeblld’ and ‘ckkeyrollfd’ before the ‘bh’ process.
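As an added example (not code from this page, from Amnesty International or from any of the reports it draws on), the following Python applies the process names above as a detection over a DataUsage.sqlite-style table, and records which process first appeared just before each hit so that the Photos, ‘bh’, ‘mptbd’ sequence is visible. The ZPROCESS schema is a simplified assumption and every row is constructed; against a real device the same query would run over the database pulled from a backup.

```python
import sqlite3
from datetime import datetime, timezone

# Process names that the text above associates with Pegasus on iOS:
# 'bh' is the BridgeHead stage; the others are launched around it.
PEGASUS_PROCESS_NAMES = {
    "bh", "msgacntd", "roleaboutd", "mptbd",
    "fservernetd", "ckeblld", "ckkeyrollfd",
}

# Core Data stores timestamps as seconds since 2001-01-01 UTC.
CORE_DATA_EPOCH_OFFSET = 978307200


def build_sample_db():
    """Build an in-memory stand-in for DataUsage.sqlite.

    Assumption: a ZPROCESS table holding a process name, an optional bundle
    name and Core Data first/last-seen timestamps. All rows are constructed
    for this example and do not come from any real device.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP REAL, "
        "ZTIMESTAMP REAL, ZBUNDLENAME TEXT, ZPROCNAME TEXT)"
    )
    rows = [
        (1, 600000000.0, 600000100.0, "com.apple.mobilesafari", "MobileSafari"),
        (2, 600000200.0, 600000300.0, "com.apple.mobileslideshow", "Photos"),
        (3, 600000310.0, 600000320.0, None, "bh"),      # BridgeHead stage
        (4, 600000330.0, 600000400.0, None, "mptbd"),   # follow-on stage
        (5, 600001000.0, 600002000.0, "com.apple.mobilemail", "MobileMail"),
    ]
    conn.executemany("INSERT INTO ZPROCESS VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def core_data_to_iso(ts):
    """Convert a Core Data timestamp to an ISO-8601 UTC string."""
    unix_ts = ts + CORE_DATA_EPOCH_OFFSET
    return datetime.fromtimestamp(unix_ts, tz=timezone.utc).isoformat()


def find_suspicious_processes(conn):
    """Return ZPROCESS rows whose name is a known Pegasus process name.

    Rows are walked in first-seen order, and each hit records the process
    that appeared immediately before it, which is what an analyst needs to
    reconstruct the launch chain described in the text.
    """
    rows = conn.execute(
        "SELECT ZFIRSTTIMESTAMP, ZTIMESTAMP, ZBUNDLENAME, ZPROCNAME "
        "FROM ZPROCESS ORDER BY ZFIRSTTIMESTAMP"
    ).fetchall()
    hits = []
    previous_name = None
    for first_ts, last_ts, bundle, name in rows:
        if name in PEGASUS_PROCESS_NAMES:
            hits.append({
                "name": name,
                "bundle": bundle,   # Pegasus stages carry no bundle identifier
                "first_seen": core_data_to_iso(first_ts),
                "last_seen": core_data_to_iso(last_ts),
                "preceded_by": previous_name,
            })
        previous_name = name
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_processes(build_sample_db()):
        print(hit)
```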

In 2019, a zero-click zero-day was used for network injection. Forensic evidence from records extracted from a French and a Hungarian journalist’s devices suggests that Pegasus performs iMessage account lookups. These iMessage lookups were followed by the execution of suspicious processes, and the corresponding email address records in the ID Status Cache file often contained two bytes of 0x00 padding.

Amnesty International stated they found an iCloud account ‘bogaardlisa803[@]gmail.com’, recorded as linked to the ‘com.apple.private.alloy.photostream’ service. Amnesty International said that it is likely the iCloud accounts are the central delivery of multiple ‘zero-click’ attack vectors in many recent cases.

In 2021, Amnesty International identified another case where network traffic was recorded for the Apple Music service. The HTTP requests were recorded from the network cache, but they were unable to identify if Apple Music itself was exploited to deliver the infection or if the application was abused as part of privilege escalation.

Android

Pegasus uses the same technique as the iOS version, where a URL is retrieved through SMS. The spyware adds ‘SessionId1’, the token stored on the Android device, and ‘SessionId2’, the AES key used to encrypt the data exfiltrated to the C2 server. Both parameters are added to the HTTP request sent to the C2 server. The HTTP response from the C2 server is parsed; the server responds with one of four specified functions, such as ‘dumpCmd’.

Pegasus can receive commands in SMS messages that are disguised as Google authentication codes. In the Android version it gets the index of the message and reads the command from the ‘s=’ parameter after searching for a string containing ‘your google verification code’. The spyware uses the ‘addCommandToQueue’ function to extract the fields from a command and add it to its command queue. Pegasus can send a request to a C2 server to ask for new commands: it sets its intent to ‘httpPing’ and performs a broadcast. The spyware extracts the current location of the device, the name of the operator, the GSM cell ID, the IMEI, the IMSI and the GSM location area code.

Pegasus can obtain a ‘subscriberId’, which is eventually verified based on its length. The spyware uses ‘SMSManager.getDefault’ to create the ‘SMS_SENT’ and ‘SMS_DELIVERED’ intents, which are sent using ‘getBroadcast’ during communications. Pegasus can select the type of communication it uses, whether HTTP, SMS or MQTT, and can receive commands from any of these channels depending on the environment or the configuration set.

T1438: Alternate Network Mediums

During SMS communications, the spyware sends outbound SMS messages to ‘WindowTargetSMS’, which can happen even when the malware has no internet access. SMS messages sent to ‘WindowsTargetSMS’ are hidden from the user; an example is shown below:

IMSI:1
IMEI:0000000000000000
Cell:0
Area:0
Country:310260
Op:0000000005
ack_id WOEzpVjhM6kAAAAAAAAAADYcAAAAAQAAAAY=

The SMS is sent using the ‘sendTextMessage’ method and its delivery is verified using the ‘getResultCode’ method. Throughout this process the spyware logs the number of times it sends the SMS using the ‘Log.i’ method. When Pegasus receives the ‘KILL’ intent from the C2 server it creates a ‘HandlerThread’ which performs the self-deletion process. The spyware chooses between SMS and HTTP communication depending on whether its parameter is set to ‘0’ or ‘1’.
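The two SMS shapes described above (the hidden beacon with IMSI/IMEI/Cell/Area/Country/Op/ack_id fields, and commands disguised as Google verification codes carrying an ‘s=’ parameter) can be recognised in an SMS export. The following is an added detection example, not code from the original post; it assumes that ‘Country’ holds an MCC+MNC pair and that ‘ack_id’ is base64, both inferred from the sample message above rather than stated in the analysis.

```python
import re

# Layout of the hidden beacon SMS shown above. That 'Country' carries an
# MCC+MNC pair (310 260 in the sample) and that 'ack_id' is base64 are
# inferences from the sample, not facts stated in the analysis.
BEACON_FIELDS = ("IMSI", "IMEI", "Cell", "Area", "Country", "Op")
BEACON_LINE = re.compile(r"^(IMSI|IMEI|Cell|Area|Country|Op):(\S*)$")
ACK_LINE = re.compile(r"^ack_id\s+([A-Za-z0-9+/]+={0,2})$")

# Command SMS are disguised as Google verification codes and carry the
# command in an 's=' parameter (described above).
FAKE_CODE = re.compile(r"your google verification code", re.IGNORECASE)
CMD_PARAM = re.compile(r"(?:^|[?&\s])s=([^&\s]+)")


def parse_beacon(text: str):
    """Return the beacon fields as a dict, or None if text is not a beacon."""
    fields, ack = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BEACON_LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
            continue
        m = ACK_LINE.match(line)
        if m:
            ack = m.group(1)
            continue
        return None  # any other line means this is ordinary SMS text
    if set(fields) != set(BEACON_FIELDS) or ack is None:
        return None
    fields["ack_id"] = ack
    # Assumed PLMN split: the first three digits are the mobile country code.
    fields["mcc"], fields["mnc"] = fields["Country"][:3], fields["Country"][3:]
    return fields


def classify_sms(text: str):
    """Label one SMS body as 'beacon', 'disguised_command' or 'benign'."""
    beacon = parse_beacon(text)
    if beacon is not None:
        return "beacon", beacon
    if FAKE_CODE.search(text):
        m = CMD_PARAM.search(text)
        if m:
            return "disguised_command", {"s": m.group(1)}
    return "benign", None


# Constructed sample messages for a stand-alone run. The beacon reuses the
# field values shown above; the other two bodies are made up for this example.
SAMPLES = {
    "beacon": "IMSI:1\nIMEI:0000000000000000\nCell:0\nArea:0\nCountry:310260\n"
              "Op:0000000005\nack_id WOEzpVjhM6kAAAAAAAAAADYcAAAAAQAAAAY=",
    "real_code": "G-482913 is your Google verification code.",
    "fake_code": "Your Google verification code is 482913 s=cGluZw==",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", classify_sms(body)[0])
```

A genuine Google code without an ‘s=’ parameter stays benign, so the lure text alone is not enough to trigger the rule.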

Pegasus creates a ‘handler’ object and calls the ‘postDelayed’ function with a delay of 5 seconds. Its communications are encrypted using AES before being sent to the C2 server in the HTTP request. Some of the commands the spyware receives can modify its configuration: the configuration options ‘adrate’ and ‘adlocation’ determine whether the malware starts its location monitoring functionality. A command sent to Pegasus can change the SMS number used for outbound SMS communications, and the same command can be used to enable its audio surveillance functionality.

The spyware can receive other commands that take photos of the victim through the rear-facing camera, request the upload of a file from a directory on the device, toggle the call recording feature, or trigger a request to fetch new commands over HTTP. After a recording or image is captured, Pegasus requests its upload to the C2 server. Pegasus can also take advantage of WAP messages to automatically open a link in the device’s browser and load content without user interaction. Once that functionality is enabled, Pegasus changes the device’s WAP settings to enable push messages, using the settings change shown below:

.replaceAll("\"pref_key_enable_push_message\" value=\"false\"", "\"pref_key_enable_push_message\" value=\"true\"");

A command can be sent from the C2 server that specifies a directory or file to be exfiltrated; the spyware receives this information through URL parameters such as ‘f=’ and ‘p=’. The specified data is exfiltrated after the program’s intent is set to ‘BroadcastReceivers’. A command can also be sent to the spyware from the C2 server that enables its call recording and audio surveillance if certain conditions are met, in which case the C2 server sends a command that sets its ‘windows canada’ configuration to true.

T1402: Broadcast Receivers

T1422: System Network Configuration Discovery

Pegasus can receive a command that allows the attacker to specify a directory to exfiltrate. During this process, the spyware creates a directory called ‘/data/data/com.network.android/chnkr/’ using the ‘mkdirs’ function. The file specified by the operator is copied to the ‘/chnkr’ directory. The malware then sets its intent to ‘BroadcastReceivers’ to send the data to the C2 server. The C2 operator can enable Live Audio Surveillance if the phone receives a call from the attacker’s number, which allows capture of audio through the device’s microphone. The phone’s screen must be off, which the spyware detects with the ‘isScreenOn’ method.

Lastly, during these communications, the spyware can exfiltrate call logs if its ‘romingSetted’ configuration is set to true. This setting controls how the phone communicates with the C2 server when the device is roaming.

Other Technical Details

iOS

In the iOS version of Pegasus, the attack starts with a URL sent through SMS, email, social media or any other messaging channel to an identified target. Once this URL is clicked, the software exploits and remotely jailbreaks the device, then installs software packages. These packages install applications which are used to collect data, spy on the user and exfiltrate messages, calls, logs and information from various applications.

T1644: Out of Band Data

The applications include Facebook, Line, Mail.Ru, WeChat, Surespot, Tango, VK, WhatsApp, Viber, Skype, Facetime, Telegram and KakaoTalk. The software also reports back what the user does on the device.

Pegasus also compromises preinstalled applications such as Calendar and official Apple applications from the App Store. It achieves this by using a jailbreak technique called hooking, which injects dynamic libraries into legitimate iOS processes using Cydia. The malware spies on phone calls, call logs, SMS messages, and audio and video communications.

The spyware has a modular and extensible audio and messaging interception library which intercepts the communications of every application running on iOS. The ‘libaudio’ library registers several notification observers that record audio when fired. These observers listen for notifications from the WhatsApp and Viber modules.

T1409: Stored Application Data

T1636: Protected User Data

Pegasus also has access to accounts owned by the target, such as banking, email and other services the target uses. The spyware uses three stages to perform these actions. Stage 0x1 takes advantage of the WebKit vulnerability in Safari which has been assigned CVE-2016-4657.

T1456: Drive-By Compromise

During stage 0x2, obfuscated, key-encrypted packages are downloaded. These packages use a unique key to make it harder for network-based controls to detect the traffic. The packages contain the exploits for the iOS kernel and the loader which downloads and decrypts the packages for stage 0x3. Furthermore, the exploit removes ‘/etc/nfs.conf’ which triggers the jailbreak loader ‘/sbin/mount_ntf

During stage 0x3, Pegasus installs hooks into the applications the attacker wishes to spy on, detects whether the device has previously been jailbroken, and removes any ‘root’ permissions the user may have. Once stage 0x3 is unpacked, Pegasus replaces the system daemon ‘rtbuddyd’ with a copy of the ‘jsc’ binary, which creates a link to a script similar to the CVE-2016-4657 exploit.

The iOS kernel exploit takes advantage of CVE-2016-4655 and CVE-2016-4656 and contains a failsafe to remove itself if environment conditions are not met.

During stage 0x3, ‘test2222.rar’ contains several files, which are used depending on the objectives of the attacker and the variant. Identified files include:

  • ‘ca.crt’: Certificate that includes the iOS keystore.
  • ‘com.apple.itunesstored.2.cssstore’: JavaScript run from the command line at reboot, used to run unsigned code and jailbreak the kernel on device reboot.
  • ‘converter’: Injects a ‘dylib’ into a process based on its ‘pid’.
  • ‘libaudio.dylib’: The base library used for call recording.
  • ‘libimo.dylib’: Imo.im sniffer library.
  • ‘libwacalls.dylib’: WhatsApp sniffer.
  • ‘libvbcalls.dylib’: Viber sniffer.
  • ‘lw-install’: Spawns all the sniffing services.
  • ‘system’: Reports and sends files to the C2 server.

According to Citizen Lab, artifacts left behind in some variants of Pegasus show that this attack worked from iOS 7.0 up to 9.3.4. They also note that Pegasus is well designed in terms of efficiency, and that the kernel exploits consult Magic Tables for each platform to work out the device’s version and model. Furthermore, Citizen Lab states that there is evidence of robust quality assurance processes during Pegasus’s development, since the malware contains debugging and QA-specific functions that are normally only found in enterprise-class software.

T1426: System Information Discovery

Each function location is memory mapped, and the code is modular, using naming conventions similar to libraries that already exist on the device in order to blend in. During exploitation the jailbreak is tethered/persisted by disabling kernel security protections, including code signing, and remounting the system partition. The Safari cache is also wiped to cover their tracks.

The main payload is installed by running ‘lw-install’, which runs ‘/sbin/launchctl load’ on ‘.plist’ files dropped in ‘/Library/LaunchDaemons’. These files include ‘/sbin/mount_nfs’, ‘/private/var/mobile/Library/Preferences/com.apple.notes.objectcreation.lock’ and ‘/private/var/mobile/Library/Preferences/SBShutdownCookie’. ‘lw-install’ exports ‘_get_ps’ and ‘_run_process’, which are eventually used for process management.

T1404: Exploitation for Privilege Escalation

The ‘systemd’ process grabs each VCAL file from the calendar and sends it through a message. The software gathers contacts from the system and dumps the victim’s entire address book. Pegasus constantly updates and sends the location of the phone to the C2 server. Furthermore, Pegasus can also capture the user’s passwords using the ‘objc_enumerationMutation(v45);’ function.

T1430: Location Tracking

T1636.003: Protected User Data: Contact List

Pegasus also steals the victim’s Wi-Fi and router passwords by grabbing the SSIDs and WEP/WAP keys of each Wi-Fi network the target connects to.

T1421: System Network Connections Discovery

Pegasus can intercept calls from chat messengers by injecting its libraries into their process space dynamically at run time using the ‘converter’ binary. The converter binary is based on ‘cynject.cpp’, an open-source library used for homebrew applications. The spyware can pull data about calls out of the Skype database on the device, save any calls that Skype has previously recorded, and obtain and dump the Telegram database on the device.

Pegasus is able to intercept WhatsApp messages and calls by listening for notification IDs which are sent from ‘libwacalls’ and handled by ‘libaudio.dylib’. ‘libaudio’ saves audio recordings of WhatsApp calls in the directory ‘/private/var/tmp/cr/’. ‘libwacalls’ checks whether Cydia Substrate exists in order to load and link ‘/usr/lib/libdata.dylib’. If this check returns false, ‘libwacalls’ exits. If it returns true, ‘libwacalls’ hooks the ‘CallManager’ and ‘CallLogger’ classes using the following methods:

  • _CallManager_setCallConnected_hook
  • _CallManager_setCallInterrupted_hook
  • _CallManager_setCallInterruptedByPeer_hook
  • _CallManager_endCall_hook
  • _WACallLogger_addCallEvent_hook

T1429: Capture Audio

These methods allow Pegasus to determine whether the call is held, connected or ended, along with other information about the call such as its ‘peerjid’ object. The spyware obtains information from Viber using the ‘libvbcalls’ library, which hooks into Viber in a similar fashion to WhatsApp. The audio recordings are saved in the same directory, ‘/private/var/tmp/cr/’, using the same mechanism.

Android

Pegasus’s configuration shows that the malware retrieves a URL that has multiple parameters. The configuration is downloaded using ‘rU8IPXbn’, which is the location of the C2 URL, and saved within the browser history. The library takes a ‘pid’ as an argument and injects a ‘dylib’ into a running process using Mach kernel APIs.

The configuration is eventually saved within a file named ‘NetworkPreferences’, accessible using the Android API. Pegasus can retrieve its configuration from the URL; the URL’s parameters are base64 encoded and are decoded by the spyware. The ‘t=’ parameter carries the token, which is extracted from the URL and base64 decoded. The spyware uses regex to extract the information it needs, including the C2 servers, IP address and token, from the URL. Pegasus uses ‘getUrlInstallationKeyNew ip:’ and ‘getUrlInstallationKeyNew token: ‘ for this functionality. Pegasus eventually calls a function that deletes the URL from the browser history.

The spyware reads URL parameters such as ‘&c’, ‘&a’, ‘&b’, ‘&r’ and ‘&d’. These parameters provide the spyware with channels of communication from the C2, and the spyware determines its goal based on them. For example, ‘&d’ and ‘&r’ are used for the ‘userNetwork’ configuration to work out the mobile country code. Pegasus also checks that the token and target URL are valid using ‘getSettingFromBH’ and ‘isValidSettings’.

The mobile country code in ‘userNetwork’ is checked to determine whether the victim’s device is roaming. Three digits of the mobile country code are compared against the values from the configuration when Pegasus retrieves it from the URL. The mobile country code is then used to generate a ‘subscriberId’ using the ‘getSubscriberID()’ method. The ‘getSubscriberId’ function obtains the ‘subscriberId’ for when the malware receives the ‘KILL’ intent from a C2 server, which wipes Pegasus from the device when the attacker needs this functionality.

Pegasus targets Facebook and makes all its database files accessible to everyone by setting the file permissions to ‘777’ using ‘chmod’, a command used to change the permissions of a file or directory. Pegasus can do this because of the root permissions it gained by taking advantage of ‘csk’. Pegasus executes a SQL query which gathers the message ID, thread, timestamp, sender, group participants and group channel from Facebook:

SELECT messages.msg_id, messages.thread_id, messages.timestamp_ms, messages.text, messages.sender, threads.participants from messages INNER JOIN threads ON messages.thread_id=threads.thread_id

Pegasus uses the ‘chmod 777’ command on all Kakao application database files, then executes the following SQL query:

SELECT chat_logs.id, chat_logs.chat_id, chat_logs.created_at, chat_logs.message, chat_logs.user_id, chat_logs.type, c.members FROM chat_logs JOIN chat_rooms c ON chat_logs.chat_id=c.id

Pegasus performs the same actions, setting the permissions using ‘chmod 777’ and executing a SQL query, for Skype, Twitter, Viber, WhatsApp, Gmail and the default applications within the Android operating system.

The spyware takes advantage of the Gmail application by executing its SQL queries within ‘/data/data/com.google.android.gm/databases/EmailProvider.db’ using the following queries:

  • select * from messages
  • select * from Message
  • select _id from messages order by _id desc limit 1
  • select _id from Message order by _id desc limit 1

Pegasus steals the passwords and data from the Android native browser by setting its permissions to ‘777’ using ‘chmod’ and executing the SQL query ‘select * from password’. The spyware collects information from the calendar by extracting calendar events and adding them to an ‘XmlSerializer’ object; it collects the ‘calendarEntry’, ‘recordId’, ‘timestamp’ and other fields. Pegasus uses the ‘getSystemService’ function to obtain location data from the network provider, depending on the command received from the C2 server.

T1409: Access Stored Application Data

The spyware has four main commands from its C2 server that tell Pegasus what actions to perform. The ‘emailAttCmd’ command extracts an email attachment that the C2 server can specify. The malware creates a database that stores the email attachment’s name and path in the table ‘NetworkData’.

Pegasus uses the ‘camCmd’ command to capture a screenshot of the screen and save it within the ‘/data/data/com.network.android/’ directory. It can read the screen content by reading the framebuffer device at ‘/dev/graphics/fb0’. Pegasus also uses the ‘/system/bin/screencap -p’ binary to take screenshots.

T1512: Capture Camera

Pegasus is also able to take pictures using the front or back camera on the device by calling the ‘getParameters’ and ‘getPreviewFormat’ functions. The pictures are saved in a logical format depending on whether the picture was taken with the front or back camera. Screenshots are saved in a similar format, and each capture includes a timestamp; the format is shown below:

<Front/Back/Screenshot>-res<String>-<timestamp>.jpg

Pegasus uses the ‘dumpCmd’ command to extract SMS messages from ‘content://sms/sent’ and ‘content://sms/inbox’. Additionally, the spyware extracts the call logs from ‘CallLog.Calls.CONTENT_URI’ and contacts from ‘Contacts.CONTENT__UCARD__URI;’, and obtains a list of processes running on the device using ‘getRunningAppProcesses’.

Pegasus uses the ‘upgradeCmd’ command to receive updates, which are loaded from the ‘/data/com.network.android/upgrade/’ directory. If the location monitoring functionality is stopped, Pegasus sets its intent to ‘finishLocationMonitor’ and calls ‘alarmManager.cancel’.

The spyware must meet certain conditions for its Live Audio Surveillance capability to function: call forwarding must be disabled, the microphone must not be in use, no wired headset may be connected to the phone, no Bluetooth devices may be connected, and the phone must not be roaming. A device infected with Pegasus also checks whether music is actively playing before enabling its audio capture functionality.

Pegasus can log the user’s keystrokes using ‘GetKeyboard’ and ‘readKeyboard’ from the ‘libk’ binary, which is copied into ‘/data/local/tmp/’ as ‘libuml.so’. The keystrokes are stored within the ‘/data/local/tmp/ktmu’ directory in a file named ‘ulmndd.tmp’ and exfiltrated using ‘XmlSerializer’ objects.

T1056.001 Keylogging
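The Android artifacts described above (application databases left world-writable by ‘chmod 777’, the ‘com.network.android’ package directory and its capture files named ‘<Front/Back/Screenshot>-res<String>-<timestamp>.jpg’, and the keylogger files under ‘/data/local/tmp/’) can be swept for in an extracted ‘/data’ tree. The following forensic triage script is an added example, not code from the original post; it assumes the resolution string in capture names contains no ‘-’, and the Facebook package name ‘com.facebook.katana’ and database file ‘fb.db’ in the sample tree are constructed.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Indicators taken from the analysis above: the package directory
# 'com.network.android', the keylogger drop names and the 'chnkr' staging
# directory. This lookup set is constructed for the example.
ARTIFACT_PATHS = {
    "data/data/com.network.android/chnkr",
    "data/local/tmp/libuml.so",
    "data/local/tmp/ktmu",
    "data/local/tmp/ktmu/ulmndd.tmp",
}

# Capture naming scheme from the text: <Front/Back/Screenshot>-res<String>-<timestamp>.jpg
# (assumes the resolution string contains no '-' and the timestamp is digits only).
CAPTURE_NAME = re.compile(r"^(Front|Back|Screenshot)-res[^-]+-\d+\.jpg$")


def is_world_writable(path: Path) -> bool:
    """True when 'others' hold write permission, i.e. the chmod 777 pattern."""
    return bool(path.stat().st_mode & stat.S_IWOTH)


def triage_android_tree(root: str) -> dict:
    """Walk an extracted /data tree and return sorted relative paths in three buckets."""
    root_path = Path(root)
    findings = {"world_writable_db": [], "artifact_path": [], "capture_file": []}
    for dirpath, dirnames, filenames in os.walk(root_path):
        for name in dirnames + filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root_path).as_posix()
            if rel in ARTIFACT_PATHS:
                findings["artifact_path"].append(rel)
            if not full.is_file():
                continue
            # App SQLite databases live in data/data/<package>/databases/;
            # a world-writable file there matches the tampering described above.
            if "/databases/" in "/" + rel and is_world_writable(full):
                findings["world_writable_db"].append(rel)
            if CAPTURE_NAME.match(name):
                findings["capture_file"].append(rel)
    return {key: sorted(paths) for key, paths in findings.items()}


def build_sample_tree() -> str:
    """Create a small constructed /data tree in a temp dir (not a real image)."""
    root = Path(tempfile.mkdtemp(prefix="pegasus-triage-"))

    def touch(rel: str, mode: int = 0o600) -> None:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")
        target.chmod(mode)

    touch("data/data/com.facebook.katana/databases/fb.db", 0o777)  # tampered
    touch("data/data/com.google.android.gm/databases/EmailProvider.db", 0o660)
    touch("data/data/com.network.android/Front-res640x480-1626000000.jpg")
    touch("data/local/tmp/libuml.so", 0o755)
    touch("data/local/tmp/ktmu/ulmndd.tmp")
    return str(root)


if __name__ == "__main__":
    for bucket, paths in triage_android_tree(build_sample_tree()).items():
        print(bucket, paths)
```

On a real image, point ‘triage_android_tree’ at the directory that contains the extracted ‘data/’ tree; an untouched Gmail database with its normal mode is not reported, so the world-writable check isolates the tampered files.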

This post is licensed under CC BY 4.0 by the author.