Pegasus is spyware developed by the Israeli cyber-arms firm NSO Group and marketed to governments as a tool for terrorism prevention and criminal investigation. It can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android.
The NSO Group is a private Israeli cyberweapons firm based in Herzliya, near Tel Aviv, founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio. As of 2017, it employed almost 500 people and reported a 2020 EBITDA of USD 99 million that accounted for nearly 40% of revenue.
As revealed by the 2021 Pegasus Project, the then-current version of Pegasus could exploit the latest releases of iOS, up to iOS 14.6. Pegasus captures keystrokes (text messages, emails, web searches), tracks calls, and takes over the phone's microphone and camera, turning the device into a constant surveillance tool.
Pegasus has been described as one of the most sophisticated phone-hacking tools available, and it has been used many times. NSO states that it sells only to governments and that it is not responsible for how those customers use the product. The owner of an infected phone gets no indication that the device has been compromised. Once installed, Pegasus can read data from any app on the device, including WhatsApp.
Allegations of Pegasus misuse have been raised since 2016, when spear-phishing was used to deploy the tool. In 2019, Facebook sued NSO Group, alleging that it had abused WhatsApp's servers to deploy Pegasus on about 1,400 phones belonging to journalists, diplomats, human-rights activists, senior government officials and others. The lawsuit does not claim that the malware broke WhatsApp's end-to-end encryption: it infected the recipients' phones, giving NSO access to messages after they had been decrypted on the device. Governments reported to have used Pegasus include Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco and Saudi Arabia.
Technical Analysis of Pegasus
The Pegasus surveillance solution offers advanced features for sophisticated intelligence gathering from the following target endpoints and devices:
Android
iOS
Blackberry
Symbian based devices
Capabilities
Pegasus has the following features:
Extraction of contacts, emails, photos, files, locations, passwords and running processes, plus interception of calls and messages.
A self-destruct mechanism that removes the agent from the target device so that no evidence remains.
Events attributed to the NSO Group in the past
Following are a few events related to the Pegasus malware in the past:
In previous campaigns, Pegasus was known to deploy surveillance agents on mobile devices via exploit chains.
Attack Methodology :
2014 – 2018
In 2016, researchers captured the earliest known version of Pegasus. It was delivered by spear-phishing: an attack that lures the victim into clicking a malicious link sent by text message or email.
In August 2018 the NSO infrastructure used in these SMS-based attacks was observed going offline; in September 2018 the injection domain free247downloads{.}com was registered.
Phase 1 (malicious link and initial exploitation): an Enhanced Social Engineering Message (ESEM) lets operators send malicious links to their victims. As soon as the link is opened, a browser vulnerability is exploited to gain code execution on the device.
Phase 2: The second stage of the attack (jailbreaking and agent deployment) involves gaining complete control over the device through kernel exploits (jailbreaking). To deploy surveillance modules, kernel-level persistence must be obtained first. “Application hooks” are then installed on jailbroken devices by the agent. These hooks allow the agent to spy on a variety of applications installed on the device.
Phase 3: the agent downloads the libraries that perform the monitoring. These libraries hook and sniff applications such as WhatsApp and Viber, record calls, and capture from the camera and microphone.
2018 – Present
Until early 2018, NSO Group's customers reached their targets primarily through SMS and WhatsApp messages carrying malicious links that, when clicked, exploited and infected the device.
After the Trident exploit chain, NSO moved to multiple zero-day and "zero-click" exploits that install Pegasus without any user interaction.
Zero-click exploits have been observed against iMessage, iCloud Photo Stream and WhatsApp. According to Facebook, around 1,400 people were affected by NSO Group spreading malware through the WhatsApp service in 2019.
In 2019 Amnesty International first observed attackers adopting new techniques to more stealthily and effectively deliver the malware. Using “Network Injections”, attackers are now capable of installing the spyware without requiring any interaction by the target.
Network injection silently redirects the target's browser and apps to malicious sites under the attacker's control.
This type of attack is possible using two techniques: deploying a device commonly referred to as a “rogue cell tower”, “IMSI Catcher” or “stingray”, or by leveraging access to the mobile operator’s internal infrastructure.
In January 2020, Business Insider reported about mobile interception technology NSO Group exhibited during Milipol , a trade show on homeland security held in Paris in November 2019.
These devices act as portable base stations that impersonate legitimate cell towers; phones in range connect to them, and the operator can then manipulate the intercepted mobile traffic.
As stated in Amnesty International's forensic methodology report, Pegasus has infected devices as recent as an iPhone 12 Pro Max running iOS 14.6, using a zero-click, zero-day iMessage exploit that needs no interaction from the phone's owner.
Monitoring via Interception
Once installed, the agent works closely with the kernel to spy on the applications on the device. The interception is implemented with hooks: software components that intercept the calls an application makes (including system calls into the kernel) so that the data can be read or altered before the kernel processes it.
Self-Destruction Mechanism
Pegasus removes evidence from a compromised device through a self-destruct mechanism. The process kills the agent's processes running on the system and clears the modules and libraries used for monitoring.
Forensic Analysis And Details Of Exploits
2016’s Trident Exploit
Overview: the attack starts when the attacker sends a URL (by SMS, email, social media or any other channel) to the target. The user has to take only one action: click the link. Once the link is clicked, the software package is installed. The only visible sign that anything happened is that the browser closes after the link is opened.
The attack breaks down into three sequential stages, each containing both exploit code and parts of the Pegasus software. Each stage is required to decode, exploit, install and run the next, and each leverages one of the Trident vulnerabilities.
STAGE 1: Delivery and WebKit vulnerability: this stage is served from the initial URL as an HTML file (1411194s) that exploits a vulnerability (CVE-2016-4657) in WebKit (used by Safari and other browsers).
STAGE 2 Jailbreak: This stage is downloaded from the first stage. Stage 2 is downloaded as an obfuscated and encrypted package. Each package is encrypted with unique keys at each download, making traditional network-based controls ineffective. It contains the code that is needed to exploit the iOS Kernel (CVE-2016-4655 and CVE-2016-4656) and a loader that downloads and decrypts a package for stage 3.
STAGE 3 Espionage Software: this stage is downloaded by stage 2. It contains the espionage software, daemons and other processes used after the device has been jailbroken in stage 2, and installs the hooks into the applications the attacker wishes to spy on. Stage 3 also detects whether the device was previously jailbroken by another method, and contains a failsafe that removes the software if certain conditions are present.
The third stage deploys a number of files packaged in a standard Unix tarball (test222.tar), each with its own purpose:
ca.crt : Root TLS certificate
com.apple.itunesstored.2.csstore : standalone JavaScript run from the command line at reboot; used to run unsigned code and re-jailbreak the kernel after a device reboot
converter : injects dylib in a process by pid.
libaudio.dylib : The base library for call recording
libimo.dylib : imo.im sniffer library
libvbcalls.dylib , libwacalls.dylib : Viber and WhatsApp sniffer
lw-install : Spawns all sniffing services
systemd : Sends reports and files to server
A look at Trident Vulnerabilities
CVE-2016-4657 : Memory Corruption in Safari WebKit
A memory corruption vulnerability exists in Safari WebKit that allows an attacker to execute arbitrary code. Pegasus exploits this vulnerability to obtain initial code execution privileges within the context of the Safari web browser
CVE-2016-4655: Kernel Information Leak Circumvents KASLR
Before Pegasus can execute its jailbreak, it must determine where the kernel is located in memory. Kernel Address Space Layout Randomization (KASLR) makes this task difficult by mapping the kernel into different and unpredictable locations in memory.
The attacker has found a way to locate the kernel by using a function call that leaks a non-obfuscated kernel memory address in the return value, allowing the kernel’s actual memory location to be mapped.
CVE-2016-4656: Memory Corruption in Kernel leads to Jailbreak
This vulnerability is used to jailbreak the device: a memory corruption bug in the kernel gives the attacker code execution in kernel context.
All three Trident vulnerabilities were patched by Apple in iOS 9.3.5, and a public proof-of-concept exploit has since been released.
Persistence and Self-Destruct
Once the kernel has been exploited, both exploit variants perform similar tasks to prepare the system for the jailbreak:
Disable kernel security protections including code signing
Remount the system partition and clear the Safari caches
Write the jailbreak files (including the main loader as /sbin/mount_nfs)
As a final step of stage 2, the exploit removes /etc/nfs.conf, which triggers the loading of /sbin/mount_nfs (the stage 3 jailbreak loader). Because /sbin/mount_nfs runs as root, the stage 3 code runs with full privileges.
Pegasus has a highly sensitive self-destruct mechanism to avoid discovery. When the software appears to be threatened, it self-destructs, removing its persistence mechanism (the cloned rtbuddyd and the com.apple.itunesstored.2.csstore exploit file described above) and all of its libraries (for example libvbcalls.dylib and libwacalls.dylib).
2019's WhatsApp RCE (CVE-2019-3568)
Description:
The vulnerability is a buffer overflow in the WhatsApp VOIP stack. It allowed remote code execution through a specially crafted series of SRTCP packets sent to a target phone number.
The vulnerability affects WhatsApp for
Android prior to v2.19.134
WhatsApp Business for Android prior to v2.19.44
WhatsApp for iOS prior to v2.19.51
WhatsApp Business for iOS prior to v2.19.51
WhatsApp for Windows Phone prior to v2.18.348
WhatsApp for Tizen prior to v2.18.15.
Exploitation consisted of placing a WhatsApp call to the vulnerable iPhone or Android device. The call did not need to be answered, and the call record often disappeared from the logs.
This is the activity for which Facebook sued NSO Group: using the WhatsApp service to spread malware to almost 1,400 devices.
2019’s iMessage zero-click 0day
The analysis is based on records found on multiple devices attacked by Pegasus.
iOS keeps a record of the Apple IDs looked up by each installed application in a plist file at /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist. This file is also typically included in a regular iTunes backup, so it can be extracted without a jailbreak.
In the analysis the following pattern was observed:
1. Lookups of several email addresses by com.apple.madrid (iMessage):
– bergers.o79@gmail[.]com
– bergers.o79@gmail\x00\x00com
– e\x00\x00adavies8266@gmail[.]com
2. Processes started after the email lookups:
– roleaccountd
– stagingd
– aggregatenotd
3. File created with RootDomain:
– Library/Preferences/com.apple.CrashReporter.plist
The iMessage lookups that immediately preceded the execution of the suspicious processes often contained two bytes of 0x00 padding inside the email address recorded in the ID status cache file.
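To turn the pattern above into a check, here is an added Python example (not code from the page, from Amnesty, or from MVT). It builds a constructed idstatuscache plist in an assumed, simplified layout (a "cache" dictionary keyed by the bundle ID doing the lookup, then by the looked-up handle, with a LookupDate in NSDate seconds) and flags the iMessage lookups whose handle carries NUL padding. The sample handles are the ones quoted above; the timestamps and the ordinary lookups are constructed.

```python
import plistlib
from datetime import datetime, timedelta, timezone

IMESSAGE_APP = "com.apple.madrid"
# NSDate epoch used by Apple plists: seconds since 2001-01-01 UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def build_sample_idstatuscache() -> bytes:
    """Constructed sample in an assumed, simplified layout: a "cache" dictionary
    keyed by the bundle ID doing the lookup, then by looked-up handle, with a
    LookupDate in NSDate seconds. Real files carry more keys than used here."""
    cache = {
        IMESSAGE_APP: {
            # Ordinary contact lookup (constructed).
            "mailto:friend@example.org": {"LookupDate": 639900000.0, "IDStatus": 1},
            # Handles with two-byte NUL padding, the pattern seen just before
            # roleaccountd/stagingd/aggregatenotd started on infected devices.
            "mailto:bergers.o79@gmail\x00\x00com": {"LookupDate": 640000100.0, "IDStatus": 1},
            "mailto:e\x00\x00adavies8266@gmail.com": {"LookupDate": 640000200.0, "IDStatus": 1},
        },
        "com.apple.private.alloy.facetime.audio": {
            "tel:+15555550100": {"LookupDate": 640000300.0, "IDStatus": 1},
        },
    }
    # Binary plist: plistlib's XML writer rejects control characters such as NUL.
    return plistlib.dumps({"cache": cache}, fmt=plistlib.FMT_BINARY)


def nsdate(seconds: float) -> datetime:
    """Convert NSDate seconds to an aware UTC datetime."""
    return APPLE_EPOCH + timedelta(seconds=seconds)


def find_padded_lookups(plist_bytes: bytes, app: str = IMESSAGE_APP) -> list:
    """Return the lookups made by `app` whose handle contains NUL bytes, oldest
    first. Each hit keeps the raw handle (for the report), a cleaned handle
    (for pivoting to other artefacts) and the lookup time."""
    data = plistlib.loads(plist_bytes)
    lookups = data.get("cache", {}).get(app, {})
    hits = []
    for handle, entry in lookups.items():
        if "\x00" not in handle:
            continue
        hits.append({
            "raw": handle,
            "handle": handle.replace("\x00", ""),
            "lookup_date": nsdate(entry.get("LookupDate", 0.0)),
        })
    hits.sort(key=lambda h: h["lookup_date"])
    return hits


if __name__ == "__main__":
    for hit in find_padded_lookups(build_sample_idstatuscache()):
        print(hit["lookup_date"].isoformat(), repr(hit["raw"]), "->", hit["handle"])
```

The lookup timestamps are the useful output: on a real device they are compared with the process-execution and file-creation records listed above to confirm the sequence, and the cleaned handle is what you search for in other artefacts. Note that the padding replaced characters of the address (the dot in gmail.com), so the cleaned form is a pivot, not the original sender.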
In mid-2020 a new iOS infection technique was identified, which also reused some of the earlier exploit techniques.
Network traffic for the Apple Music service was recovered from the cache file /private/var/mobile/Containers/Data/Application/D6A69566-55F7-4757-96DE-EBA612685272/Library/Caches/com.apple.Music/Cache.db. The HTTP requests went to the domain opposedarrangement[.]net, which has been identified as part of NSO Group's Pegasus infrastructure.
Lookup of f\x00\x00ip.bl82@gmail.com by com.apple.madrid (iMessage)
Pegasus request by Apple Music app: https://x1znqjo0x8b8j[.]php78mp9v[.]opposedarrangement[.]net:37271/afAVt89Wq/stadium/pop2[.]html?key=501_4&n=7
Processes executed
roleaccountd
stagingd
Pegasus request by Apple Music app: https://4n3d9ca2st[.]php78mp9v[.]opposedarrangement[.]net:37891/w58Xp5Z/stadium/pop2[.]html?key=501_4&n=7
2021’s iMessage “zero-click” and “0-day”
Recent Pegasus exploits rely on memory corruption.
Memory-corruption-based zero-click exploits typically require at least the following pieces:
A memory corruption vulnerability, reachable without user interaction and ideally without triggering any user notifications
A way to break ASLR remotely
A way to turn the vulnerability into remote code execution
A way to break out of any sandbox, typically by exploiting a separate vulnerability in another operating system component (e.g. a userspace service or the kernel)
With iOS 14, Apple shipped a significant refactoring of iMessage processing that made all four parts of the attack harder, mainly through three central changes:
The BlastDoor service: a new sandboxed service that parses incoming iMessages. Its role can be studied by following the flow of an incoming iMessage through the new processing pipeline.
Re-randomization of the dyld shared cache region: a mechanism that re-randomizes the location of the shared cache region for an "attacked" process, breaking a fundamental assumption of the crash-oracle technique. Previously, when exploiting an iMessage memory corruption bug, a "crash oracle" could reveal the location of the shared cache: the attacker would trigger the bug so that it accessed a memory location somewhere in the range 0x180000000 – 0x280000000 (where the shared cache can be mapped). If the memory was valid, no crash occurred and imagent sent a delivery receipt to the attacker; if a crash occurred, no receipt was delivered, telling the attacker that the address was unmapped. Through clever selection of the queried addresses, the location of the shared cache could be revealed in logarithmic time, with only about 20 messages. With iOS 14, the shared cache region is re-randomized when an attacked process crashes, so each probe after a crash sees a fresh layout.
Exponential throttling to slow down brute-force attacks: after multiple iOS exploits it was suggested that the number of attempts an attacker gets should be limited. This mainly defends against the crash-oracle technique, but it also hampers brute force (given enough attempts, one could simply brute-force the location of the shared cache region). The new ExponentialThrottling feature in launchd achieves this by exponentially increasing the delay before a crashing service is restarted.
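The logarithmic search is easier to see in code. The following is an added Python simulation (not from the page or from Project Zero) of the crash oracle: a simulated imagent answers "mapped" (delivery receipt) or "unmapped" (crash, no receipt) for a probed address, and the attacker first strides through the 0x180000000 – 0x280000000 range to find any mapped address, then binary-searches for the base of the mapping. The mapping size (1 GiB) and slide granularity (16 KiB) are assumptions for the simulation, not measured iOS values. With a `rerandomize` flag the simulated target moves the mapping on every crash, the iOS 14 behaviour, which breaks the search's invariant.

```python
import random

REGION_START = 0x1_8000_0000
REGION_END = 0x2_8000_0000
PAGE = 0x4000               # assumed slide granularity (16 KiB) for the simulation
CACHE_SIZE = 0x4000_0000    # assumed mapping size (1 GiB) for the simulation


class Target:
    """Simulated imagent. probe() tells whether an address is mapped: True stands
    for a delivery receipt, False for a crash with no receipt. With
    rerandomize=True the mapping moves after every crash (iOS 14 behaviour)."""

    def __init__(self, seed=0, rerandomize=False):
        self.rng = random.Random(seed)
        self.rerandomize = rerandomize
        self.queries = 0
        self.base = self._random_base()

    def _random_base(self):
        slots = (REGION_END - REGION_START - CACHE_SIZE) // PAGE
        return REGION_START + self.rng.randrange(slots + 1) * PAGE

    def probe(self, addr) -> bool:
        self.queries += 1
        mapped = self.base <= addr < self.base + CACHE_SIZE
        if not mapped and self.rerandomize:
            self.base = self._random_base()   # crash -> relaunch with a fresh slide
        return mapped


def locate_shared_cache(target) -> int:
    """Attacker side: recover the base of the mapping with the fewest probes."""
    # Step 1: stride through the region in CACHE_SIZE steps. Any mapping of that
    # length contains exactly one multiple of CACHE_SIZE, so at most 4 probes hit.
    hit = None
    for addr in range(REGION_START, REGION_END, CACHE_SIZE):
        if target.probe(addr):
            hit = addr
            break
    if hit is None:
        raise RuntimeError("no mapped address found (layout changed under us?)")
    # Step 2: the base lies in (hit - CACHE_SIZE, hit]. Binary search for the
    # lowest mapped page: 65536 candidates, hence 16 more probes.
    lo, hi = hit - CACHE_SIZE + PAGE, hit
    while lo < hi:
        mid = lo + ((hi - lo) // PAGE // 2) * PAGE
        if target.probe(mid):
            hi = mid
        else:
            lo = mid + PAGE
    return lo


if __name__ == "__main__":
    t = Target(seed=1)
    found = locate_shared_cache(t)
    print(f"true base 0x{t.base:x}, recovered 0x{found:x}, probes {t.queries}")
    t2 = Target(seed=1, rerandomize=True)
    try:
        found2 = locate_shared_cache(t2)
        print(f"with re-randomization: recovered 0x{found2:x}, "
              f"current base 0x{t2.base:x}, probes {t2.queries}")
    except RuntimeError as e:
        print("with re-randomization:", e)
```

Each probe is one iMessage, so the probe count is the number of messages the attack needs; under these assumptions it is at most 20, matching the figure above. Counting probes also shows why the two iOS 14 mitigations complement each other: re-randomization makes every crash invalidate the information gathered so far, and exponential throttling makes each of those crashes cost more wall-clock time.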
Yet in February 2021 Amnesty observed iMessage being used again for a zero-click exploit, this time involving com.apple.coretelephony.
The chain is similar to the 2020 attack, but the network requests come from the Core Telephony service instead of Apple Music.
Lookup of linakeller2203@gmail.com by iMessage (com.apple.madrid)
com.apple.coretelephony performs an HTTP request to https://d38j2563clgblt[.]cloudfront[.]net/fV2GsPXgW//stadium/megalodon?m=iPhone9,1&v=18C66
Process gatekeeperd executed
gatekeeperd performs an HTTP request to https://d38j2563clgblt[.]cloudfront.net/fV2GsPXgW//stadium/wizard/01-00000000
~250kb of encrypted binary data downloaded in the fsCachedData sub-folder
Attempts to Hide evidence of compromise
Pegasus has recently started manipulating system databases and records on the target device to hide its traces.
The manipulation becomes evident, however, when the consistency of the leftover records in the DataUsage.sqlite and netusage.sqlite databases is checked.
Pegasus deleted the names of its processes from the ZPROCESS table of the DataUsage database but did not delete the corresponding entries from the ZLIVEUSAGE table.
The ZPROCESS table stores one row per process with its primary key and the process name.
The ZLIVEUSAGE table contains a row for each process that used the network, including the transferred data volume and the process ID that corresponds to the ZPROCESS entry.
Usage rows whose process row no longer exists are useful for identifying when an infection may have occurred.
Pegasus process names also appear to be deliberately disguised as legitimate iOS system processes, presumably to fool forensic investigators inspecting logs.
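The consistency check described above can be run directly against a copy of DataUsage.sqlite. Here is an added Python example (not code from the page or from MVT) that builds a constructed in-memory database with the two tables reduced to the columns the check needs (the column names follow the Core Data naming seen on devices; the rest of the real schema is omitted, and the rows are invented), then reports three things: ZLIVEUSAGE rows whose ZPROCESS row is gone, gaps in the ZPROCESS primary-key sequence, and any surviving process names from the list this page attributes to Pegasus.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Process names this page reports Pegasus using on iOS, disguised as system daemons.
KNOWN_PEGASUS_PROCESSES = {"roleaccountd", "stagingd", "aggregatenotd", "gatekeeperd"}

SCHEMA = """
CREATE TABLE ZPROCESS (
    Z_PK INTEGER PRIMARY KEY,
    ZFIRSTTIMESTAMP REAL,
    ZTIMESTAMP REAL,
    ZBUNDLENAME TEXT,
    ZPROCNAME TEXT
);
CREATE TABLE ZLIVEUSAGE (
    Z_PK INTEGER PRIMARY KEY,
    ZHASPROCESS INTEGER,      -- points at ZPROCESS.Z_PK; SQLite does not enforce it
    ZTIMESTAMP REAL,
    ZWIFIIN INTEGER, ZWIFIOUT INTEGER,
    ZWWANIN INTEGER, ZWWANOUT INTEGER
);
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed DataUsage.sqlite: two ordinary apps, two process rows removed
    by the implant (Z_PK 3 and 4) whose usage rows survive, and one disguised
    process row that was left behind."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    t0 = 640000000.0  # NSDate seconds, constructed
    con.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?,?)", [
        (1, t0, t0 + 100, "com.apple.mobilesafari", "MobileSafari"),
        (2, t0, t0 + 200, "com.apple.Music", "Music"),
        (5, t0 + 500, t0 + 600, "", "roleaccountd"),
        (6, t0 + 700, t0 + 800, "com.apple.Preferences", "Preferences"),
    ])
    con.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?,?,?)", [
        (1, 1, t0 + 50, 1000, 200, 0, 0),
        (2, 2, t0 + 150, 5000, 300, 0, 0),
        (3, 3, t0 + 350, 0, 0, 251000, 9000),   # orphan: ZPROCESS 3 was deleted
        (4, 4, t0 + 450, 0, 0, 12000, 3000),    # orphan: ZPROCESS 4 was deleted
        (5, 5, t0 + 550, 0, 0, 400, 100),
        (6, 6, t0 + 750, 0, 0, 0, 0),
    ])
    con.commit()
    return con


def find_orphan_usage(con: sqlite3.Connection) -> list:
    """ZLIVEUSAGE rows with no matching ZPROCESS row, oldest first. Their
    timestamps bracket the window in which the process rows were removed."""
    rows = con.execute("""
        SELECT u.Z_PK, u.ZHASPROCESS, u.ZTIMESTAMP,
               u.ZWIFIIN + u.ZWIFIOUT + u.ZWWANIN + u.ZWWANOUT
        FROM ZLIVEUSAGE u
        LEFT JOIN ZPROCESS p ON u.ZHASPROCESS = p.Z_PK
        WHERE p.Z_PK IS NULL
        ORDER BY u.ZTIMESTAMP""").fetchall()
    return [{"usage_pk": pk, "process_pk": proc,
             "time": APPLE_EPOCH + timedelta(seconds=ts), "bytes": total}
            for pk, proc, ts, total in rows]


def find_pk_gaps(con: sqlite3.Connection) -> list:
    """Missing values in the ZPROCESS primary-key sequence: rows that existed
    and were deleted (Core Data never reuses a Z_PK)."""
    pks = [r[0] for r in con.execute("SELECT Z_PK FROM ZPROCESS ORDER BY Z_PK")]
    if not pks:
        return []
    present = set(pks)
    return [pk for pk in range(pks[0], pks[-1] + 1) if pk not in present]


def find_suspicious_names(con: sqlite3.Connection) -> list:
    """Process names still present that match the disguised names above."""
    rows = con.execute("SELECT ZPROCNAME FROM ZPROCESS ORDER BY Z_PK").fetchall()
    return [name for (name,) in rows if name in KNOWN_PEGASUS_PROCESSES]


if __name__ == "__main__":
    db = build_sample_db()
    for o in find_orphan_usage(db):
        print(f"orphan usage row {o['usage_pk']} -> missing process {o['process_pk']} "
              f"at {o['time'].isoformat()} ({o['bytes']} bytes)")
    print("Z_PK gaps:", find_pk_gaps(db))
    print("disguised names still present:", find_suspicious_names(db))
```

On a real extraction the three signals are read together: the orphan timestamps give the time window, the primary-key gaps corroborate that rows were removed rather than never created, and a name hit on a surviving row is a direct indicator. The name list is deliberately small and taken from this page; it is not a complete set of Pegasus process names.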
After the shutdown of the version 3 infrastructure
NSO Group refactored its infrastructure to introduce additional layers, which complicated discovery. Nevertheless, Amnesty was able to observe at least four servers used in each infection chain.
Pegasus Anonymizing Transmission Network
Pegasus employs a sophisticated command-and-control (C&C) infrastructure to deliver exploit payloads and send commands to Pegasus targets. Four iterations of this infrastructure, the Pegasus Anonymizing Transmission Network (PATN), are known.
The PATN reportedly uses techniques such as serving its infrastructure on high port numbers to avoid conventional Internet scanning. It also uses up to three randomized subdomains, unique per exploit attempt, as well as randomized URL paths. After Amnesty International's report, AWS shut down the accounts and infrastructure NSO used to operate Pegasus.
Remediation
After the Citizen Lab and Amnesty International reports it is clear that keeping software up to date is not sufficient to be safe from this type of attack.
Amnesty International has released an open-source tool, the Mobile Verification Toolkit, to detect whether a device has been compromised by Pegasus.
Mobile Verification Toolkit (MVT)
Mobile Verification Toolkit (MVT) is a collection of utilities that simplify and automate the gathering of forensic traces useful for identifying a potential compromise of Android and iOS devices.
Amnesty International uncovered targeted digital attacks against two prominent Moroccan Human Rights Defenders (HRDs) using NSO Group’s Pegasus spyware. According to the research, these targeted attacks have been ongoing since at least 2017. These were carried out through SMS messages carrying malicious links that, if clicked, would attempt to exploit the mobile device of the victim and install NSO Group’s Pegasus spyware.
In addition to SMS messages, they identified what appear to be network injection attacks against an HRD's mobile network connection, also aimed at installing spyware. Amnesty International suspects that NSO Group may also be behind these network injection attacks.
These targeted digital attacks against two Moroccan HRDs are symptomatic of a larger pattern of reprisals against HRDs and dissident voices being carried out by Moroccan authorities.
Cartel Project
An investigation by the Cartel Project revealed that a Mexican journalist – editor of the country’s foremost investigative magazine – was targeted with the “Pegasus” spyware sold by the Israeli company NSO Group, according to technical analysis by Amnesty International.
In 2016, Jorge Carrasco, editor-in-chief of the Mexican news weekly Proceso, received a text message from an unknown number: “Hello Jorge. I am sharing this memo that Animal Politico published today. I think it’s important to reshare.”
The message came with a link. “Who is this?” Carrasco texted back. The sender never responded.
Analysis by Amnesty International revealed that the message was an attempt to gain access to Carrasco's phone using NSO Group's Pegasus spyware. When clicked, the link silently installs software that exfiltrates all of the phone's data, including text messages, and allows the microphone and camera to be activated remotely.
Impact
According to the Pegasus Project, Pegasus has been widely misused. The leaked data showed that at least 180 journalists were selected as targets in countries including India, Mexico, Hungary, Morocco and France. Potential targets also include human rights defenders, academics, business people, lawyers, doctors, union leaders, diplomats, politicians and several heads of state.
In December 2020 The Guardian reported, citing a senior DEA official, that a Mexican drug cartel obtained access to Pegasus with the help of corrupt Mexican officials.
A forensic report published in 2020 concluded that Jeff Bezos's phone had been compromised in 2018, with Pegasus among the suspected tools.
NSO's Statement
NSO stated that Pegasus is "used only where there [was] a legitimate law enforcement or intelligence-driven reason." Yet more than 10,000 phone numbers were selected for surveillance by NSO Group's Moroccan client alone over a two-year period.
The following domains have been identified as malicious and are part of a small subset of NSO's Pegasus campaign infrastructure:
mongo77usr.urlredirect.net
str1089.mailappzone.com
apiweb248.theappanalytics.com
dist564.htmlstats.net
css235gr.apigraphs.net
nodesj44s.unusualneighbor.co
img9fo658tlsuh.securisurf.com
pc25f01dw.loading-url.net
dbm4kl5d3faqlk6.healthyguess.com
img359axw1z.reload-url.net
css2307.cssgraphics.net
info2638dg43.newip-info.com
img87xp8m.catbrushcable.com
img108jkn42.av-scanner.com
mongom5sxk8fr6.extractsight.com
img776cg3.webprotector.co
tv54d2ml1.topadblocker.net
drp2j4sdi.safecrusade.com
api1r3f4.redirectweburl.com
pc41g20bm.redirectconnection.net
jsj8sd9nf.randomlane.net
php78mp9v.opposedarrangement.net
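Matching this list against recovered traffic needs two rules that the PATN design forces: the listed hosts must match as suffixes, because each attempt uses fresh randomized subdomains below them (the Apple Music requests above hit x1znqjo0x8b8j.php78mp9v.opposedarrangement.net, not the listed host), while hosts on shared infrastructure such as the CloudFront distribution from the 2021 chain must match exactly, or every CloudFront-hosted app on the device would be flagged. The following is an added Python example (not from the page, Amnesty or MVT) that refangs the `[.]` notation, applies both rules to a subset of the list above, and reports the non-standard ports the infrastructure is known to use. The benign URLs in the sample are constructed.

```python
from urllib.parse import urlsplit

# Subset of the page's Pegasus domain indicators. Matched as a suffix so that
# randomized subdomains (up to three per attempt) still hit the listed host.
DOMAIN_IOCS = {
    "php78mp9v.opposedarrangement.net",
    "mongo77usr.urlredirect.net",
    "str1089.mailappzone.com",
    "img108jkn42.av-scanner.com",
    "api1r3f4.redirectweburl.com",
}
# Hosts on shared infrastructure: exact match only. A suffix rule on
# "cloudfront.net" would flag every CloudFront distribution.
HOST_IOCS = {"d38j2563clgblt.cloudfront.net"}

STANDARD_PORTS = {None, 80, 443}


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used in reports so the URL parses normally."""
    return indicator.replace("[.]", ".")


def match_url(url: str) -> dict:
    """Classify one URL: which indicator (if any) it hits and whether it uses
    a port outside 80/443, which the PATN reportedly does to dodge scanners."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    ioc = None
    if host in HOST_IOCS:
        ioc = host
    else:
        for domain in DOMAIN_IOCS:
            if host == domain or host.endswith("." + domain):
                ioc = domain
                break
    return {
        "url": url,
        "host": host,
        "port": parts.port,
        "high_port": parts.port not in STANDARD_PORTS,
        "ioc": ioc,
    }


def scan(urls) -> list:
    """Return only the URLs that hit an indicator."""
    return [m for m in (match_url(u) for u in urls) if m["ioc"] is not None]


# Two requests quoted on this page plus constructed benign traffic.
SAMPLE_URLS = [
    "https://x1znqjo0x8b8j[.]php78mp9v[.]opposedarrangement[.]net:37271/afAVt89Wq/stadium/pop2[.]html?key=501_4&n=7",
    "https://d38j2563clgblt[.]cloudfront[.]net/fV2GsPXgW//stadium/megalodon?m=iPhone9,1&v=18C66",
    "https://www.apple.com/",                      # constructed, benign
    "https://d1example0.cloudfront.net/app.json",  # constructed, benign CDN host
]


if __name__ == "__main__":
    for m in scan(SAMPLE_URLS):
        flag = " (non-standard port)" if m["high_port"] else ""
        print(f"{m['host']}:{m['port']} matches {m['ioc']}{flag}")
```

Suffix matching on the listed hosts catches fresh subdomains but not sibling hosts under the same registered domain (a different label in place of php78mp9v); extending the rule to the registered domain is reasonable for the dedicated domains in this list, but it needs a public-suffix check so that it is never applied to shared hosts like cloudfront.net.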
Does Pegasus represent the only spyware out there?
Other spyware besides Pegasus has been discovered in recent years. According to Vice News, an Italian company operating under the name eSurv built an Android spyware called "Exodus", discovered in 2019 by researchers at Security Without Borders, who found it was used for surveillance on behalf of Italian authorities. Exodus was uploaded to the Google Play Store disguised as legitimate applications that users were invited to download. Analysis showed that the malware operated in multiple stages and ran successfully on victims' devices.
NSO Group claims that it vets clients' human rights records before onboarding them, and that deployment and target identification are carried out by the clients themselves.