What happened?
On 18 July 2021, The Pegasus Project (a collaboration between journalists from 17 media organizations in 10 countries, coordinated by Forbidden Stories, a Paris-based media non-profit, with technical support from Amnesty International) reported that it had obtained a list of more than 50,000 phone numbers of potential surveillance targets selected by clients of NSO Group, an Israeli technology firm. The list includes journalists, activists, academics, lawyers, politicians and government officials, business people, doctors, prosecutors, and friends and relatives of apparent persons of interest to NSO clients.
The NSO Group
Based in Herzliya, near Tel Aviv, Israel, NSO Group is a private cyberweapons firm founded in 2010 by Niv Carmi, Omri Lavie and Shalev Hulio. It employed almost 500 people as of 2017 and reported a 2020 EBITDA of USD 99 million, nearly 40% of its revenue.
What is Pegasus?
Pegasus is military-grade spyware developed by NSO Group and sold with the stated purpose of helping nation states and law enforcement prevent and investigate terrorism and crime and maintain public safety.
The initial-access surface available for deploying Pegasus on a device is as wide as that device's vulnerability exposure: the applications installed, the permissions granted, and the hardware itself. Pegasus operators have exploited a wide range of hardware and application vulnerabilities across multiple operating systems, including both Android and iOS. Prevention and mitigation therefore rest on a high degree of cyber hygiene, user awareness, and operational security.
Allegations of misuse of Pegasus have been raised since 2016, when spear phishing was the attack vector used to deploy it. In 2019, Facebook sued NSO Group, alleging that WhatsApp's servers had been used to deploy Pegasus on about 1,400 mobile phones belonging to journalists, diplomats, human rights activists, senior government officials and others, by exploiting a zero-day vulnerability. The lawsuit stated that the malware did not break WhatsApp's end-to-end encryption; instead it infected users' phones, giving NSO access to messages after they had been decrypted on the recipient's device.
Known Clients of NSO using Pegasus
- Azerbaijan
- Bahrain
- Hungary
- India
- Kazakhstan
- Mexico
- Morocco
- Rwanda
- Saudi Arabia
- Togo
- United Arab Emirates (UAE)
Past Events attributed to the NSO Group
Historically, Pegasus has been tied to the following events:
Is Pegasus the only Spyware Around?
The textbook definition of Spyware is, “software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive.”
Apart from Pegasus, other spyware has been discovered over the last few years. For example, in 2019 Vice reported that an Italy-based development company operating under the name eSurv had built Android malware called "Exodus." Exodus was discovered by researchers at Security Without Borders (securitywithoutborders.org), who found it being used for surveillance on behalf of the Italian government. The spyware was uploaded to the Google Play Store disguised as legitimate applications and was available for any user to download. Analysis showed that the malware operated in multiple stages and executed successfully on victims' devices.
NSO Group says it vets its clients' human rights records before onboarding them, which suggests at least a semblance of regulation in deployment and target selection.
Impact
- Targets both Android and iOS devices
- Pegasus is capable of:
- reading text messages
- tracking calls
- collecting passwords
- tracking location
- accessing the target device's microphone and camera
- harvesting information from apps
- Exposes the user's sensitive information
Mitigation
- Install system and application updates promptly, browser updates in particular: the documented infection chains start with a browser or messaging-app exploit.
- Do not open suspicious links in SMS messages or emails.
- Zero-click delivery (see Agent Installation below) needs no user interaction, so link hygiene alone is not sufficient; devices of likely targets should be checked against published indicators. Amnesty International's open-source Mobile Verification Toolkit (MVT) can scan an iOS backup or an Android device for known Pegasus indicators such as the domains listed under Indicators of Compromise.
- As a last resort, reflash (factory reset) the device. This also destroys forensic evidence, so take a backup first if an investigation is planned.
Note: Pegasus is not generic malware aimed at mass populations; it is deployed against specific, selected targets.
Technical Analysis of Pegasus
The Pegasus surveillance solution offers advanced features for sophisticated intelligence gathering from the following target endpoints and devices:
- Android
- iOS
- Blackberry
- Symbian-based devices
Capabilities
Pegasus has the following features:
- Extraction of contacts, emails, photos, files, locations, passwords and process lists, and interception of calls and messages.
- A self-destruct mechanism that removes the agent from the target device so that no evidence remains.
Infection Vector
Most high-profile compromises have been carried out by sending the target a malicious link; when the target opens it, the Pegasus payload is downloaded and installed on the device. Zero-click delivery that requires no interaction at all has also been documented (see Agent Installation below).
Agent
An agent is the software component (the malware) deployed by covert means on the target device to carry out surveillance and data collection. Agent code is built for the architecture and operating system of the target endpoint.
Agent Installation
Remote installation vectors require only the target's phone number or email address. Documented vectors include:
- Over-the-Air (OTA): a push message is sent to the target device that causes it to download and install the agent covertly. No user interaction, such as clicking a link or opening a message, is required (a "zero-click" install).
- Enhanced Social Engineering Message (ESEM): the operator sends the target a malicious email or SMS; when the link is opened, the agent is downloaded and installed on the device.
When the phone number or email address is not known but the target is physically nearby, the following vectors are used:
- Tactical Network Element Installation: the target's phone number is acquired with a portable Base Transceiver Station (BTS), a rogue cell site positioned near the target, and the agent is then installed remotely using that number. Being in the target's vicinity is, in most cases, sufficient to capture the number.
- Physical Installation: an operator with physical access to the device installs the agent directly.
Collecting Data
After the agent is installed on the target device, data is collected from multiple sources. The types of data collected include:
- Textual data like SMS, Email, Call History etc.
- Visual data including Photos and Screenshots
- Audio data such as voice recordings
- Files including documents and the like
- Real-time monitoring of the device location
Initial Data Extraction
The following data is collected from the device and sent back to the Command and Control server:
- SMS Records
- Contacts details
- Call history
- Calendar records
- Emails
- Instant Messaging
- Browsing history
Passive Monitoring
After the initial capture, the agent continues to monitor for new records, including:
- SMS records
- Contacts details
- Call history (call log)
- Calendar records
- Emails
- Instant Messaging
- Browsing history
- Location tracking (Cell-ID based)
Active Collection
At any time the operator can task the infected device to return collected data and to perform real-time actions. This includes:
- Location tracking (GPS based)
- Voice call interception
- File retrieval
- Environmental sound recording (microphone recording)
- Photo taking
- Screen capturing
Pegasus Tactics, Techniques, and Procedures
Based on prior campaigns, Pegasus uses exploit chains to deploy the surveillance agent on the mobile device:
- Phase 0x1 (Malicious link and initial exploitation): with the ESEM method the operator sends the victim a malicious link; when it is opened, it exploits a browser vulnerability to gain code execution on the device.
- Phase 0x2 (Jailbreaking and agent deployment): kernel-level exploits are then used to gain complete control of the device (jailbreaking). With kernel access, the final payload containing the surveillance modules is deployed and persisted. The agent then installs application hooks on the jailbroken device, which let it spy on the installed applications.
- Phase 0x3 (Module download): the agent downloads additional libraries that implement sniffing and monitoring of specific applications such as WhatsApp and Viber, as well as call and camera recording.
Monitoring via Interception
Once the agent is installed, it works closely with the kernel to spy on the applications on the device. This is implemented with hooks: software components that intercept application and system calls so that the data an application passes to or receives from the OS can be copied off. Because the hooks run inside the application, they see message content in cleartext, after end-to-end encryption has been removed on the device; this is why the WhatsApp lawsuit noted that the encryption itself was not broken.
Self Destruction Mechanism
Pegasus has a self-destruct mechanism to remove evidence from a compromised device: it kills the agent's processes running on the system and deletes the modules and libraries used for monitoring.
MITRE ATT&CK TTPs
Initial Access
- T1475: Deliver Malicious App via Authorized App Store
Execution
- T1402: Broadcast Receivers
Persistence
- T1402: Broadcast Receivers
- T1400: Modify System Partition
Privilege Escalation
- T1404: Exploit OS Vulnerability
Defense Evasion
- T1418: Application Discovery
- T1400: Modify System Partition
Credential Access
- T1409: Access Stored Application Data
Discovery
- T1418: Application Discovery
- T1422: System Network Configuration Discovery
Collection
- T1435: Access Calendar Entries
- T1433: Access Call Log
- T1432: Access Contact List
- T1409: Access Stored Application Data
- T1429: Capture Audio
- T1512: Capture Camera
Command and Control
- T1438: Alternate Network Mediums
Exfiltration
- T1438: Alternate Network Mediums
Impact
- T1400: Modify System Partition
Indicators of Compromise
The following domains have been identified as malicious and are a small subset of the infrastructure used in Pegasus campaigns (see the OTX pulse in the references). Each entry is a full hostname; operators rotate the random-looking leftmost label, so the registrable parent domain is also worth matching on.
- mongo77usr.urlredirect.net
- str1089.mailappzone.com
- apiweb248.theappanalytics.com
- dist564.htmlstats.net
- css235gr.apigraphs.net
- nodesj44s.unusualneighbor.com
- jsonapi2.linksnew.info
- img9fo658tlsuh.securisurf.com
- pc25f01dw.loading-url.net
- dbm4kl5d3faqlk6.healthyguess.com
- img359axw1z.reload-url.net
- css2307.cssgraphics.net
- info2638dg43.newip-info.com
- img87xp8m.catbrushcable.com
- img108jkn42.av-scanner.com
- mongom5sxk8fr6.extractsight.com
- img776cg3.webprotector.co
- tv54d2ml1.topadblocker.net
- drp2j4sdi.safecrusade.com
- api1r3f4.redirectweburl.com
- pc41g20bm.redirectconnection.net
- jsj8sd9nf.randomlane.net
- php78mp9v.opposedarrangement.net
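The following script shows how a practitioner would actually use the domain indicators above, and how the "do not open suspicious links" mitigation can be checked mechanically: it matches hostnames from DNS query logs and from links in an SMS against the IoC list, both on the exact hostname and on the registrable parent domain. It is an added example written for this page, not code from the Pegasus Project, NSO Group or any cited source. It assumes a dnsmasq-style query log format; the log lines and SMS text are constructed, and the hostname cdn9q2.urlredirect.net is a made-up sibling under a listed parent domain, not a published indicator.

```python
"""Match hostnames from DNS logs and SMS links against the Pegasus IoC domains.

Added example for this page (not code from any cited source). Sample log lines
and the SMS body are constructed for the demonstration.
"""
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Subset of the IoC hostnames listed on this page (all are full hostnames).
PEGASUS_IOC_HOSTS = {
    "mongo77usr.urlredirect.net",
    "str1089.mailappzone.com",
    "apiweb248.theappanalytics.com",
    "dist564.htmlstats.net",
    "img9fo658tlsuh.securisurf.com",
    "pc25f01dw.loading-url.net",
    "img108jkn42.av-scanner.com",
    "img776cg3.webprotector.co",
    "api1r3f4.redirectweburl.com",
}


def registrable_domain(host: str) -> str:
    """Naive apex domain: the last two labels. Adequate for the IoC list here
    (no ccSLDs such as .co.uk); use a public-suffix list for production data."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Operators rotate the leftmost label, so also match on the parent domain.
PEGASUS_IOC_APEX = {registrable_domain(h) for h in PEGASUS_IOC_HOSTS}


def classify_host(host: str) -> Optional[str]:
    """Return "exact" for a listed hostname, "apex" for a sibling under a
    listed parent domain, or None. Label-based matching avoids false hits on
    lookalikes such as notwebprotector.co."""
    h = host.lower().rstrip(".")
    if h in PEGASUS_IOC_HOSTS:
        return "exact"
    if registrable_domain(h) in PEGASUS_IOC_APEX:
        return "apex"
    return None


# dnsmasq-style query line, e.g. "... query[A] host.example from 10.0.0.5"
DNS_QUERY_RE = re.compile(
    r"query\[(?:A|AAAA)\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)")


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, verdict) for every query that matches."""
    hits = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        verdict = classify_host(m["qname"])
        if verdict:
            hits.append((m["client"], m["qname"].lower(), verdict))
    return hits


URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def scan_message_links(text: str) -> List[Tuple[str, str]]:
    """Return (url, verdict) for every link in an SMS/email body whose host
    matches; a hit here means the message is an ESEM-style lure."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname  # already lower-cased by urlsplit
        if host:
            verdict = classify_host(host)
            if verdict:
                hits.append((url, verdict))
    return hits


# Constructed sample data (not real captures).
SAMPLE_DNS_LOG = [
    "Jul 19 10:21:03 gw dnsmasq[812]: query[A] img776cg3.webprotector.co from 10.0.0.5",
    "Jul 19 10:21:04 gw dnsmasq[812]: query[AAAA] www.example.com from 10.0.0.7",
    "Jul 19 10:22:51 gw dnsmasq[812]: query[A] cdn9q2.urlredirect.net from 10.0.0.5",
    "Jul 19 10:23:10 gw dnsmasq[812]: query[A] mail.google.com from 10.0.0.5",
]
SAMPLE_SMS = ("Your parcel could not be delivered. Track it here: "
              "https://Api1r3f4.redirectweburl.com/track?id=88213 "
              "or see https://www.example.org/help")

if __name__ == "__main__":
    for client, name, verdict in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS  {client} -> {name} [{verdict}]")
    for url, verdict in scan_message_links(SAMPLE_SMS):
        print(f"LINK {url} [{verdict}]")
```

An "apex" hit on its own is weaker evidence than an exact hit, but for operator-registered throwaway domains like these it is usually the signal that catches the next rotation of hostnames; run the same check over proxy logs and browser history exports as well as DNS.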
References
- https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab
- https://research.checkpoint.com/2019/the-nso-whatsapp-vulnerability-this-is-how-it-happened/
- https://www.nytimes.com/2018/12/02/world/middleeast/saudi-khashoggi-spyware-israel.html
- https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html
- https://www.theguardian.com/world/2020/dec/07/mexico-cartels-drugs-spying-corruption
- https://otx.alienvault.com/pulse/60f68942fafbc9a0287b9978