Behind the Advisory: Decoding Apple’s Alert and Spyware Dilemma

Apple warns of state-sponsored mercenary spyware attacks targeting iPhones in 92 countries. Apple links these sophisticated, costly attacks to private spyware vendors such as NSO Group, the maker of Pegasus, which often work on behalf of governments.

Anuj Sharma
May 22, 2024 (last updated May 22, 2024)
Green Alert

Apple Advisory

On April 10, 2024, Apple issued an advisory regarding threat notifications and defense against mercenary spyware attacks affecting iPhone users in 92 countries. The advisory also noted that, based on public reports and research conducted by civil society organizations, technology companies, and journalists, attacks of such extraordinary cost and complexity have typically been linked to state actors or private companies that create mercenary spyware for them, like Pegasus from the NSO Group. This announcement has attracted widespread attention and media coverage worldwide.

The advisory cites Pegasus only as an example of the class of mercenary spyware involved; it does not attribute the notified attacks to any particular vendor. Many news articles and social media posts nevertheless put "Pegasus" in their headlines and updates, likely to capture attention and heighten urgency, with the result that readers misattribute the attacks, the spyware and the organisations behind it.

This article explores how underground sources throughout the deep and dark web have historically leveraged Pegasus's name, logo, and identity, contributing to widespread misrepresentation. It is supported by robust research, evidence, and human intelligence gathered by CloudSEK researchers in recent months.

Investigation

Over the years, CloudSEK researchers have triaged and investigated incidents on dark and deep web sources, giving them visibility into the global threat landscape. Mentions of Pegasus and NSO Group, and activity revolving around them, have come up frequently. Following Apple's advisory on threat notifications, our researchers compiled those incidents into this article.

One of the major sources covered in the analysis is messaging platforms, referred to here as IRC platforms; CloudSEK researchers took roughly 25,000 Telegram posts into scope. A large share of them claim to sell the authentic Pegasus source code. These sale posts tend to follow a template advertising a menu of illicit services, and the recurring element across thousands of them is Pegasus or "NSO tools" offered as a service.

Snapshot of Templates offering illicit services including Pegasus/NSO Group tools

Our sources interacted with more than 150 purported sellers of Pegasus, which gave us insight into the samples and indicators these actors share: the source code of their supposedly official Pegasus samples, live video demonstrations of the samples in operation, the file structure of the samples and screenshots of the source code.

The samples propagated most widely were those named Pegasus HVNC (Hidden Virtual Network Computing): 6 unique samples in this category were posted on the deep web between May 2022 and January 2024. The name itself is a tell. HVNC is a hidden-desktop remote-control feature found in Windows banking trojans and RATs, whereas the real Pegasus is a mobile implant for iOS and Android, so an "HVNC" build cannot be the tool Apple's advisory refers to.

Snapshot of Pegasus HVNC samples propagating on IRC Platforms

The same misuse was observed on surface web code-sharing platforms, where actors published unrelated code of their own and falsely labelled it as the Pegasus spyware.

Snapshot from code-sharing platforms 

The following table lists samples circulating in underground sources that claim to be the official Pegasus spyware and are sold for hundreds of thousands of dollars. All hashes are SHA-256 digests (shown here in lowercase). Names are the sellers' file names as posted, spelling included; the two names that appear twice are distinct archives with different digests.

Sample name (as advertised)       SHA-256
PEGASUS-LIME-HVNC-main.zip        3702dfd61cfcc80592081b8c94b9d5e1d50744fec375f1e3958cd440a0bd03ac
PegasusHVNCclient-main.zip        5e953e81f81b82e9b8d068201e33721f404834ad1e92959a141024c39eac25c8
pegasushvnc-main.zip              3371306320ca2b9dda1e1c1e3b92ebd9cf814133e9d4c87feb7bb074979254db
pegasushvnc2-main.zip             9cf46bcfb01bd1963e90f2e763047057275232eba80fbe541b7f3a509e285867
PEGASUS-LIME-HVNC-main.zip        9d080f15c2cdddb27aa5934c30a9ac76e53c1dea8b6bca941ba53e2b65be948c
PegasusHVNCclient-main.zip        d1fd74cc5de27b63530d9501f07450d7b7f6ec816331af858c6cca512217a76d
Pegasus. {ALL Pakages}.zip        60f5d331ac5a55138bbea0d85e844405cee2372c7a4d53c0f2893e4a1ceac635
Assasin 2.3 Pegasus.7z            a447e5f7856e989a2bd3bf782c780f96a873acd04954e63add0ef451b4d62dea
Pegasus Spyware Zero Click.7z     4a5cf1a12144a757d63eb9e7665adb45a5efed8921ffc4ae222d282612472ae2
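As an added example that is not part of the original CloudSEK article or its tooling, the Python script below hashes files and matches them against the SHA-256 list above, so that an analyst who is handed one of these archives can confirm it is a known fake before spending time on it. The function names, the directory-scan helper and the chunked hashing are my choices; the digests and advertised names are taken from the table.

```python
import hashlib
import io
import sys
from pathlib import Path

# SHA-256 digests from the table above, keyed by digest and mapped to the
# file name the seller advertised. Digests are stored in lowercase so that
# the mixed case in which they were posted does not matter when matching.
FAKE_PEGASUS_ARCHIVES = {
    "3702dfd61cfcc80592081b8c94b9d5e1d50744fec375f1e3958cd440a0bd03ac": "PEGASUS-LIME-HVNC-main.zip",
    "5e953e81f81b82e9b8d068201e33721f404834ad1e92959a141024c39eac25c8": "PegasusHVNCclient-main.zip",
    "3371306320ca2b9dda1e1c1e3b92ebd9cf814133e9d4c87feb7bb074979254db": "pegasushvnc-main.zip",
    "9cf46bcfb01bd1963e90f2e763047057275232eba80fbe541b7f3a509e285867": "pegasushvnc2-main.zip",
    "9d080f15c2cdddb27aa5934c30a9ac76e53c1dea8b6bca941ba53e2b65be948c": "PEGASUS-LIME-HVNC-main.zip",
    "d1fd74cc5de27b63530d9501f07450d7b7f6ec816331af858c6cca512217a76d": "PegasusHVNCclient-main.zip",
    "60f5d331ac5a55138bbea0d85e844405cee2372c7a4d53c0f2893e4a1ceac635": "Pegasus. {ALL Pakages}.zip",
    "a447e5f7856e989a2bd3bf782c780f96a873acd04954e63add0ef451b4d62dea": "Assasin 2.3 Pegasus.7z",
    "4a5cf1a12144a757d63eb9e7665adb45a5efed8921ffc4ae222d282612472ae2": "Pegasus Spyware Zero Click.7z",
}


def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in 1 MiB chunks so large archives need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_bytes(data):
    """Hash an in-memory byte string (data pulled from a download cache, or test input)."""
    return sha256_stream(io.BytesIO(data))


def sha256_file(path):
    """Hash a file on disk without loading it whole."""
    with open(path, "rb") as handle:
        return sha256_stream(handle)


def lookup_fake_pegasus(digest):
    """Return the advertised name if the digest is in the list, else None.

    Whitespace and case are normalised so a digest pasted from a chat
    message or a ticket matches the same way as one computed locally.
    """
    return FAKE_PEGASUS_ARCHIVES.get(digest.strip().lower())


def scan_directory(root):
    """Walk a directory tree (a downloads folder, a quarantine share) and return
    (path, digest, advertised_name) for each regular file whose digest is in
    the list. Symlinks that point at regular files are followed and hashed.
    """
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = sha256_file(path)
            name = lookup_fake_pegasus(digest)
            if name is not None:
                hits.append((str(path), digest, name))
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    matches = scan_directory(target)
    for path, digest, name in matches:
        print(f"KNOWN FAKE  {path}\n  sha256={digest}\n  advertised as: {name}")
    if not matches:
        print(f"No files under {target} match the list (this does not mean they are safe).")
```

Run it as `python fake_pegasus_check.py <directory>`. A match identifies one specific archive from the table; the absence of a match says nothing, because re-zipping the same contents with a different tool or timestamp changes the digest. Treat this as a triage shortcut that saves analyst time on known junk, not as clearance for anything that does not match.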

Outcome

After obtaining 15 samples and 30+ indicators from HUMINT and deep and dark web sources, we found that nearly all of the sellers had built their own fraudulent, non-functional tools and scripts and were distributing them under Pegasus' name, trading on the reputation of Pegasus and NSO Group for substantial financial gain.

A subset of these posts also made their "Pegasus" samples publicly available. CloudSEK researchers analysed more than 15 unique samples and found that the actors were distributing malware that compromises the device of whoever runs it, using the Pegasus name to persuade victims to download and execute it.

In addition to IRC platforms, a similar trend has been noted across multiple underground forums, where perpetrators are marketing samples and openly distributing them, exploiting Pegasus’ name for their monetary gain.

Snapshot of propagating Malware on IRC channels & underground forums claiming to be official Pegasus Samples

The above findings show that threat actor groups have long used Pegasus' name to market and profit from samples they built themselves. A recent development on IRC platforms, which has drawn significant attention, fits the same pattern.

On April 5, 2024, a Telegram group named Deanon ClubV7 announced that it had obtained legitimate access to Pegasus and offered permanent access for USD 1.5 million. The group claimed to be the first to secure such access and to have sold four accesses, for a total of USD 6 million, within two days. Notably, the group later shared Apple's official advisory in its own channel and pointed to it with pride.

Snapshot of Deanon ClubV7’s post on access to Pegasus for USD 1.5M

Snapshot of Deanon ClubV7’s post after release of official advisory by Apple

Conclusion

This incident is not isolated, and while nothing can be established conclusively, it raises a crucial question: are these claims of access to Pegasus, or of a leaked Pegasus source code, merely a ruse that lets sellers distribute and profit from their own custom-built spyware while the attention stays on Pegasus and they remain under the radar? It is also worth remembering that Pegasus is a tool, a cyber weapon; the responsibility ultimately lies with those who wield it.

In light of these events, attributions of such attacks should be approached with caution. Rather than accepting assumptions or implicating individuals or groups on the strength of a name, these findings are a reminder to question the narratives we encounter and to examine critically what we believe about the origins of this spyware.

Author

Anuj Sharma

Security Enthusiast

