
Behind the Advisory: Decoding Apple’s Alert and Spyware Dilemma

Apple warns of state-sponsored mercenary spyware attacks targeting iPhones in 92 countries. The tech giant links the sophisticated, costly attacks to private spyware firms like NSO Group's Pegasus, often working for governments.

Anuj Sharma
May 22, 2024
Green Alert
Last Update posted on
August 21, 2025

Apple Advisory

On April 10, 2024, Apple issued an advisory regarding threat notifications and defense against mercenary spyware attacks affecting iPhone users in 92 countries. The advisory also noted that, based on public reports and research conducted by civil society organizations, technology companies, and journalists, attacks of such extraordinary cost and complexity have typically been linked to state actors or private companies that create mercenary spyware for them, like Pegasus from the NSO Group. This announcement has attracted widespread attention and media coverage worldwide.

While the advisory only describes the spyware as similar to "Pegasus," many news articles and social media posts have chosen to use "Pegasus" in their headlines and updates, likely to capture more attention and heighten urgency. The result is that the end reader or viewer misattributes these attacks, the spyware, and the organizations behind it.

This article explores how underground sources throughout the deep and dark web have historically leveraged Pegasus's name, logo, and identity, contributing to widespread misrepresentation. It is supported by robust research, evidence, and human intelligence gathered by CloudSEK researchers in recent months.

Investigation

Over the years, CloudSEK researchers have been triaging and investigating incidents occurring in dark and deep web sources, providing visibility into the global threat landscape. We have frequently encountered mentions of Pegasus and NSO Group and observed various activities revolving around them. However, after Apple's recent advisory regarding threat notifications, our researchers began working on this article to delve into different incidents associated with these entities.

One of the major sources covered as part of the analysis is IRC platforms. CloudSEK researchers took into scope around 25k posts on Telegram, a major portion of which are claims to sell authentic Pegasus source code. Such sale posts tend to follow a template offering illicit services, and the common pattern observed across these thousands of posts has consistently been Pegasus and NSO Group tools being offered as services.

Snapshot of Templates offering illicit services including Pegasus/NSO Group tools

Our sources interacted with over 150 potential sellers of Pegasus, which enabled us to gain insight into various samples and indicators shared by these actors. These indicators encompassed the source code of their purported official Pegasus samples, live video demonstrations of samples in operation, the file structure of the samples, and snapshots of the source code.

It was observed that samples named Pegasus HVNC (Hidden Virtual Network Computing) were being propagated the most, with 6 unique samples under the same category posted on the deep web between May 2022 and January 2024.

Snapshot of Pegasus HVNC samples propagating on IRC Platforms

The same misuse was also observed on surface web code-sharing platforms, where actors were disseminating their own randomly generated source codes, falsely associating them with the Pegasus Spyware.

Snapshot from code-sharing platforms 

The following table contains the list of samples propagating in underground sources claiming to be the official Pegasus Spyware being sold for hundreds of thousands of dollars:

Sample Name                      MD5/SHA256 Hash
PEGASUS-LIME-HVNC-main.zip       3702DFD61CFCC80592081B8C94B9D5E1D50744FEC375F1E3958CD440A0BD03AC
PegasusHVNCclient-main.zip       5E953E81F81B82E9B8D068201E33721F404834AD1E92959A141024C39EAC25C8
pegasushvnc-main.zip             3371306320ca2b9dda1e1c1e3b92ebd9cf814133e9d4c87feb7bb074979254db
pegasushvnc2-main.zip            9cf46bcfb01bd1963e90f2e763047057275232eba80fbe541b7f3a509e285867
PEGASUS-LIME-HVNC-main.zip       9d080f15c2cdddb27aa5934c30a9ac76e53c1dea8b6bca941ba53e2b65be948c
PegasusHVNCclient-main.zip       d1fd74cc5de27b63530d9501f07450d7b7f6ec816331af858c6cca512217a76d
Pegasus. {ALL Pakages}.zip       60f5d331ac5a55138bbea0d85e844405cee2372c7a4d53c0f2893e4a1ceac635
Assasin 2.3 Pegasus.7z           a447e5f7856e989a2bd3bf782c780f96a873acd04954e63add0ef451b4d62dea
Pegasus Spyware Zero Click.7z    4a5cf1a12144a757d63eb9e7665adb45a5efed8921ffc4ae222d282612472ae2
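As an added example (not part of CloudSEK's report or its tooling), a small Python checker that loads the table above, normalizes its mixed-case digests, infers the hash algorithm from the digest length (the table header allows MD5 or SHA256), and hashes every file under a directory to flag anything matching one of the fake-Pegasus samples. It assumes the rows are pasted as sample name followed by hash, one row per line.

```python
import hashlib
from pathlib import Path

# Rows copied from the report's table: "<sample name> <hash>" per line.
# Names contain spaces, so the hash is the last whitespace-separated token.
IOC_TABLE = """
PEGASUS-LIME-HVNC-main.zip 3702DFD61CFCC80592081B8C94B9D5E1D50744FEC375F1E3958CD440A0BD03AC
PegasusHVNCclient-main.zip 5E953E81F81B82E9B8D068201E33721F404834AD1E92959A141024C39EAC25C8
pegasushvnc-main.zip 3371306320ca2b9dda1e1c1e3b92ebd9cf814133e9d4c87feb7bb074979254db
pegasushvnc2-main.zip 9cf46bcfb01bd1963e90f2e763047057275232eba80fbe541b7f3a509e285867
PEGASUS-LIME-HVNC-main.zip 9d080f15c2cdddb27aa5934c30a9ac76e53c1dea8b6bca941ba53e2b65be948c
PegasusHVNCclient-main.zip d1fd74cc5de27b63530d9501f07450d7b7f6ec816331af858c6cca512217a76d
Pegasus. {ALL Pakages}.zip 60f5d331ac5a55138bbea0d85e844405cee2372c7a4d53c0f2893e4a1ceac635
Assasin 2.3 Pegasus.7z a447e5f7856e989a2bd3bf782c780f96a873acd04954e63add0ef451b4d62dea
Pegasus Spyware Zero Click.7z 4a5cf1a12144a757d63eb9e7665adb45a5efed8921ffc4ae222d282612472ae2
"""

ALGO_BY_LEN = {32: "md5", 64: "sha256"}  # algorithm inferred from hex length

def load_iocs(text=IOC_TABLE):
    """Return {lower-case digest: (algorithm, sample name)}; skip malformed rows."""
    iocs = {}
    for row in text.strip().splitlines():
        name, _, digest = row.rpartition(" ")
        digest = digest.strip().lower()  # table mixes upper- and lower-case hex
        algo = ALGO_BY_LEN.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            continue  # never match on a truncated or non-hex value
        iocs[digest] = (algo, name)
    return iocs

def match_digest(digest, iocs):
    """Name of the fake-Pegasus sample this digest belongs to, or None."""
    entry = iocs.get(digest.strip().lower())
    return entry[1] if entry else None

def scan_directory(root, iocs):
    """Hash every file under root with each algorithm the table uses; return hits."""
    algos = {algo for algo, _ in iocs.values()}
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            for algo in algos:
                digest = hashlib.new(algo, p.read_bytes()).hexdigest()
                name = match_digest(digest, iocs)
                if name:
                    hits.append((str(p), name))
    return hits
```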

Outcome

After obtaining 15 samples and 30+ indicators from HUMINT and deep and dark web sources, it was discovered that nearly all of these actors had been creating their own fraudulent, ineffective tools and scripts and attempting to distribute them under Pegasus' name, capitalizing on the reputation of Pegasus and NSO Group for substantial financial gain.

A subset of these posts was also found to make purported Pegasus samples publicly available. CloudSEK researchers analysed more than 15 unique samples and observed that actors have been disseminating malware to compromise end users' devices, leveraging Pegasus' name to persuade victims to download these malicious programs.

In addition to IRC platforms, a similar trend has been noted across multiple underground forums, where perpetrators are marketing samples and openly distributing them, exploiting Pegasus’ name for their monetary gain.

Snapshot of propagating Malware on IRC channels & underground forums claiming to be official Pegasus Samples

The above research is a testament to the fact that various Threat Actor groups have always been keen to leverage Pegasus’ name to market and profit from their self-created samples. Adding to the intrigue, a recent development on IRC platforms, which has garnered significant attention, aligns closely with our discussions so far. 

On April 5, 2024, a Telegram (TG) group named Deanon ClubV7 announced that they had obtained legitimate access to Pegasus and were offering permanent access for a fee of USD 1.5 million. The group proudly claimed to be the first to secure access to Pegasus and to have sold four accesses, bringing in a total of $6,000,000, within just two days. Interestingly, the group internally shared and took pride in the same official advisory released by Apple.

Snapshot of Deanon ClubV7’s post on access to Pegasus for USD 1.5M

Snapshot of Deanon ClubV7’s post after release of official advisory by Apple

Conclusion

This incident isn't isolated, and while nothing specific can be conclusively determined, it raises a crucial question. Are all these internal claims about having access to or a leak of Pegasus' source code, capitalizing on its reputation, merely a ruse and a ploy to distribute and profit from various custom-built spyware, while ensuring they don't attract the same level of attention and remain under the radar? It's important to remember that Pegasus is just a tool—a cyber weapon. Ultimately, the responsibility lies with the users who wield it. 

In light of these events, it's essential to approach attributions of such attacks with caution. Instead of accepting assumptions or potentially implicating individuals or groups, this serves as a reminder to question the narratives we encounter and to critically examine our beliefs about the origins of such spyware.
