Everything You Need to Know about the Pegasus Spyware
On 18 July 2021, The Pegasus Project (a collaboration between journalists from 17 media organizations in 10 countries, coordinated by Forbidden Stories, a Paris-based media non-profit, with the technical support of Amnesty International) reported that they had obtained over 50,000 phone numbers of potential targets of the clients of the NSO Group, an Israeli technology firm. The list includes journalists, activists, academics, lawyers, politicians/government officials, businessmen, doctors, prosecutors, and friends and relatives of apparent people of interest for NSO clients.
Based in Herzliya, near Tel Aviv, Israel, the NSO group is a private Israeli cyberweapons firm that was founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio. It employed almost 500 people as of 2017, and reported a 2020 EBITDA of USD 99 million which accounted for nearly 40% of their revenue.
Pegasus is military-grade spyware developed by the NSO Group with the purported intention of assisting nation states and law enforcement to prevent and investigate terrorism and crime, and to maintain public safety.
The initial access attack surface available for deploying Pegasus on a victim device is as wide as the device's vulnerability exposure, including the applications used, the permissions granted, and the hardware. Pegasus operators have the capability to target a wide range of hardware and application vulnerabilities across multiple operating systems, including both Android and iOS devices. Prevention and mitigation therefore entail a high degree of cyber hygiene, awareness, and operational security.
Allegations of misuse of Pegasus have been raised since 2016, when spear phishing was used as an attack vector to deploy it. In 2019, Facebook sued the NSO Group, alleging that WhatsApp servers were used to deploy Pegasus on 1,400 mobile phones by exploiting a zero-day, in an attempt to target journalists, diplomats, human rights activists, senior government officials, and other parties. The lawsuit claimed that the malware was unable to break the Facebook-owned encryption and instead infected customers' phones, giving NSO access to messages after they were decrypted on the receiver's device.
Historically, the Pegasus malware has been tied to the following events:
The textbook definition of Spyware is, “software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive.”
Apart from Pegasus, other spyware has been discovered over the last few years. For example, in 2019, Vice reported that an Italy-based development company operating under the name eSurv had built an Android-based malware called "Exodus." Exodus was discovered by researchers at securitywithoutborders.org, who found it spying on behalf of the Italian government. The Exodus spyware was uploaded to the Google Play Store as a legitimate application and made available for users to download. Upon analysis, it was observed that the malware operated in multiple stages and executed successfully on victims' devices.
NSO Group claims to vet its clients to ensure good human rights records before onboarding them, which points to a semblance of regulation in the deployment and identification of targets.
Note: Pegasus is not a generic malware that targets mass populations.
The Pegasus surveillance solution offers advanced features for sophisticated intelligence gathering from the following target endpoints and devices:
Pegasus has the following features:
Most of the high-profile compromises have been carried out by sending a malicious link to the target; when the target opens the link, the Pegasus payload is downloaded and installed on the endpoint.
An agent is a software component (malware) deployed through covert means on the target device to initiate surveillance and data collection. The agent code is written for the architecture specifics of the target endpoint.
Supported installation vectors require only the phone number or email address used by the target to successfully install the agent. Documented installation vectors include:
The installation vectors used to install the agent when a phone number or email address is not available but the target is in close proximity include:
After the agent is installed successfully on the target device, data from multiple sources is collected. The types of collected data include:
The following data is collected from the device and sent back to the Command and Control server:
After initial data capture, the agent keeps monitoring for new data records such as:
At any given time the malware operator can send a request to the infected device to get the collected data and perform real-time actions on the target device. This data includes:
Based on prior campaigns, Pegasus is known to use exploit chains to deploy the surveillance agent on the mobile device.
Once the agent is successfully installed on the system, it works closely with the kernel to spy on the various applications installed on the device. This is implemented via hooks: software components that intercept system calls to the kernel, thereby compromising application data sent to the kernel for processing.
Pegasus has a self-destruction mechanism to wipe evidence from the compromised system. This includes killing processes related to the agent running on the system and clearing the modules or libraries used to implement monitoring activities on the mobile device.
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Collection
Command and Control
Exfiltration
Impact
The following domains have been identified as malicious and belong to a small subset of NSO Pegasus campaigns:
mongo77usr.urlredirect.net
str1089.mailappzone.com
apiweb248.theappanalytics.com
dist564.htmlstats.net
css235gr.apigraphs.net
nodesj44s.unusualneighbor.com
jsonapi2.linksnew.info
img9fo658tlsuh.securisurf.com
pc25f01dw.loading-url.net
dbm4kl5d3faqlk6.healthyguess.com
img359axw1z.reload-url.net
css2307.cssgraphics.net
info2638dg43.newip-info.com
img87xp8m.catbrushcable.com
img108jkn42.av-scanner.com
mongom5sxk8fr6.extractsight.com
img776cg3.webprotector.co
tv54d2ml1.topadblocker.net
drp2j4sdi.safecrusade.com
api1r3f4.redirectweburl.com
pc41g20bm.redirectconnection.net
jsj8sd9nf.randomlane.net
php78mp9v.opposedarrangement.net
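The domain list above is only useful if it is actually checked against traffic. The following script, added here as an example and not CloudSEK's own tooling, sweeps DNS query logs for the listed indicators. It flags an exact match on any listed hostname and, as a weaker signal, any other hostname under the same parent domain, since campaign operators commonly rotate hostnames under infrastructure they control. The log format and the log lines are constructed for this example; the indicators are the ones listed on this page.

```python
"""Sweep DNS query logs for the Pegasus campaign domains listed on this page.

Added example, not CloudSEK code. The indicator list is copied from the page;
the log format ("<timestamp> <client> query: <qname>") and the log lines are
constructed for this example.
"""
import re
from typing import Dict, Iterable, List, Optional

# Indicators copied from the page's list of Pegasus campaign domains.
PEGASUS_DOMAINS = {
    "mongo77usr.urlredirect.net", "str1089.mailappzone.com",
    "apiweb248.theappanalytics.com", "dist564.htmlstats.net",
    "css235gr.apigraphs.net", "nodesj44s.unusualneighbor.com",
    "jsonapi2.linksnew.info", "img9fo658tlsuh.securisurf.com",
    "pc25f01dw.loading-url.net", "dbm4kl5d3faqlk6.healthyguess.com",
    "img359axw1z.reload-url.net", "css2307.cssgraphics.net",
    "info2638dg43.newip-info.com", "img87xp8m.catbrushcable.com",
    "img108jkn42.av-scanner.com", "mongom5sxk8fr6.extractsight.com",
    "img776cg3.webprotector.co", "tv54d2ml1.topadblocker.net",
    "drp2j4sdi.safecrusade.com", "api1r3f4.redirectweburl.com",
    "pc41g20bm.redirectconnection.net", "jsj8sd9nf.randomlane.net",
    "php78mp9v.opposedarrangement.net",
}


def parent_domain(host: str) -> str:
    """Return the last two labels of a hostname, lower-cased and without a
    trailing dot. This is not public-suffix aware (it would mis-handle
    names under e.g. .co.uk), but every indicator on the page is a
    two-label parent, so it is sufficient here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


# Parent domains derived from the indicators, so a freshly rotated hostname
# under e.g. urlredirect.net is still surfaced (as a weaker 'parent' match).
PEGASUS_PARENTS = {parent_domain(d) for d in PEGASUS_DOMAINS}

# Constructed sample log in a simple "<timestamp> <client> query: <qname>" form.
SAMPLE_DNS_LOG = """\
2021-07-18T10:01:02Z 10.0.0.14 query: www.example.com
2021-07-18T10:01:05Z 10.0.0.14 query: img108jkn42.av-scanner.com
2021-07-18T10:02:10Z 10.0.0.22 query: cdn77.urlredirect.net
2021-07-18T10:03:33Z 10.0.0.31 query: mail.google.com
2021-07-18T10:04:00Z 10.0.0.14 query: Str1089.MailAppZone.com.
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)$")


def classify(qname: str) -> Optional[str]:
    """'exact' for a listed indicator, 'parent' for another hostname under the
    same parent domain, None when the name is unrelated. Case and a trailing
    dot (as emitted by many resolvers) are normalised away first."""
    host = qname.lower().rstrip(".")
    if host in PEGASUS_DOMAINS:
        return "exact"
    if parent_domain(host) in PEGASUS_PARENTS:
        return "parent"
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit record per log line whose query name matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        verdict = classify(m["qname"])
        if verdict:
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "qname": m["qname"].lower().rstrip("."),
                "match": verdict,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} ({hit['match']})")
```

Against the constructed log this reports three hits: two exact matches from client 10.0.0.14 and one parent-domain match for cdn77.urlredirect.net from 10.0.0.22. Treat a 'parent' match as a lead to investigate rather than a confirmed infection, and treat repeated exact matches from a single client as grounds to isolate that device and preserve its logs for forensic review.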