Malware Intelligence
mins read

Everything You Need to Know about the Pegasus Spyware

Everything You Need to Know about the Pegasus Spyware

July 20, 2021
Green Alert
Last Update posted on
February 3, 2024
Proactive Monitoring of the Dark Web for your organization

Proactively monitor and defend against malware with CloudSEK XVigil Malware Logs module, ensuring the integrity of your digital assets

Schedule a Demo
Table of Contents
Author(s)
No items found.

What happened?

On 18 July 2021, The Pegasus Project (a collaboration between journalists from 17 media organizations in 10 countries coordinated by Forbidden Stories, a Paris-based media non-profit, with the technical support of Amnesty International) reported that they obtained over 50,000 phone numbers of potential targets of the clients of the NSO group, an Israeli Technology firm. The list includes journalists, activists, academics, lawyers, politicians/ government officials, businessmen, doctors, prosecutors and friends and relatives of apparent people of interest for NSO clients. 

Source- https://twitter.com/amnesty

The NSO Group

Based in Herzliya, near Tel Aviv, Israel, the NSO group is a private Israeli cyberweapons firm that was founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio. It employed almost 500 people as of 2017, and reported a 2020 EBITDA of USD 99 million which accounted for nearly 40% of their revenue.

What is Pegasus?

Pegasus is a military grade spyware developed by the NSO group with the purported intention of assisting nation states and law enforcement to prevent and investigate terrorism, crime, and maintain public safety.

The initial access attack surface available to deploy Pegasus in any victim device is as wide as the device vulnerability exposure, including applications used, permissions granted, and hardware. Pegasus operators have the capability to target a wide range of hardware and application vulnerabilities across multiple OS (Operating Systems) to deploy it, including both Android and iOS devices. The prevention and mitigation would entail a high degree of cyber hygiene, awareness, and operational security.

Allegations of misuse of Pegasus have been raised since 2016, when spear phishing was used as an attack vector to deploy Pegasus. In 2019, Facebook sued the NSO group alleging that Whatsapp servers were used to deploy Pegasus on 1,400 mobile phones in an attempt to target journalists, diplomats, human rights activists, senior government officials, and other parties by exploiting a zero-day. The lawsuit claimed that the malware was unable to break the Facebook-owned encryption, and instead infected customers’ phones, giving NSO access to messages after they were decrypted on the receiver’s device.

Known Clients of NSO using Pegasus
  • Azerbaijan
  • Bahrain
  • Hungary
  • India
  • Kazakhstan
  • Mexico
  • Morocco
  • Rwanda
  • Saudi Arabia
  • Togo
  • United Arab Emirates (UAE)
Past Events attributed to the NSO Group

Historically, the Pegasus malware has been tied to following events:

Is Pegasus the only Spyware Around?

The textbook definition of Spyware is, “software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive.”

Apart from Pegasus, other spyware have been discovered over the last few years. For example, in 2019, Vice reported that an Italy-based development company operating under the title, eSurv, had staged an Android-based malware called “Exodus.” Exodus was discovered by researchers at securitywithoutborders.org, when they found it spying on behalf of the Italian government. The Exodus spyware was uploaded as a legitimate application on Google Playstore and was made available for users to download. Upon analysis, it was observed the malware operated in multiple stages and executed successfully on victims’ devices.

NSO Group claims vetting of its clients to ensure good Human Rights records before onboarding them, which points to a semblance of regulation in deployment and identification of targets. 

Impact

  • Has the capability to target both android and ios devices
  • Pegasus spyware is capable of 
    • reading text messages
    • tracking calls
    • collecting passwords
    • tracking location
    • accessing the target device’s microphone and camera
    • harvesting information from apps
  • Expose sensitive information of the user

Mitigation

  • Install system and application updates, specifically browser updates.
  • Do not click on suspicious links in the SMS/Emails.
  • Last resort should be reflashing the mobile device.

Note: Pegasus is not a generic malware that targets mass populations.

Technical Analysis of Pegasus

The Pegasus surveillance solution offers advanced features for sophisticated intelligence gathering from the following target endpoints and devices:

  • Android
  • iOS
  • Blackberry
  • Symbian based devices
Capabilities

Pegasus has the following features:

  • Extraction of contacts, emails, photos, files, locations, passwords, processes, intercepts calls and messages.
  • Self destruction mechanism to neutralize the application running on target devices to ensure there is no evidence. 
Infection Vector

Most of the high profile compromises have been carried out by sending a malicious link to the target victim. And when the target opens the link the Pegasus malware payload gets downloaded and installed on the endpoint.

Agent

An agent is a software component (malware) deployed through covert means on the target device to initiate the surveillance and data collection. The agent code is written based on the architecture specifics of the target endpoint. 

Agent Installation 

Supported installation vectors require only the phone number/ email used by the target to successfully install the agent. Documented supported installation vectors include:

  • Over-the-Air (OTA): In this method of installation, a push message/ notification is sent to the target mobile device. The message triggers the device to download and install the agent on the device covertly. User interaction, such as clicking a link or opening a message, is not required in this process. 
  • Enhanced Social Engineering Message (ESEM): In this method of installation, the Pegasus operator sends a malicious mail or SMS to the target victim. And when the link is opened the agent gets downloaded and installed on the target endpoint.

The installation vectors used to install the agent when phone number/ email is not available but the target is in close proximity, include:

  • Tactical Network Element Installation: In the tactical installation method the target’s phone number is acquired using Base Transceiver Station (BTS). And using the phone number, the agent is installed on the target device. Taking position in the vicinity of the target is, in most cases, sufficient to accomplish the phone number acquisition, and the installation is done remotely.
  • Physical Installation: In this method of installation, an operator who has physical access to the device drops the agent onto the target device.
Collecting Data

After installing the agent successfully on the target device, data from multiple sources are collected. The types of collected data include:

  • Textual data like SMS, Email, Call History etc. 
  • Visual data including Photos and Screenshots
  • Audio data like audio records
  • Files including documents and the like
  • Real-time monitoring of the device location
Initial Data Extraction

The following data is collected from the device and sent back to the Command and Control server:

  • SMS Records
  • Contacts details
  • Call history 
  • Calendar records
  • Emails
  • Instant Messaging
  • Browsing history
Passive Monitoring

After initial data capture, the agent keeps monitoring for new  data records such as:

  • SMS records
  • Contacts details
  • Call history (call log)
  • Calendar records
  • Emails 
  • Instant Messaging
  • Browsing history
  • Location tracking (Cell-ID based)
Active Collection

At any given time the malware operator can send a request to the infected device to get the collected data and perform real-time actions on the target device. This data includes:

  • Location tracking (GPS based)
  • Voice call interception
  • File retrieval
  • Environmental sound recording (microphone recording)
  • Photo taking
  • Screen capturing

Pegasus Tactics, Techniques, and Procedures

Based on prior campaigns, Pegasus is known to use exploit chains to deploy the surveillance agent on the mobile device.

  • Phase 0x1 (Malicious link and Initial Exploitation): ESEM method of deployment results in a malicious link that an operator can send out to the victim. And when the link is opened, it exploits a browser vulnerability to gain access to the system.
  • Phase 0x2 (JailBreaking and agent deployment): After gaining access to the system, kernel level exploits are used to gain complete control over the device (jailbreaking). Once kernel level access is obtained, the final payload that contains the surveillance modules is deployed via kernel level persistence. The agent then installs “application hooks” on the jailbroken devices. Such hooks enable the agent to spy on various applications installed on the device.
  • Phase 0x3: In this phase the agent downloads libraries used for doing malicious activities onto the system, these libraries implement sniffing and monitoring of various applications like WhatsApp, Viber etc. These modules also support call and camera recording
Monitoring via Interception 

Once the agent is successfully installed on the system, it works closely with the kernel to spy on various applications installed on the device. This is implemented via hooks, as hooks are software components to intercept various system calls to the kernel thus compromising application data sent to kernel for processing. 

Self Destruction Mechanism

Pegasus has a self destruction mechanism to wipe out evidence from the compromised system. This includes killing processes related to the agent running the system and clearing modules or libraries used  for implementing monitoring activities on the mobile device.

MITRE ATT&CK TTPs

Initial Access

  • T1475: Deliver Malicious App via Authorized App Store

Execution

  • T1402: Broadcast Receivers

Persistence

  • T1402: Broadcast Receivers
  • T1400: Modify System Partition

Privilege Escalation

  • T1404: Exploit OS Vulnerability

Defense Evasion

  • T1418: Application Discovery
  • T1400: Modify System Partition

Credential Access

  • T1409: Access Stored Application Data

Discovery

  • T1418: Application Discovery
  • T1422: System Network Configuration Discovery

Collection

  • T1435: Access Calendar Entries
  • T1433: Access Call Log
  • T1432: Access Contact List
  • T1409: Access Stored Application Data
  • T1429: Capture Audio
  • T1512: Capture Camera

Command and Control

  • T1438: Alternate Network Mediums

Exfiltration

  • T1438: Alternate Network Mediums

Impact

  • T1400: Modify System Partition
Indicators of Compromise

Following domains are identified as malicious and are part of a small subset of NSO Pegasus campaign 

mongo77usr.urlredirect.net
str1089.mailappzone.com
apiweb248.theappanalytics.com
dist564.htmlstats.net
css235gr.apigraphs.net
nodesj44s.unusualneighbor.com
jsonapi2.linksnew.info
img9fo658tlsuh.securisurf.com
pc25f01dw.loading-url.net
dbm4kl5d3faqlk6.healthyguess.com
img359axw1z.reload-url.net
css2307.cssgraphics.net
info2638dg43.newip-info.com
img87xp8m.catbrushcable.com
img108jkn42.av-scanner.com
mongom5sxk8fr6.extractsight.com
img776cg3.webprotector.co
tv54d2ml1.topadblocker.net
drp2j4sdi.safecrusade.com
api1r3f4.redirectweburl.com
pc41g20bm.redirectconnection.net
jsj8sd9nf.randomlane.net
php78mp9v.opposedarrangement.net
References
  • https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab 
  • https://research.checkpoint.com/2019/the-nso-whatsapp-vulnerability-this-is-how-it-happened/ 
  • https://www.nytimes.com/2018/12/02/world/middleeast/saudi-khashoggi-spyware-israel.html
  • https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html
  • https://www.theguardian.com/world/2020/dec/07/mexico-cartels-drugs-spying-corruption
  • https://otx.alienvault.com/pulse/60f68942fafbc9a0287b9978

Author

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Adversary Intelligence
February 3, 2024

From Discussion Forums to Malware Mayhem: The Alarming Rise of Abuse on Google Groups and Usenet

Explore the escalating wave of cyber threats on platforms like Google Groups and Usenet, uncovering the pivotal role of cybersecurity in safeguarding online discussion forums.

Blog Image
Adversary Intelligence

Redirect Chain: Advertisement Services being Abused by Threat Actors to Redirect Users to Malware, Betting, Adult Websites

Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them.

Blog Image
Malware
December 29, 2023

Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking

A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Malware Intelligence

min read

Everything You Need to Know about the Pegasus Spyware

Everything You Need to Know about the Pegasus Spyware

Authors
Co-Authors
No items found.

What happened?

On 18 July 2021, The Pegasus Project (a collaboration between journalists from 17 media organizations in 10 countries coordinated by Forbidden Stories, a Paris-based media non-profit, with the technical support of Amnesty International) reported that they obtained over 50,000 phone numbers of potential targets of the clients of the NSO group, an Israeli Technology firm. The list includes journalists, activists, academics, lawyers, politicians/ government officials, businessmen, doctors, prosecutors and friends and relatives of apparent people of interest for NSO clients. 

Source- https://twitter.com/amnesty

The NSO Group

Based in Herzliya, near Tel Aviv, Israel, the NSO group is a private Israeli cyberweapons firm that was founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio. It employed almost 500 people as of 2017, and reported a 2020 EBITDA of USD 99 million which accounted for nearly 40% of their revenue.

What is Pegasus?

Pegasus is a military grade spyware developed by the NSO group with the purported intention of assisting nation states and law enforcement to prevent and investigate terrorism, crime, and maintain public safety.

The initial access attack surface available to deploy Pegasus in any victim device is as wide as the device vulnerability exposure, including applications used, permissions granted, and hardware. Pegasus operators have the capability to target a wide range of hardware and application vulnerabilities across multiple OS (Operating Systems) to deploy it, including both Android and iOS devices. The prevention and mitigation would entail a high degree of cyber hygiene, awareness, and operational security.

Allegations of misuse of Pegasus have been raised since 2016, when spear phishing was used as an attack vector to deploy Pegasus. In 2019, Facebook sued the NSO group alleging that Whatsapp servers were used to deploy Pegasus on 1,400 mobile phones in an attempt to target journalists, diplomats, human rights activists, senior government officials, and other parties by exploiting a zero-day. The lawsuit claimed that the malware was unable to break the Facebook-owned encryption, and instead infected customers’ phones, giving NSO access to messages after they were decrypted on the receiver’s device.

Known Clients of NSO using Pegasus
  • Azerbaijan
  • Bahrain
  • Hungary
  • India
  • Kazakhstan
  • Mexico
  • Morocco
  • Rwanda
  • Saudi Arabia
  • Togo
  • United Arab Emirates (UAE)
Past Events attributed to the NSO Group

Historically, the Pegasus malware has been tied to following events:

Is Pegasus the only Spyware Around?

The textbook definition of Spyware is, “software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive.”

Apart from Pegasus, other spyware have been discovered over the last few years. For example, in 2019, Vice reported that an Italy-based development company operating under the title, eSurv, had staged an Android-based malware called “Exodus.” Exodus was discovered by researchers at securitywithoutborders.org, when they found it spying on behalf of the Italian government. The Exodus spyware was uploaded as a legitimate application on Google Playstore and was made available for users to download. Upon analysis, it was observed the malware operated in multiple stages and executed successfully on victims’ devices.

NSO Group claims vetting of its clients to ensure good Human Rights records before onboarding them, which points to a semblance of regulation in deployment and identification of targets. 

Impact

  • Has the capability to target both android and ios devices
  • Pegasus spyware is capable of 
    • reading text messages
    • tracking calls
    • collecting passwords
    • tracking location
    • accessing the target device’s microphone and camera
    • harvesting information from apps
  • Expose sensitive information of the user

Mitigation

  • Install system and application updates, specifically browser updates.
  • Do not click on suspicious links in the SMS/Emails.
  • Last resort should be reflashing the mobile device.

Note: Pegasus is not a generic malware that targets mass populations.

Technical Analysis of Pegasus

The Pegasus surveillance solution offers advanced features for sophisticated intelligence gathering from the following target endpoints and devices:

  • Android
  • iOS
  • Blackberry
  • Symbian based devices
Capabilities

Pegasus has the following features:

  • Extraction of contacts, emails, photos, files, locations, passwords, processes, intercepts calls and messages.
  • Self destruction mechanism to neutralize the application running on target devices to ensure there is no evidence. 
Infection Vector

Most of the high profile compromises have been carried out by sending a malicious link to the target victim. And when the target opens the link the Pegasus malware payload gets downloaded and installed on the endpoint.

Agent

An agent is a software component (malware) deployed through covert means on the target device to initiate the surveillance and data collection. The agent code is written based on the architecture specifics of the target endpoint. 

Agent Installation 

Supported installation vectors require only the phone number/ email used by the target to successfully install the agent. Documented supported installation vectors include:

  • Over-the-Air (OTA): In this method of installation, a push message/ notification is sent to the target mobile device. The message triggers the device to download and install the agent on the device covertly. User interaction, such as clicking a link or opening a message, is not required in this process. 
  • Enhanced Social Engineering Message (ESEM): In this method of installation, the Pegasus operator sends a malicious mail or SMS to the target victim. And when the link is opened the agent gets downloaded and installed on the target endpoint.

The installation vectors used to install the agent when phone number/ email is not available but the target is in close proximity, include:

  • Tactical Network Element Installation: In the tactical installation method the target’s phone number is acquired using Base Transceiver Station (BTS). And using the phone number, the agent is installed on the target device. Taking position in the vicinity of the target is, in most cases, sufficient to accomplish the phone number acquisition, and the installation is done remotely.
  • Physical Installation: In this method of installation, an operator who has physical access to the device drops the agent onto the target device.
Collecting Data

After installing the agent successfully on the target device, data from multiple sources are collected. The types of collected data include:

  • Textual data like SMS, Email, Call History etc. 
  • Visual data including Photos and Screenshots
  • Audio data like audio records
  • Files including documents and the like
  • Real-time monitoring of the device location
Initial Data Extraction

The following data is collected from the device and sent back to the Command and Control server:

  • SMS Records
  • Contacts details
  • Call history 
  • Calendar records
  • Emails
  • Instant Messaging
  • Browsing history
Passive Monitoring

After initial data capture, the agent keeps monitoring for new  data records such as:

  • SMS records
  • Contacts details
  • Call history (call log)
  • Calendar records
  • Emails 
  • Instant Messaging
  • Browsing history
  • Location tracking (Cell-ID based)
Active Collection

At any given time the malware operator can send a request to the infected device to get the collected data and perform real-time actions on the target device. This data includes:

  • Location tracking (GPS based)
  • Voice call interception
  • File retrieval
  • Environmental sound recording (microphone recording)
  • Photo taking
  • Screen capturing

Pegasus Tactics, Techniques, and Procedures

Based on prior campaigns, Pegasus is known to use exploit chains to deploy the surveillance agent on the mobile device.

  • Phase 0x1 (Malicious link and Initial Exploitation): ESEM method of deployment results in a malicious link that an operator can send out to the victim. And when the link is opened, it exploits a browser vulnerability to gain access to the system.
  • Phase 0x2 (JailBreaking and agent deployment): After gaining access to the system, kernel level exploits are used to gain complete control over the device (jailbreaking). Once kernel level access is obtained, the final payload that contains the surveillance modules is deployed via kernel level persistence. The agent then installs “application hooks” on the jailbroken devices. Such hooks enable the agent to spy on various applications installed on the device.
  • Phase 0x3: In this phase the agent downloads libraries used for doing malicious activities onto the system, these libraries implement sniffing and monitoring of various applications like WhatsApp, Viber etc. These modules also support call and camera recording
Monitoring via Interception 

Once the agent is successfully installed on the system, it works closely with the kernel to spy on various applications installed on the device. This is implemented via hooks, as hooks are software components to intercept various system calls to the kernel thus compromising application data sent to kernel for processing. 

Self Destruction Mechanism

Pegasus has a self destruction mechanism to wipe out evidence from the compromised system. This includes killing processes related to the agent running the system and clearing modules or libraries used  for implementing monitoring activities on the mobile device.

MITRE ATT&CK TTPs

Initial Access

  • T1475: Deliver Malicious App via Authorized App Store

Execution

  • T1402: Broadcast Receivers

Persistence

  • T1402: Broadcast Receivers
  • T1400: Modify System Partition

Privilege Escalation

  • T1404: Exploit OS Vulnerability

Defense Evasion

  • T1418: Application Discovery
  • T1400: Modify System Partition

Credential Access

  • T1409: Access Stored Application Data

Discovery

  • T1418: Application Discovery
  • T1422: System Network Configuration Discovery

Collection

  • T1435: Access Calendar Entries
  • T1433: Access Call Log
  • T1432: Access Contact List
  • T1409: Access Stored Application Data
  • T1429: Capture Audio
  • T1512: Capture Camera

Command and Control

  • T1438: Alternate Network Mediums

Exfiltration

  • T1438: Alternate Network Mediums

Impact

  • T1400: Modify System Partition
Indicators of Compromise

Following domains are identified as malicious and are part of a small subset of NSO Pegasus campaign 

mongo77usr.urlredirect.net
str1089.mailappzone.com
apiweb248.theappanalytics.com
dist564.htmlstats.net
css235gr.apigraphs.net
nodesj44s.unusualneighbor.com
jsonapi2.linksnew.info
img9fo658tlsuh.securisurf.com
pc25f01dw.loading-url.net
dbm4kl5d3faqlk6.healthyguess.com
img359axw1z.reload-url.net
css2307.cssgraphics.net
info2638dg43.newip-info.com
img87xp8m.catbrushcable.com
img108jkn42.av-scanner.com
mongom5sxk8fr6.extractsight.com
img776cg3.webprotector.co
tv54d2ml1.topadblocker.net
drp2j4sdi.safecrusade.com
api1r3f4.redirectweburl.com
pc41g20bm.redirectconnection.net
jsj8sd9nf.randomlane.net
php78mp9v.opposedarrangement.net
References
  • https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab 
  • https://research.checkpoint.com/2019/the-nso-whatsapp-vulnerability-this-is-how-it-happened/ 
  • https://www.nytimes.com/2018/12/02/world/middleeast/saudi-khashoggi-spyware-israel.html
  • https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html
  • https://www.theguardian.com/world/2020/dec/07/mexico-cartels-drugs-spying-corruption
  • https://otx.alienvault.com/pulse/60f68942fafbc9a0287b9978