cyble-Pegasus-spyware-dr-swamy

Israeli Spyware Pegasus Spying on Journalists and Activists

Pegasus spyware, developed by the Israeli company NSO Group, was employed in a number of attempted as well as successful hacks of several smartphones and personal computers belonging to journalists, activists, and business executives worldwide, according to an investigation by the Washington Post and its other consortium members under Project Pegasus. 
The most affected countries are: 

  • Mexico 
  • Azerbaijan 
  • Kazakhstan 
  • Hungary 
  • India 
  • United Arab Emirates 
  • Saudi Arabia 
  • Bahrain 
  • Morocco 
  • Rwanda 
  • Togo 

On July 18, 2021, Subramanian Swamy, a member of the Parliament of India, tweeted about rumors associated with two newspapers publishing a report to expose the hiring of an Israeli firm for spying activities.  

Figure 1 Tweet by Subramanian Swamy 

Pegasus is a spyware developed by the Israeli cyberarms firm NSO Group. It can be covertly installed on mobile phones and other devices. Pegasus is an advanced spyware used to infiltrate phones using 0-day exploits present in any commonly used social media applications or by tricking users into installing the malware through targeted phishing attacks. 

Below is the description of Pegasus from the NSO group (source: leaked documentation of the NSO group).

Pegasus Features as Published in NSO Group Advisory
Pegasus Malware High-Level Architecture

The spyware has allegedly been used for tapping into the phones of Cabinet Ministers from the Government of India, Leaders of the Rashtriya Swayamsevak Sangh (RSS), Judges of the Supreme Court of India, and journalists. 

In the past, on several occasions, Pegasus was being used to spy on Indian government officials. In 2019, Facebook told a California court that the Pegasus software was used to hack into the phones of at least 121 Indian citizens. In the same year, the spyware also exploited a vulnerability on WhatsApp to carry out a remote surveillance attack for infiltrating the phones of 1400 individuals globally, Including lawyers, activists, etc. 

Pegasus Initial Vector 

The threat actor shares the URL to the victim via messaging apps like WhatsApp. Once the user clicks on the URL, they are redirected to the exploit landing page for delivering of the additional payload. After successful exploitation, it installs the spyware on the victim’s mobile. Earlier, Pegasus was known to target iOS devices, and researchers later confirmed that the threat actors have been using Pegasus to target Android devices. 

Pegasus Installation, Source: NSO Group Leaked Documents
Pegasus Malware Agent Installation, Source: NSO Group Leaked Documents
Pegasus Malware Installation Flow, Source: NSO Group Leaked Documents

Capabilities of Pegasus 

The image below showcases the installation methods and capabilities of Pegasus.  

Figure 2 Installation Techniques and Capabilities of Pegasus 

The capabilities include exploiting the web browser, remotely jailbreaking the iOS using kernel exploits, and bypassing security mechanisms like Kernel address space layout randomization (KASLR). 

Pegasus Malware Data Collection, Source: NSO Group Leaked Documents

Earlier in 2016, the malware has used the 3 CVE’s, also known as Trident, for targeting the iOS devices. These are: 

  • CVE-2016-4657 – Used for the initial shellcode execution and launched by the web-based Exploit Kit (EK). 
  • CVE-2016-4655 – An exploit used to bypass KASLR to get the Kernel base address. 
  • CVE-2016-4656 – Using this exploit, threat actors can jailbreak the device and perform software installation. 

After installation of the malware provides complete access to the device. The capabilities of malware range from call recording to accessing device settings. 

The following table depicts few of malware capabilities. 

Capabilities 
Call Recording 
Email and SMS  
Browser History 
File retrieval 
Device Settings 

Table 1 Malware capabilities 

Pegasus Malware Collection Capabilities: Source, NSO Group Leaked Documents
Source: NSO Group Leaked Documents
Source: NSO Group Leaked Documents
Source: NSO Group Leaked Documents
Source: NSO Group Leaked Documents

On July 15, 2021, the Washington Post released an article about a private Israeli firm that has been helping governments to hack into phones of journalists and human rights advocates. Similar to the NSO Group, many other Israeli agencies are involved in such activities, wherein they sell such sophisticated malware/spyware to governments. Recently, a private agency firm, Candiru was found selling spyware, as confirmed by Citizen Lab. The malware called DevilsTongue, and created by Candiru, had been used for targeting windows machines.   

The kill chains of the malware created by the NSO Group and Candiru have many similarities. For instance, both use browser-based exploits to deliver payload, which makes us speculate that the spyware are interconnected. 

The high-level analysis of the DevilsTongue malware is shown below. As per the Microsoft Threat Intelligence Center (MSTIC), the threat actor used two windows 0-day exploits, such as CVE-2021-31979 and CVE-2021-33771 for targeting users. The exploits were chained so that they could escape browser sandbox and gain kernel code execution. Using this chain, the threat actor was able to install the DevilsTongue malware on the victim machine. 

As per the Microsoft analysis, the DevilsTongue is a complex modular multi-threaded piece of malware written using C and C++ language. It is appropriately stripped so that all PDB file symbols are removed, and strings/configuration data are encrypted. The malware functionalities are encrypted when it’s on disk, and it decrypts its functionality in the memory. Also, the malware can access both Operating System (OS) modes, ie. kernel and user modes, which makes it a highly sophisticated malware. 

Initially, the malware uses the COM Hijacking technique by overwriting the legitimate-DLL path with the Malware first stager DLL path to achieve persistence in the victim OS. The first stage DLL is loaded into the system process “svchost.exe” to run it with SYSTEM privilege, and the first stage payload is loaded using COM Hijacking. This leads to a breaking of the legitimate functionality. Interestingly, the malware uses a series of techniques to load both the legitimate-DLL and malware-DLL. After this, the malware decrypts other stager modules encrypted in “.dat” files. These stagers have capabilities like file collection, registry query, credential dumping from the LSASS process and browsers, and cookies stealing, among others. 

The DevilsTongue malware is also known to be using a legitimate signed driver file for malicious purposes. The driver file belongs to the “Physical Memory Viewer” tool provided by Hilscher, as shown in the figure below.  

Figure 3 Physical Memory Viewer Tools provided by Hilscher 

As per our investigation, the Physical Memory Viewer Tools by Hilscher and the IoC shared by Microsoft have the same hash, as highlighted below. 

Figure 4 Hashes of legitimate x64 physmem.sys file. 

The use of this driver is to proxy specific API calls via the kernel for evading detection.  

The following table showcases the malware artifacts on the victim’s machine  

Path 
C:\Windows\system32\drivers\physmem.sys  
C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat 
C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat 
C:\Windows\system32\config\config\startwus.dat 

Table 2 Malware artefacts 

MSTIC has not provided any malware hashes because, except for the third-party drivers, DevilsTongue files have unique hashes, and hence are not a useful IoC.  

Based on the behavior of the Pegasus and DevilsTongue malware, we may speculate that both the malware are interconnected. However, there’s not enough evidence to support this, and the Cyble Research team is continuously monitoring the activities of the malware and will keep updating this space for more information. 

Our Recommendations 

We’ve listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow these suggestions given below:  

  • Apply patches for CVE-2021-31979 and CVE-2021-33771 provided by Microsoft. 
  • Use strong passwords and enforce multi-factor authentication wherever possible.     
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.       
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.  
  • Conduct regular backup practices and keep those backups offline or in a separate network. 

MITRE ATT&CK® Techniques 

Tactic Technique ID Technique Name 
Initial Access T1566 Phishing 
Execution T1203 Exploitation for Client Execution 
Persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 
Privilege Escalation T1574 Hijack Execution Flow 
Defense Evasion T1574 T1574 T1055 Hijack Execution Flow Masquerading Process Injection 
Credential Access T1555 T1003.001 T1539 Credentials from Password Stores OS Credential Dumping: LSASS Memory Steal Web Session Cookie 
Exfiltration T1041 Exfiltration Over C2 Channel 

Indicators of Compromise (IoCs):   

Indicators Indicator type Description 
c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d  Hash (Non-malious) SHA-256 of physmem.sys (x64) 
7841fe621eb9bf443e19bb88c5df1d9ea14feed829d18e84258380dc462816fd Hash SHA-256 of CVE-2021-33771 
63a3c1b2e1ca65bf71322b84305f612bc625ac40eff667f56655022d05cf0be0 Hash SHA-256 of CVE-2021-31979 
bf4bedf2722525ae269db0d661d38010671144dec9dc38471f77915dcfb6772d Hash SHA-256 of CVE-2021-31979 
fc869c9853eef46976ecc03bf109f409bf391413862637dec98951df1c8c8b7d Hash SHA-256 of CVE-2021-33771 

Yara Rules:  

import "pe" 

rule DevilsTongue_HijackDll 

{ 

meta: 

description = "Detects SOURGUM's DevilsTongue hijack DLL" 

author = "Microsoft Threat Intelligence Center (MSTIC)" 

date = "2021-07-15" 

strings: 

$str1 = "windows.old\\windows" wide 

$str2 = "NtQueryInformationThread" 

$str3 = "dbgHelp.dll" wide 

$str4 = "StackWalk64" 

$str5 = "ConvertSidToStringSidW" 

$str6 = "S-1-5-18" wide 

$str7 = "SMNew.dll" // DLL original name 

// Call check in stack manipulation 

// B8 FF 15 00 00   mov     eax, 15FFh 

// 66 39 41 FA      cmp     [rcx-6], ax 

// 74 06            jz      short loc_1800042B9 

// 80 79 FB E8      cmp     byte ptr [rcx-5], 0E8h ; 'è' 

$code1 = {B8 FF 15 00 00 66 39 41 FA 74 06 80 79 FB E8} 

// PRNG to generate number of times to sleep 1s before exiting 

// 44 8B C0 mov r8d, eax 

// B8 B5 81 4E 1B mov eax, 1B4E81B5h 

// 41 F7 E8 imul r8d 

// C1 FA 05 sar edx, 5 

// 8B CA    mov ecx, edx 

// C1 E9 1F shr ecx, 1Fh 

// 03 D1    add edx, ecx 

// 69 CA 2C 01 00 00 imul ecx, edx, 12Ch 

// 44 2B C1 sub r8d, ecx 

// 45 85 C0 test r8d, r8d 

// 7E 19    jle  short loc_1800014D0 

$code2 = {44 8B C0 B8 B5 81 4E 1B 41 F7 E8 C1 FA 05 8B CA C1 E9 1F 03 D1 69 CA 2C 01 00 00 44 2B C1 45 85 C0 7E 19} 

condition: 

filesize < 800KB and 

uint16(0) == 0x5A4D and 

(pe.characteristics & pe.DLL) and 

( 

4 of them or 

($code1 and $code2) or 

(pe.imphash() == "9a964e810949704ff7b4a393d9adda60") 

) 

} 

About Us   

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.    

%d bloggers like this: