NSO Pegasus Malware - How Governments spy on any phone


Contents (6 segments)

Segment 1 (00:00 - 05:00)

Hey everyone, Simon, cybercdh here. Hope you're doing really good. Today's video is all about Pegasus malware, a really interesting malware campaign, and it's developed by a company, or rather a clandestine organization, who hail from Israel, known as NSO Group. Gonna give you a little bit of backstory into NSO, how they develop Pegasus, what they use it for and who is targeted by this malware, and then also go through some malware analysis. We're going to go through some notes of caution as well about attribution and performing your own analysis and making your own kind of decisions and opinions in relation to threat intelligence that's out there. And on the subject of threat intel, we're going to talk about some intelligence that I've managed to gather in relation to this particular malware and potential victims around the world. Lots for us to get our teeth into today, so let's get going.

So in 2016 Citizen Lab produced an excellent blog post which discussed several security updates released by Apple to patch vulnerabilities primarily affecting Safari and OS X. The vulnerabilities being patched were collectively known as Trident, because there were three of them, and were reportedly used by the NSO Group to hack into the mobile devices of civil society group members and human rights defenders on behalf of state-sponsored spyware campaigns. One such example they describe in the blog is the targeting of Ahmed Mansoor, an internationally recognised human rights defender based in the United Arab Emirates.

Fast forward to 2021: Forbidden Stories have released details of an unprecedented leak of more than 50,000 phone numbers which apparently were targeted by customers of NSO Group using Pegasus malware. The consortium of journalists discovered that Pegasus has widely been misused since 2016, and at least 180 journalists have been the target of this malware across India, Mexico, Hungary, Morocco and France, to name but a few. Other potential targets also include human rights defenders, academics, business people, lawyers, doctors, union leaders, politicians and also several heads of state as well. The consortium even met with victims whose phone numbers appeared in this leak, and forensic analysis of their mobile phones was able to confirm the use of a zero-day, zero-click exploit, which we'll get to in a little bit more detail; it's called Megalodon, and that enabled the operators to gain initial access to the victim's device, which was used as the vehicle to implant the Pegasus malware. In this video I want to talk about some of the Pegasus malware analysis that I've undertaken from Android samples obtained, and also share some threat intelligence insights from a rather unique position I found myself in recently.

Let's first start by talking about Trident and Megalodon real quick. There's an infamous saying in the world of malware analysis that malware can hide but it must run, and indeed before malware can actually run it must actually infect a victim device in the first place, and Trident and Megalodon are examples of very sophisticated methods that the NSO Group have used to infiltrate almost any mobile phone on the planet. Now Trident is a trio of vulnerabilities, as I said earlier, which when chained together will allow for the complete compromise of an Apple device due to a flaw in WebKit, and WebKit is the web browser engine which is used by Safari, Mail and many other Apple apps. Now CVE-2016-4657 is particularly fascinating because simply visiting a web page can lead to code execution on your device. There's actually now even a Metasploit module available that will generate this exploit for you, and this puts what was once a military-grade zero-day in the hands of everyday hackers like you and me.

Let's talk about Megalodon. This is serious business. Amnesty International, as I said earlier, believed that Pegasus was being delivered through this zero-click exploit, and this is significant: Trident was a one-click exploit; it relied on the user clicking a link, visiting a web page, so it would rely on user input or user action. Megalodon is zero-click and does not rely on any interaction from the user itself, and so any iPhone can be remotely compromised just if you know the mobile phone number, which is pretty amazing. So Megalodon appears to be a zero-day which affects iMessage, as Amnesty's forensic analysis of the infected devices that they've performed shows that there is a lookup of a suspicious iMessage account, someone who is unknown to the victim, which is performed and then immediately followed by an HTTP request which is carried out by a CoreTelephony process which runs on the device. So what this means is there is an iMessage which is sent from an attacker to the victim, and that's all that needs to take place in order to infect the device. The user doesn't need to read the message or click a link; the user doesn't need to open anything. Receiving that message means that there is subsequently an HTTP request performed by the phone, and the analysis that Amnesty

Segment 2 (05:00 - 10:00)

have performed on that request: they found some traces of metadata in a cache file stored on the device, and they could see that the phone sent some information to an Amazon CloudFront CDN which is controlled by the NSO Group, and the response of that HTTP request was approximately 250 kilobytes of encrypted data, which they consider to be the Pegasus malware.

All right, so let's get down to business and talk about some malware analysis then. So samples of Pegasus, they're pretty difficult to come by, for obvious reasons. Also as well I want to just call out that we as malware analysts in this community really should kind of be a little cautious about the attribution that other people give to malware samples. If we're looking for specific samples from a particular family then by all means go and get that data from the various available sources, but really make your own judgments as to whether or not you think that malware is actually the right family based on what you expect it to be, and we'll see why I'm kind of calling this out in just a second. But finding samples like this is pretty tricky. I'm yet to find a Pegasus sample from an iOS device, and the only samples or snippets that appear on the internet are those that really target Android and are usually a few years old as well, and AV vendors do have signatures for this family of malware as well. So take for example this particular Android variant: it has detection from 18 vendors, most of which put it firmly in the Pegasus bucket. We'll come back to this sample shortly.

But vx-underground, who brand themselves as the largest collection of malware source code, samples and papers on the internet, claim to have collected samples of Pegasus and are currently hosting them on their site for analysis, and in fact they sent a tweet out at the time and over a thousand people liked this tweet, and no doubt many of those people blindly accepted the attribution that all of the samples that they were referencing were in fact Pegasus malware. I personally am a little less trustworthy. This is not a flex on vx-underground; they do an amazing job in the community, but just from my point of view, don't necessarily trust that what they're saying is Pegasus; do your own analysis, make your own decisions.

So let's dive in here. So these are the samples that vx-underground have shared, and you can see we've got five files here, and if we have a look at the file types of each of those we can see we've got some Java files and Android binary XML files and a couple of zips as well.

Okay, so first off we're going to take a look at this file 144-7787, which appears actually on Joe Sandbox. If you google the hash of the file it appears in the public repo of Joe Sandbox with the name of com.lenovo.safecenter.apk, so it's an Android package file, as we would expect, but it's tagged as Pegasus, and whilst it looks like malware to me, this looks like Lenovo's own kind of system tracking code, which I guess is basically spyware, but I don't really think this smells like Pegasus to me. Now what we're going to do is just have a look at using the Android SDK's apkanalyzer tool just to parse some details of the APK itself. Now for me the apkanalyzer tool lives in this default location, Library/Android/sdk/tools/bin/apkanalyzer. I have the Android SDK installed on my Mac here; for you it may be slightly different if you're using Windows or installed it in a different location. Now the apkanalyzer tool is very feature-rich; if we run it with -h we get a lot of different options we can use here to analyze and parse an APK. Now one of the ones I encourage you to explore is apk features, so let's do that, and we can see the features of this particular file itself. And also another one which is useful as well is files list, and that will list all of the files that are within this particular APK, which is effectively just a zip file, so you can browse through these and you can get a feel for the naming of the files or the structure of the APK itself, and that will give you a kind of view on where to go next and where to perform your analysis. One of the other things you might be interested in is manifest print, and that will obviously print the manifest that's associated with this APK, and that gives you some additional metadata that you want to go and explore. Anyway, I sideloaded this APK onto a virtual Android device and that resulted in an app which looks like this, and really, to me, Pegasus malware is a little bit more stealthy. Would it have an app with a GUI? Would it have all of this stuff on here in the manifest and things like that as well? It just smells to me like this is kind of bloatware tracking stuff that you get when you buy a Lenovo phone, so not necessarily Pegasus for me.

Okay, so let's have a look at this next file that starts 530v4. Let's just remind ourselves of the type: this is an Android binary XML file. I've no idea what this file type is; I'm not somebody who develops Android applications; I've no real idea how to parse this file. If we have a look at the hash on VirusTotal we can see there are signs of this being linked to Pegasus, given what many reputable AV companies tagged the malware family as, but I guess I'll remain open-minded. What we can do though in terms of our analysis, because I don't really know how to parse this file, is we

Segment 3 (10:00 - 15:00)

could cat the file out, of course, on the terminal. We can see that we've got all sorts of weird and wonderful stuff, but we've got all of these strings in the file as well which look like some kind of manifest, and so what we could do, if you wanted to: if I run strings on my Mac here on the file I don't get any output, and I assume it's because of the format of the strings that are in the file being parsed by this particular strings application that's native to a Mac. So if you flip over to Windows, for example, if you use strings as part of the Sysinternals suite by Mark Russinovich, if you run that you can get those strings and you can go through them, and this looks like the output of a kind of manifest with the various permissions. Again, I don't really know what to do with this file if it is just a manifest file; given the size of the file itself and the content, if you looked at it in hexadecimal, there doesn't look to be much going on. Maybe it's related to Pegasus, maybe it's a snippet from Pegasus, maybe it's some kind of manifest, but I don't really know what else to do with it, so I guess we will move onwards.

Okay, so next up let's take a look at this file that starts cc951. What we want to do is just remind ourselves of the file type: we can see that this is showing us a Java file; it's actually an APK file. If we have a look at the hash of the file on VirusTotal we can see a submitted name for the package was binary sms receiver base.apk, and that kind of gives you a good indication of what this particular application was designed to do. I ran this APK through a tool called apktool; if you use the d parameter and pass it the name of the file it'll actually analyze and parse this file for you, and so you then end up with a directory that you can cd into and you can see the manifest and all of these smali files and also any resources as well. Now the bottom line here is I didn't really see anything worth spending too much time on. I sideloaded the app onto an Android virtual device; this yields an app interface which is all about binary SMS monitoring and sending and receiving, and doesn't really lend itself to a stealthy nation-state-level backdoor, and my suspicion here is that this application is used for the purposes of analyzing and manipulating binary SMSs, and no doubt Pegasus does some of that too, but maybe this app just shows some signatures of Pegasus and therefore is probably not a sample that we're interested in.

Okay, let's take a look at this next file, and it starts with d257, and so let's just remind ourselves here that this looks like a zip archive; it's actually an APK file. And if we have a look on VirusTotal we can see that there's less attribution to Pegasus from the various AV vendors here, but there are still some community comments which suggest a link to this particular malware family. It could be that this APK is more generic and not specific to Pegasus, and you can get a feel from the manifest file itself of the actual permissions required and the general flow of activity. So if we wanted to we could use our trusty apkanalyzer to do just that, so we could use manifest print and then feed it the file name, and then we can see all of the intents and the permissions etc., and also as well the package name, in this case com.xx gameassistant.pao, whatever that means. So okay, interesting stuff. I don't see a massive amount of permissions here, and so whether this is a fully fledged Pegasus sample, well, I'm kind of losing confidence in that. And so what we can do is use our apktool again, so let's do apktool d on this particular sample, and again that will parse the APK for us; it will produce a folder we can cd into, and then that will give us all of the various files of interest and the manifest and also the libraries and the resources etc. In this case, if we have a look in the assets folder we can see there are a couple of binaries here; one is called inject. That's pretty interesting. If we run file on inject we can see that this is an ELF and also that the debugging info is not stripped. So what we can do is use something like Ghidra, which is a great tool for disassembling this kind of binary, so I'll flip over to my Windows machine here; I've got Ghidra installed. We can then run Ghidra and have a look at inject. This will load up; we want to analyze it, of course we do; leave it the default settings, and then what we can then do is navigate to the main function and we can see the decompile view here on the right-hand side. We can see that we've got a call to inject process; well, that's nice and easy to interpret what this function is designed to do, and if we go into that inject process we can see all of the kind of stuff that you would naturally associate with injecting shellcode or a binary into another process. Now if you were to google some of these strings you would actually find that this is a fairly generic Android process injection library out on GitHub; this is nothing native to Pegasus, so I'm going to come back to the conclusion that this is not a specific Pegasus Android sample. Maybe there are signatures within this particular binary of being related to Pegasus, who knows. And sideloading the application again onto an Android virtual device shows that there is a GUI application; it's not particularly stealthy to have a GUI with all of this kind of stuff on the screen here if you're meant to be a piece of spyware spying on governments around the world,

Segment 4 (15:00 - 20:00)

and then also as well, if you wanted to, you can have a look throughout the contents of the apktool parsed output. So some of the stuff you could do is have a look, for example, using fgrep, and you can search for strings like http, and you can see quite a lot of stuff in relation to web requests that this particular APK makes, and in particular here we can see some calls to talkingdata.net, which is actually hosted on Alibaba Cloud, so not one I'm interested in studying any further from an NSO Pegasus-related standpoint.

Okay, so now we start to get into the meat of it then. Let's take a look at this other file, this bdhcda file. So let's just do a quick file on that and we can see it's a zip archive; it's actually an APK, and if we have a look at the file on VirusTotal it is a heavy hitter in relation to Pegasus attribution, lots of AV vendors putting this in the Pegasus bucket here. Joe Sandbox as well also has a lot of data to go through from the execution of this APK, but obviously we want to poke around it ourselves, so one of the ways we can do that is obviously to use apktool as I described earlier. We can use apktool d and run that against the actual file; that will parse the file and will give us a folder we can cd into, and then we can have a look at the manifest and the resources and any other files associated with this binary. So for example let's cat the AndroidManifest and we can see the Android permissions this particular APK requests, and this is kind of more what I would expect from Pegasus, right? We can have a look through here; there's an awful lot of permissions. Essentially, if you can think of an Android permission that a piece of spyware would request, this seems to request it. Also as well we can see some names here of functions and methods within the APK itself, and these look to be encoded or encrypted in some way, or just kind of obfuscated, and so that kind of sets my spider senses off going a little bit more as well, so it just feels a little bit more like malware, a little bit more malicious.

We can also use Android Studio as well, so let's flip over to Android Studio. We can load the APK into here and we can browse through, and there's lots of stuff here, there's loads of stuff that we can get our teeth into, too much for this video. So for example there are files like command shell, lib, k esu, copier, et cetera, all stuff which is worthy of some further analysis. Really what I was interested in is these .smali, these smali files, if that's how you pronounce it. I'm not an Android developer, so I'm coming across as a complete noob; I don't really mind, but anyway I'm poking around this because I want to just kind of understand what is going on with this malware and if there's anything interesting here that I can pull at some threads. So as I say, I'm a complete novice with this; I don't really develop or code in Java or look at Android applications on a regular basis, but what I do want to do is just have a look and see if there's anything that stands out to me. All I'm doing is picking files at random here, and you can see I've got some strings which look like base64 strings, and we've got some strings here which look like hashes or keys or something like that. I've no idea what these strings are all about. So this kind of format in Android Studio, yes, it's great for poking around for me, and if you're going to start like debugging the code and things like that then maybe that's good for you as well, but really what I want to do is pull out all of these interesting strings and dig into these smali files a little bit more. But using Android Studio to parse the APK means that we're looking at these files which are less readable, for me anyway, than if we converted the actual classes file to an actual jar, and we can use another tool to decompile a jar and then get into the ribs of some source code. So luckily there is a tool for that. Let's flip back to my terminal window here, so let's come out of this folder, and then what we want to do is use a tool called dex2jar. So actually what we do is unzip the actual file itself, which is the APK; I'll just call it unzipped, into the unzip folder, and then we'll cd into that folder here, and then we can see we've got the classes.dex file, and this is the file that we're interested in, and we want to convert this into a jar file so we can then decompile it. So because I'm a complete noob and I can't remember how to run this, I'll just see if I've got my command. Here we go: so it's a shell script that you can download called dex2jar, and we can run that against classes.dex. So let's do that now, and then what we can do... I get a couple of errors here, but whatever, I get this jar file. So if you notice here I've got this classes-dex2jar.jar file. Now if I flip over into my Windows virtual machine I'm going to use JD-GUI; I'm going to load this file in here, which is a Java decompiler, a little bit small to see on our screen, but we'll pull out some stuff of interest in just a second, and if I have a look at what would have been those smali files, these are now class files, and these now look like something more readable in terms of code for me, and I can browse around this at my leisure. Now what I found interesting here: we can see some of these base64-encoded strings, followed by those strings which kind of look like hashes or whatever. So it looks like local object is base64-decoded and then each byte is then XORed with each byte in that big long kind of string variable; it kind of looks like a hash, and if you XOR those together you will get a plaintext result. But what you can see is, rather than having one single decoding function, there is a decoding function for every single pair of these strings, so a base64-encoded string and then also another key, if you like, and so we've got another one here: we've got base64-encoded content and a key as well, so we've got to kind of find a way of

Segment 5 (20:00 - 25:00)

automating the process here. So what I took the liberty of is actually just using JD-GUI to dump all of the class files out, and then cat'd all of those, extracted all of the content using a little bit of regex, which I'll share with you, that I used in CyberChef, and that extracts all of the content between strings, so we're just left with the base64-encoded string and then the string that pairs with it which is being used as part of the XOR routine. I then used a little bit of Python which is up on my GitHub that you can go and use; it's pretty simple, it just takes in a file of that content, XORs those strings together and spits them out, and then lo and behold this is the kind of content that you should end up with, and these decoded strings really help you understand the true capabilities of this malware and the applications that it targets. And some of the interesting strings from this particular file, for example, are creating password, WhatsApp, Twitter, Facebook, Skype, Viber etc., all kind of stuff which is pertinent and relevant to Pegasus malware infections. So this certainly feels like the Pegasus I was expecting. There's a lot of references to the applications that Pegasus is known to intercept, and also the application permissions allow it to access pretty much every aspect of the device as well, for example calls and messages and calendars and photos as well. There's also several binaries that are stored in the resources of this APK as well; all of them are available on VirusTotal, though they don't appear specific to Pegasus. So one of them, add k for example, is not stripped, and therefore, using the methods we saw earlier using Ghidra, you can load that in and it's quite straightforward to see that this particular code is looking at process injection. I also sideloaded this APK using an Android virtual device, and I didn't see any evidence that the app was being loaded, but running adb shell dumpsys confirmed the presence of the malware running and listening on the actual device.

What I should also draw your attention to as well: if you have an Android or iOS device that you'd like to check for the presence of Pegasus malware, then I recommend a tool called MVT, which is a tool developed by Amnesty International for this specific purpose and can help you identify any potential infection. But anyway, this is the closest sample that I think, out of that group of files that vx-underground are sharing, exhibits the behavior that I would kind of expect from Pegasus malware. So if you want to dive in further there's some additional information in the research document that I've shared alongside this video, so definitely go and check that out as well. Really what I'm going to suggest is: don't blindly trust the attribution of others. If you're studying a particular malware sample or family, make your own assessment based on your own analysis, and if the code is in fact what you think it is, document and share your findings with the community as well; I and others will benefit from your research. As we saw in this case, my opinion is that from the five files that are being advertised as Pegasus I can only see one that has any kind of credible Pegasus-like features, but even then, I'll be honest with you, I'm not 100% sure either.

Okay, so let's go back to the original story from 2016. It was clear that Ahmed Mansoor had been a target for many years by nation-state operatives who seemed to really want to compromise his devices. What I found interesting was the two text messages he received back in 2016; they contain the following two URLs, and they can be broken into a regular expression. But whenever I see a malicious URL like this I immediately check to see if the domain is available for registration, and in this case I felt pretty lucky because it was in fact available for registration, so I quickly registered the domain. I set up a simple nginx box to monitor incoming web requests, and of course I've been hosting nothing malicious, all benign content, but you know what, I was really surprised by the traffic that I saw. I'm well aware that HTTP listeners and nginx boxes just get scanned to death on the internet, and so I've discounted all of that kind of traffic and just focused on hits to URLs that follow that particular regular expression. I thought to myself, well, maybe this could still be some researchers like me, for example, still performing analysis of these links, maybe, but what I saw was in excess of 1200 hits to these URLs within the space of a week, and what's more, looking at the user agents and the referrers in the traffic, it's clear that these are people who are clicking the links which have been sent through messaging apps like Telegram and WhatsApp on their phones. So it raises a few questions about where this traffic is coming from, who's still distributing these URLs, why are people clicking these links, and so I've put together some rather extensive analysis of this web traffic in the research document that I alluded to earlier. In the description of this video you can access the full report, and I go into details about the access logs, and also as well I plotted all of the IP addresses onto Google Maps using data from the MaxMind database to geolocate IP addresses, and I found that pretty interesting. The IP addresses are approximate to various locations around the globe, but there are some notable clusters which have synergy with the original reports of countries known to be targeted by Pegasus malware, notably

Segment 6 (25:00 - 28:00)

Egypt, Israel, Syria, Jordan, Lebanon, Iraq etc. Also there's a cluster around North Africa in Morocco and Algeria and Tunisia, lots of hits across the EU etc. I also found as well from the MaxMind data an interesting correlation in the prominent ISPs that were generating the traffic, notably Telecom Egypt and also YemenNet as well, and also you can get some pretty accurate results from MaxMind down to the nearest kilometer, and so it's not actually hard to start identifying potential businesses or even potential individuals that would have been the target of this particular malware. Also as well I looked at the prominent referring sites of this traffic, and this mainly showcases that Telegram is the most popular referring messaging service to the hits that I observed, and then also as well I looked at the traffic from WhatsApp and I noticed there were some additional URLs which were previously unreported, so other URLs which fit the same regular expression being clicked by users who are receiving messages via WhatsApp. It all smells like this is an ongoing campaign, or there are certainly some malicious elements being distributed in the wild still, that is worthy of some further investigation. Anyway, if this is your thing, if you'd like some open source intelligence, please check out the full report; hopefully there's some interesting information in there, and I certainly had a lot of fun standing up this web service and analyzing all of this traffic.

So in short, Pegasus malware is the most incredible piece of spyware that I've ever studied, without having my hands on what I believe to be a true sample to play around with. Not only is the malware capable of compromising all data in real time from almost any mobile device on the planet, the methods used by the NSO Group to propagate the malware mean there is literally no way to defend against this level of sophisticated attack. Forbidden Stories has coordinated and produced some amazing journalism to showcase just how widespread this eavesdropping really is around the globe, ultimately also showing how this malware is being misused by the governments around the globe who are purchasing from NSO Group, and somewhat surprisingly as well I've been able to capture the probable victims of some of these campaigns who are still attempting to access some of these URLs previously used by NSO operators to compromise phones en masse. My view though is that nothing really is going to change: NSO Group are going to continue to operate, continue to innovate and continue to develop new and ever more sophisticated ways to achieve their end target despite the publicity and journalism from Forbidden Stories. We in the cyber research and defence community really can only help to minimize the impact when these infections do occur, and hopefully we can give adversaries operating this malware a bit more of a difficult ride through sharing intelligence, bolstering our defenses and working with victims to best protect their information.

Thank you for taking the time to check out this video. Please also see the link in the description below where you can read the full kind of article and document in terms of my analysis; you can see all of the methodologies I've used to analyze this malware and also piece together the threat intelligence as well, and hopefully you'll find that of use. Also, if you love that kind of stuff then please feel free to check out my Patreon, patreon.com/cybercdh; you can follow me on Twitter, cybercdh. I look forward to speaking to you there. Take care.
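The bulk string-decoding step described in segments 4 and 5 (dump the decompiled classes, pull out each base64 blob and its paired key with a regex, base64-decode the blob and XOR it byte-for-byte with the key), as an added Python example that is not the author's GitHub script and contains nothing from the sample itself: the decompiled-source layout, the regex, and the three blob/key pairs are constructed here purely for illustration, and the real sample's layout will need its own regex.

```python
"""Bulk-decode base64-then-XOR string pairs from a dump of decompiled classes.

Added example, not the video author's script. DUMPED_SOURCE is a constructed
stand-in for concatenated JD-GUI output; PAIR_RE is written for that stand-in
and is an assumption, not the real sample's shape.
"""
import base64
import re
from typing import List, Tuple

# Constructed stand-in for a few decompiled methods concatenated together.
# Each obfuscated string has its own decoder and its own (blob, key) pair,
# the one-decoder-per-pair pattern the video describes.
DUMPED_SOURCE = '''
  private static String a() {
    byte[] localObject = Base64.decode("NwsBARc=", 0);
    String str = "abcde";
    return xor(localObject, str);
  }

  private static String b() {
    byte[] localObject = Base64.decode("KREDCh8=", 0);
    String str = "zzzzz";
    return xor(localObject, str);
  }

  private static String c() {
    byte[] localObject = Base64.decode("PFkKRRhwG0E=", 0);
    String str = "k1";
    return xor(localObject, str);
  }
'''

# Assumed shape of each pair in the dump: the base64 literal passed to
# Base64.decode, then the key assigned to the next String local.
PAIR_RE = re.compile(
    r'Base64\.decode\("(?P<blob>[A-Za-z0-9+/=]+)",\s*\d+\);\s*'
    r'String\s+\w+\s*=\s*"(?P<key>[^"]*)";'
)


def extract_pairs(source: str) -> List[Tuple[str, str]]:
    """Return every (base64 blob, XOR key) pair found in the dump, in order."""
    return [(m.group("blob"), m.group("key")) for m in PAIR_RE.finditer(source)]


def xor_decode(blob_b64: str, key: str) -> bytes:
    """base64-decode the blob, then XOR each byte with the matching key byte.

    The key is cycled, so a key shorter than the ciphertext still works;
    when the key is as long as the blob this is a plain positional XOR.
    """
    if not key:
        raise ValueError("empty XOR key")
    data = base64.b64decode(blob_b64)
    kb = key.encode()
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))


def decode_all(source: str) -> List[str]:
    """Decode every pair in the dump. Output that is not valid UTF-8 is
    kept as hex rather than dropped, so no string silently disappears."""
    out = []
    for blob, key in extract_pairs(source):
        raw = xor_decode(blob, key)
        try:
            out.append(raw.decode("utf-8"))
        except UnicodeDecodeError:
            out.append(raw.hex())
    return out


if __name__ == "__main__":
    for plaintext in decode_all(DUMPED_SOURCE):
        print(plaintext)
```

Running the script prints the three recovered strings; against a real dump you would point `decode_all` at the concatenated class files and review the output for the application names, permissions and file paths that tell you what the sample actually does.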

Other videos by this author: cybercdh
