How did/does Pegasus Spyware work?

Bhavesh Rawat
Published in Writers’ Blokke · Sep 10, 2021 · 6 min read

Cyber-attacks have reached the point where, if the attacker plans the attack with enough sophistication, the victim never even realizes that their device has been compromised.

[Image: Illustration of Pegasus Spyware]

Well, Pegasus spyware worked just like that; hell, The Watcher from the MCU could relate. To fill you in, spyware is a kind of malware that aims to gather sensitive information about the victim and send it to the attacker, ideally without the victim ever noticing.

The reason this spyware has been named Pegasus is that it can be sent “flying through the air” to infect cell phones, said NSO co-founder Shalev Hulio.

I, myself a cybersecurity enthusiast, have been learning about this spyware since it resurfaced in July 2021; the last I had heard about it was in 2016, when it was first discovered thanks to a failed installation attempt on the iPhone of Ahmed Mansoor, an Arab human rights activist. Let’s talk about how that happened and how Pegasus worked then.

[Image: Darknet Diaries by Jack Rhysider. Image courtesy: Darknet Diaries Podcast]

In 2016, Ahmed Mansoor, who had already been attacked by different hacking groups, suspected that he was being targeted again and reached out to Citizen Lab. Bill Marczak, Senior Researcher at Citizen Lab, got hold of the text messages Ahmed had received. Written in Arabic, they promised “New secrets about torture of Emiratis in state prisons” and, of course, came with a link. That link pointed at a domain Citizen Lab had already come across while analyzing other infrastructure but had not yet been able to attribute to anyone.

Citizen Lab handled the link quite smartly. Rather than opening it on Ahmed’s phone, they set up a stock iPhone as a test device, routed its network traffic through a monitoring point so that even the encrypted traffic would be captured, and took snapshots of the phone’s state beforehand so they could compare it with the state after the visit. They also recorded the screen throughout, in case any pop-up appeared for only an instant during the investigation.

Everything was set up and ready to go. They clicked the link and waited: the browser crashed, and the iPhone suddenly started establishing a connection to NSO’s server. But that wasn’t the exciting part. The exciting part was that they suspected a remote jailbreak of the iPhone, the first time such a thing had been caught in the wild: an extremely stealthy piece of spyware delivered through a chain of zero-day exploits. A zero-day exploit targets a vulnerability that the vendor either does not yet know about or has not yet patched, so even a fully updated device has no defense against it.

This version specifically targeted iPhones, even fully patched ones on the latest models (iOS 9.3.3 at the time), and the attack had three stages:

  • It required the user to tap a malicious link on their iPhone, which opened the website in Safari. Safari is built on WebKit, the browser engine that parses HTML and CSS, runs the page’s JavaScript and renders everything you see, transitions and animations included, on iOS, iPadOS, macOS and Linux. On iOS every third-party browser is also required to use WebKit, so a WebKit bug reaches every browser on the phone. (Android’s browsers and WebView use Blink, a Chromium fork of WebKit; WebCore is the rendering component inside WebKit, not a separate Android engine.)
    Now back to the procedure: when the user visits the website, a JavaScript program runs and exploits a bug in WebKit (CVE-2016-4657: Memory Corruption in WebKit, a vulnerability in Safari’s WebKit that allows the attacker to compromise the device when the user clicks on a link). That gives the attacker code execution inside the browser process, which the JavaScript uses to download the next stage, a malicious program, onto the phone.
[Embedded link: What’s New in Safari and WebKit, WWDC18 Videos, Apple Developer. Courtesy: Apple]
  • Now, Apple has locked iPhones down to prevent unknown apps from being installed: iOS only runs code carrying a signature Apple trusts (normally an app from the App Store), and every app runs inside a sandbox. So the program that was just downloaded is useless unless the iPhone is jailbroken, and that is exactly what this stage of the malware does: it exploits the kernel to jailbreak the iPhone, which disables those code-signing and sandbox restrictions and lets it run any code it likes. Jailbreaking an iPhone silently is nothing like as easy as it may sound. To do it, the malware used two entirely different exploits:
    CVE-2016-4655: Information leak in kernel. A kernel base mapping vulnerability that leaks information to the attacker, allowing them to calculate the kernel’s location in memory and so defeat kernel address space layout randomization (KASLR).
    CVE-2016-4656: Kernel memory corruption leads to jailbreak. 32-bit and 64-bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
    Note: These were zero-day exploits, meaning Apple did not know about the vulnerabilities until Citizen Lab and Lookout reported them; Apple fixed all three in iOS 9.3.5 on August 25, 2016.
  • Once the iPhone was jailbroken, the malicious app simply ran with full privileges and abused the phone’s own features: reading text messages, tracking calls, collecting passwords, tracking location, switching on the microphone and camera, and harvesting data from apps, then sending it all back to the attacker.

Now that I think of it, I believe this is how Apple got the idea for those mic and camera access notification dots. That was how Pegasus spyware worked back in 2016, but the fact that it resurfaced in July 2021 makes it even more interesting to look at.

Turns out, this time Pegasus was using a zero-click iMessage exploit, that is, one that runs without any interaction from the victim at all: no link to tap, nothing to notice. Once installed, Pegasus is capable of running arbitrary code and extracting contacts, call logs, messages, photos, web browsing history and settings, as well as gathering information from apps. It makes sense, too: Amnesty International’s July 2021 forensic report found the zero-click attack working against iPhones running iOS 14.6, the latest release at the time, so the 2016 WebKit bug being long patched was no protection; this was a new exploit chain built on fresh zero-days.

When a French human rights lawyer (CODE FRHRL2) was targeted, a lookup of a suspicious iMessage account unknown to the victim, followed by an HTTP request performed by the com.apple.coretelephony process, was noticed. This is a component of iOS involved in all telephony-related tasks and likely among those exploited in this attack. We found traces of this HTTP request in a cache file stored on disk at /private/var/wireless/Library/Caches/com.apple.coretelephony/Cache.db containing metadata on the request and the response. The phone sent information on the device including the model 9,1 (iPhone 7) and iOS build number 18C66 (version 14.3) to a service fronted by Amazon CloudFront, suggesting NSO Group has switched to using AWS services in recent months. At the time of this attack, the newer iOS version 14.4 had only been released for a couple of weeks.
Source: Amnesty International, Forensic Methodology Report: How to catch NSO Group’s Pegasus (July 2021)
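The Cache.db check Amnesty describes above is something you can reproduce on a backup or filesystem dump. As an added example (not from the article, and not Amnesty’s own MVT tooling), here is a small Python triage script of the kind that check implies: it opens an NSURLCache Cache.db, pulls out every cached request URL with its timestamp, and reports the requests whose host is not one the telephony daemon would normally talk to. Assumptions not on the page: the `cfurl_cache_response` table and its `request_key` and `time_stamp` columns (the standard NSURLCache SQLite layout), the allowlist of expected Apple-owned domains, and the constructed sample rows, including a made-up CloudFront hostname and query string.

```python
"""Triage an iOS NSURLCache Cache.db for unexpected outbound requests.

Added example, not from the original article or from Amnesty's tooling.
Assumptions (not stated on the page): the Cache.db is the standard
NSURLCache SQLite format, whose cfurl_cache_response table stores the
requested URL in request_key and the request time in time_stamp.
The sample rows below are constructed for illustration only.
"""
import os
import sqlite3
import tempfile
from urllib.parse import urlparse

# Constructed allowlist: hosts com.apple.coretelephony is expected to reach.
# Tune it to your own baseline of a known-clean device of the same iOS build.
EXPECTED_SUFFIXES = ("apple.com", "icloud.com")


def load_request_urls(db_path):
    """Return (time_stamp, url) pairs from a Cache.db, oldest first."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT time_stamp, request_key FROM cfurl_cache_response "
            "ORDER BY time_stamp"
        ).fetchall()
    finally:
        con.close()
    return [(ts, url) for ts, url in rows if url]


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_unexpected(url, expected=EXPECTED_SUFFIXES):
    """True unless the host is exactly an expected domain or a subdomain of one.

    Suffix matching is done on label boundaries so that a look-alike such as
    evil-apple.com does not slip through as 'apple.com'.
    """
    host = host_of(url)
    if not host:
        return True  # malformed or non-HTTP cache key: worth a look
    return not any(host == s or host.endswith("." + s) for s in expected)


def triage(db_path, expected=EXPECTED_SUFFIXES):
    """Return (time_stamp, host, url) for every request outside the allowlist."""
    return [
        (ts, host_of(url), url)
        for ts, url in load_request_urls(db_path)
        if is_unexpected(url, expected)
    ]


# Constructed sample entries: two ordinary Apple/iCloud requests and one
# request to a CloudFront-fronted host carrying device model and build.
# The hostname and query format are invented; the page only says that
# model and build number were sent to a CloudFront-fronted service.
SAMPLE_ROWS = [
    (1, 0, 1001, 0, "https://gspe1-ssl.ls.apple.com/pep/gcc",
     "2021-01-17 09:58:40", None),
    (2, 0, 1002, 0, "https://setup.icloud.com/setup/ws/1/validate",
     "2021-01-17 09:59:12", None),
    (3, 0, 1003, 0, "https://d1example.cloudfront.net/h?model=iPhone9,1&build=18C66",
     "2021-01-17 10:02:55", None),
]


def build_sample_db(db_path):
    """Create a Cache.db with the NSURLCache response table and sample rows."""
    con = sqlite3.connect(db_path)
    try:
        con.execute(
            "CREATE TABLE cfurl_cache_response ("
            " entry_ID INTEGER PRIMARY KEY, version INTEGER, hash_value INTEGER,"
            " storage_policy INTEGER, request_key TEXT UNIQUE,"
            " time_stamp TEXT, partition TEXT)"
        )
        con.executemany(
            "INSERT INTO cfurl_cache_response VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS
        )
        con.commit()
    finally:
        con.close()


def demo():
    """Build the constructed Cache.db in a temp file and triage it."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_db(path)
        return triage(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # On a real dump, call triage() on the extracted Cache.db path instead.
    for ts, host, url in demo():
        print(f"{ts}  {host}  {url}")
```

On a real device image, point `triage()` at the extracted `/private/var/wireless/Library/Caches/com.apple.coretelephony/Cache.db`; a request from that daemon to a host that is neither Apple’s nor your carrier’s is the kind of anomaly worth pivoting on, and the timestamp gives you the window to correlate with iMessage lookups and crash logs.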
