Carter Dack, 2023.
Nation-state developed malware is often highly advanced and secretive, due to the intelligence advantage that it can produce. In the modern cyber arms race, secrecy is critical when the name of the game is to exploit novel software vulnerabilities. Pegasus is a remote espionage tool that can be installed onto a victim’s mobile device without them knowing, and used by an attacker to have full access to the device and its contents.
Developed by the Israeli cyber intelligence firm NSO Group, Pegasus has been used in several high-profile cases, often targeting diplomats, journalists, billionaires, and cartel kingpins, and grew to prominence due to its silent infection vectors. These vectors, which require little to no interaction from a victim, is a highly sought after capability for spyware, as it becomes unlikely that users will suspect they are infected. The infection vectors and capabilities of Pegasus truly highlight the sophistication of the software as an espionage tool and have laid the groundwork for novel legislation and defense mechanisms in the modern cyber battlefield. This article will discuss how the tool works, its capabilities, and how it has changed over time with the ever-evolving cyber landscape.
Early Pegasus Download, Exploitation, Installation, and Persistence Techniques
Pegasus was primarily developed to target the iOS operating system and originally took advantage of a bundle of three (3) zero-day exploits, referred to as “Trident.” All of which were patched by Apple in iOS version 9.3.5 (Release in August 2016). Trident leverages the following CVE’s:
Together, these exploits allow for a remote attacker to send a malicious URL (Exhibit I), which when loaded, silently installs and runs jailbreak software on the user’s mobile device, compromising it for use by the attackers.
Exhibit I – Malicious Phishing URLs via CitizenLab
Once clicked, the URLs will take the victim to a malicious webpage (often a blank page) which closes after a few seconds. Upon loading, the device is served the webpage containing malicious JavaScript which leverages CVE-2016-4657, followed by intermediate files (final111), and a final payload (test111.tar). These three elements form the Trident explain chain. This web traffic can be seen in Exhibit II.
Exhibit II – Installation Web Traffic via CitizenLab
Once installed from the malicious website, Pegasus can read and extract data from various applications on a victim's mobile device, a capability intentionally designed by Apple to be unavailable through containerization. Ordinarily, applications on an iPhone operate within individual virtual containers, isolated from the device's kernel. Jailbreaking, however, grants complete access to the device's file system and thus access to all containers. Effectively, the Pegasus software is a customized, remote jailbreaking tool.
Upon exploiting the kernel, Pegasus diables built-in protective mechanisms, remounts the system partition, purges the Safari cache, and writes jailbreak files, including the primary loader located at /sbin/mount_nfs. The exploit also removes /etc/nfs.conf (the file system configuration file needed for mounting a new partition), prompting the execution of /sbin/mount_nfs (the stage 3 jailbreak loader). As /sbin/mount_nfs operates with root privileges, the code executes with full root privileges. Pegasus also secures persistence after device reboot by replacing the system daemon "rtbuddyd" with a copy of the "jsc" binary and creating a link to a custom script for its reinstallation. "Jsc" facilitates the execution of JavaScript using the WebKit engine independently of a web browser context.
The aforementioned installation mechanisms are those that were analyzed primarily by CitizenLab, though it should be noted that NSO group highlights multiple installation mechanisms in their marketing brochures. The mechanism described above is the “Enhanced Social Engineering Message (ESEM)” tactic, which is when a targeted message is used to prompt the victim to click a link. Another option within the remote installation mechanisms is that of “Over-the-Air (OTA),” where a push message is remotely and silently sent to the victim’s device. This message then triggers the download process, all without any interaction from the victim. It should be noted that analysis of OTA infected devices and software is much more difficult due to the built- in self-destruct mechanisms that remove all Pegasus related software under a certain software context needed for analysts such as sandboxing or jailbreaking. Analyzing the ESEM installed software is made easier since it is actively being served online and its infrastructure can be interacted with by security researchers.
Additional installation mechanisms are also mentioned by NSO Group that are possible with more physical access to the target’s device. The first mechanism is called “Tactical Network Element,” which uses a Base Transceiver Station (BTS), such as cell towers, to capture the victim’s phone number, at which point, an OTA installation is initiated. The other option here is the full “physical” installation mechanism in which an NSO Group practitioner manually installs the spyware onto the device. Exhibit III shows the various devices that are vulnerable to Pegasus, as advertised by NSO Group in an early sales brochure.
Exhibit III – Supported Operating Systems & Devices via NSO Group
Post-Compromise Behavior
Once Pegasus has been successfully downloaded and installed onto a victim’s mobile device, it is able to communicate with predefined Command and Control (C2) infrastructure which can feed and receive commands and sensitive data. Interestingly – albeit terrifying – Pegasus employs the ability to update its C2 infrastructure on the fly, should the infrastructure change or become unavailable. This feature is further bolstered by allowing updates to occur out of band of http/https, meaning that other mechanisms such as SMS can be used to inform Pegasus software of new C2 locations. This functionality was unprecedented at the time of initial release around 2015 and allowed for the maintained connection to C2 in the event that infrastructure is compromised or taken down.
The C2 infrastructure is ultimately operated and controlled by the attacker (either NSO group themselves or the customers thereof), and for obvious reasons, there is little information about it. Some screenshots however have been identified which show some of the capabilities and interface of the control surface (Exhibit IIII).
Exhibit IIII – C2 Control Interface via Multiple Sources
The Pegasus control interface above shows some of the powerful capabilities it has to offer such as GPS tracking, real time audio recording, IM conversations, and much more. These capabilities unlock essentially everything an attacker might be interested in on a victim’s mobile device. Unlike passive communications interception often conducted by Nation States in cooperation with ISPs and communications providers, this data is content rich, more than just metadata.
With the benefits of a silent installation, a rich data feed, and an easy to use interface, it is clear why Pegasus was being sold by NSO Group via government contracts for upwards of $10mm.
The New Generations of Pegasus
Pegasus is still being identified in the wild as recently as October 2022 and over the years, NSO Group has taken advantage of multiple zero-click exploits in order to continue their Pegasus service offerings. In 2022, CitizenLab gained insight into new NSO Group exploit activities, discovering novel infections. Analysis reveals that NSO Group is employing three distinct iOS 15 and iOS 16 zero-click exploit chains in its new versions of Pegasus. One of these, labeled "PWNYOURHOME," targets HomeKit and iMessage while another, known as "FINDMYPWN," targeted the Find My feature and iMessage.
Additional analysis identified another exploit called "LATENTIMAGE" in 2022, which was distinct from FINDMYPWN but shared similarities. Notably, victims using iOS 16's Lockdown Mode briefly received real-time warnings during attempted exploitation by PWNYOURHOME, potentially deterring successful attacks. Despite the possibility of NSO Group devising workarounds, there is currently no evidence of successful PWNYOURHOME use on devices with Lockdown Mode enabled.
While each update becomes more and more advanced, constantly side-stepping Apple’s security controls, NSO Group faces increased scrutiny and has sparked new legislation, trade agreements, and even “lockdown mode” for iOS.
Conclusion
Nation States are often referred to as “Advanced Persistent Threats” (APTs) for a reason. They have the money, motivation, and time to carry out highly sophisticated and targeted attacks against the world’s most critical infrastructure. Individuals should understand how to properly limit their attack surfaces – whether you are a target for Pegasus or not – in order to reduce risk and mitigate harm.
Pegasus is not the first and will not be the last example of an extremely sophisticated cyber weapon and the developers of these weapons possess great power, often made more powerful by the governments that support their activities.
“About Lockdown Mode.” Apple Support, 24 Oct. 2022, support.apple.com/en-us/HT212650.
DocumentCloud, www.documentcloud.org/documents/4599753-NSO-Pegasus. Accessed 15 Aug. 2023.
“How NSO Group Helps Countries Hack Targets.” VICE, 31 Oct. 2019, www.vice.com/en/article/gyznnq/how-nso-group-helps-countries-hack-targets.
Marczak, Bill, John Scott-Railton, Bahr Abdul Razzak, and Ron Deibert. “Triple Threat: NSO Group’s Pegasus Spyware Returns in 2022 with a Trio of IOS 15 and IOS 16 Zero-Click Exploit Chains.” The Citizen Lab, 20 Apr. 2023, citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/.
Marczak, Bill, John Scott-Railton, Bahr Abdul Razzak, Noura Al-Jizawi, et al. “Forcedentry: NSO Group Imessage Zero-Click Exploit Captured in the Wild.” The Citizen Lab, 15 Aug. 2022, citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/.
Marczak, Bill, John Scott-Railton, The Trident Exploit Chain:CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code executionCVE-2016-4655: An application may be able to disclose kernel memoryCVE-2016-4656: An application may be able to execute arbitrary code with, et al. “The Million Dollar Dissident: NSO Group’s Iphone Zero-Days Used against a UAE Human Rights Defender.” The Citizen Lab, 19 Aug. 2022, citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/.
Peterson, Mike. “Rare Pegasus Screenshots Depict NSO Group’s Spyware Capabilities.” AppleInsider, 5 Aug. 2022, appleinsider.com/articles/22/08/05/rare-pegasus-screenshots-depict-nso-groups-spyware-capabilities.
Technical Analysis of Pegasus Spyware - Lookout, info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf. Accessed 16 Aug. 2023.