Pegasus spyware, developed by the Israeli company NSO Group, was used in a number of attempted and successful hacks of smartphones and personal computers belonging to journalists, activists, and business executives worldwide, according to an investigation by the Washington Post and its consortium partners under Project Pegasus.
The most affected countries are:
- Mexico
- Azerbaijan
- Kazakhstan
- Hungary
- India
- United Arab Emirates
- Saudi Arabia
- Bahrain
- Morocco
- Rwanda
- Togo
On July 18, 2021, Subramanian Swamy, a member of the Parliament of India, tweeted about rumors associated with two newspapers publishing a report to expose the hiring of an Israeli firm for spying activities.

Figure 1 Tweet by Subramanian Swamy
Pegasus is spyware developed by the Israeli cyberarms firm NSO Group. It can be covertly installed on mobile phones and other devices. Pegasus is advanced spyware that infiltrates phones either through zero-day exploits in commonly used messaging and social media applications or by tricking users into installing the malware through targeted phishing attacks.
Below is the description of Pegasus from the NSO group (source: leaked documentation of the NSO group).
The spyware has allegedly been used for tapping into the phones of Cabinet Ministers from the Government of India, Leaders of the Rashtriya Swayamsevak Sangh (RSS), Judges of the Supreme Court of India, and journalists.
In the past, on several occasions, Pegasus has been used to spy on Indian government officials. In 2019, Facebook told a California court that the Pegasus software had been used to hack into the phones of at least 121 Indian citizens. In the same year, the spyware also exploited a vulnerability in WhatsApp to carry out a remote surveillance attack that infiltrated the phones of 1400 individuals globally, including lawyers, activists, and others.
Pegasus Initial Vector
The threat actor shares a URL with the victim via messaging apps like WhatsApp. Once the user clicks on the URL, they are redirected to the exploit landing page, which delivers the additional payload. After successful exploitation, the spyware is installed on the victim’s mobile device. Earlier, Pegasus was known to target iOS devices; researchers later confirmed that the threat actors have also been using Pegasus to target Android devices.
Capabilities of Pegasus
The image below showcases the installation methods and capabilities of Pegasus.

Figure 2 Installation Techniques and Capabilities of Pegasus
The capabilities include exploiting the web browser, remotely jailbreaking the iOS using kernel exploits, and bypassing security mechanisms like Kernel address space layout randomization (KASLR).

Earlier, in 2016, the malware used three CVEs, collectively known as Trident, to target iOS devices. These are:
- CVE-2016-4657 – Used for the initial shellcode execution and launched by the web-based Exploit Kit (EK).
- CVE-2016-4655 – An exploit used to bypass KASLR to get the Kernel base address.
- CVE-2016-4656 – Using this exploit, threat actors can jailbreak the device and perform software installation.
After installation, the malware provides complete access to the device. Its capabilities range from call recording to accessing device settings.
The following table lists a few of the malware's capabilities.
| Capabilities |
| --- |
| Call Recording |
| Email and SMS |
| Browser History |
| File retrieval |
| Device Settings |
Table 1 Malware capabilities
On July 15, 2021, the Washington Post released an article about a private Israeli firm that has been helping governments hack into the phones of journalists and human rights advocates. Like the NSO Group, many other Israeli companies are involved in such activities, selling sophisticated malware/spyware to governments. Recently, a private firm, Candiru, was found to be selling spyware, as confirmed by Citizen Lab. The malware, called DevilsTongue and created by Candiru, has been used to target Windows machines.
The kill chains of the malware created by the NSO Group and by Candiru have many similarities. For instance, both use browser-based exploits to deliver their payload, which leads us to speculate that the two spyware families are connected.
A high-level analysis of the DevilsTongue malware is given below. According to the Microsoft Threat Intelligence Center (MSTIC), the threat actor used two Windows zero-day exploits, CVE-2021-31979 and CVE-2021-33771, to target users. The exploits were chained so that they could escape the browser sandbox and gain kernel code execution. Using this chain, the threat actor was able to install the DevilsTongue malware on the victim machine.
According to the Microsoft analysis, DevilsTongue is a complex, modular, multi-threaded piece of malware written in C and C++. It is stripped of all PDB symbols, and its strings and configuration data are encrypted. The malware's functionality is encrypted while on disk and is decrypted only in memory. The malware also operates in both Operating System (OS) modes, i.e. kernel mode and user mode, which makes it highly sophisticated.
Initially, the malware uses the COM hijacking technique, overwriting the path of a legitimate DLL with the path of the malware's first-stage DLL, to achieve persistence in the victim OS. The first-stage DLL is loaded into the system process “svchost.exe” so that it runs with SYSTEM privileges, and the first-stage payload is loaded through the COM hijack. This breaks the legitimate functionality, so, interestingly, the malware uses a series of techniques to load both the legitimate DLL and the malicious DLL. After this, the malware decrypts further stager modules stored encrypted in “.dat” files. These stagers have capabilities such as file collection, registry querying, credential dumping from the LSASS process and from browsers, and cookie theft, among others.
The DevilsTongue malware is also known to use a legitimate signed driver file for malicious purposes. The driver belongs to the “Physical Memory Viewer” tool provided by Hilscher, as shown in the figure below.

Figure 3 Physical Memory Viewer Tools provided by Hilscher
As per our investigation, the Physical Memory Viewer Tools by Hilscher and the IoC shared by Microsoft have the same hash, as highlighted below.

Figure 4 Hashes of legitimate x64 physmem.sys file.
The driver is used to proxy specific API calls through the kernel to evade detection.
The following table lists the malware artifacts on the victim’s machine.
| Path |
| --- |
| C:\Windows\system32\drivers\physmem.sys |
| C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat |
| C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat |
| C:\Windows\system32\config\config\startwus.dat |
Table 2 Malware artifacts
MSTIC has not provided malware hashes because, apart from the third-party driver, DevilsTongue files have unique hashes per victim and are therefore not a useful IoC.
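As an added example, not part of the page or of Microsoft's tooling, this Python triage helper checks a Windows directory for the artifact paths from Table 2 and hashes physmem.sys against the legitimate driver hash from the IoC table below. It treats the .dat stagers as presence-only indicators, since their hashes are unique per victim, and treats a matching physmem.sys hash only as confirmation that the abused (but legitimate) driver is present. The `windows_dir` parameter is an assumption made so the script can be pointed at a mounted offline image or a test directory rather than the live system.

```python
import hashlib
import os
from pathlib import Path
from typing import Dict

# Artifact paths from Table 2, relative to the Windows directory.
ARTIFACT_PATHS = [
    r"system32\drivers\physmem.sys",
    r"system32\config\spp\ServiceState\Recovery\pac.dat",
    r"system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat",
    r"system32\config\config\startwus.dat",
]
DRIVER_PATH = ARTIFACT_PATHS[0]

# SHA-256 of the legitimate x64 physmem.sys from the IoC table. The driver is
# signed and non-malicious, so a match shows the abused driver is present, not
# that DevilsTongue itself is.
LEGIT_PHYSMEM_SHA256 = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(windows_dir: str) -> Dict[str, str]:
    """Classify each artifact path under windows_dir (assumed: a Windows directory or offline copy).

    Values: 'absent', 'present' (encrypted stager, presence is the signal),
    'present-legit-driver' (hash matches the Hilscher driver) or
    'present-unknown-driver' (a physmem.sys with some other hash).
    """
    root = Path(windows_dir)
    report: Dict[str, str] = {}
    for rel in ARTIFACT_PATHS:
        p = root / Path(rel.replace("\\", os.sep))
        if not p.is_file():
            report[rel] = "absent"
        elif rel == DRIVER_PATH:
            digest = sha256_file(p)
            report[rel] = "present-legit-driver" if digest == LEGIT_PHYSMEM_SHA256 else "present-unknown-driver"
        else:
            report[rel] = "present"
    return report


def verdict(report: Dict[str, str]) -> str:
    """Turn the per-path report into a single triage line for the analyst."""
    stager_hits = [rel for rel, status in report.items() if status == "present"]
    driver_status = report.get(DRIVER_PATH, "absent")
    if stager_hits:
        return "likely DevilsTongue: encrypted stager files present: " + ", ".join(stager_hits)
    if driver_status != "absent":
        # The driver alone is inconclusive; a Hilscher installation legitimately ships it.
        return "review: physmem.sys present (" + driver_status + "); confirm a legitimate Hilscher install"
    return "no artifacts found"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    rep = triage(target)
    for rel, status in rep.items():
        print(f"{status:24} {rel}")
    print(verdict(rep))
```

Run it as `python triage.py D:\mount\Windows` against a mounted image; the presence of any of the .dat paths is the actionable finding, while a lone physmem.sys should be reconciled with the host's installed software before it is escalated.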
Based on the behavior of the Pegasus and DevilsTongue malware, we may speculate that the two are connected. However, there is not enough evidence to support this; the Cyble Research team is continuously monitoring the activities of the malware and will keep updating this space with more information.
Our Recommendations
We’ve listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow these suggestions given below:
- Apply patches for CVE-2021-31979 and CVE-2021-33771 provided by Microsoft.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1566 | Phishing |
| Execution | T1203 | Exploitation for Client Execution |
| Persistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking |
| Privilege Escalation | T1574 | Hijack Execution Flow |
| Defense Evasion | T1574 | Hijack Execution Flow |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1055 | Process Injection |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| Credential Access | T1539 | Steal Web Session Cookie |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| --- | --- | --- |
| c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d | Hash (non-malicious) | SHA-256 of physmem.sys (x64) |
| 7841fe621eb9bf443e19bb88c5df1d9ea14feed829d18e84258380dc462816fd | Hash | SHA-256 of CVE-2021-33771 |
| 63a3c1b2e1ca65bf71322b84305f612bc625ac40eff667f56655022d05cf0be0 | Hash | SHA-256 of CVE-2021-31979 |
| bf4bedf2722525ae269db0d661d38010671144dec9dc38471f77915dcfb6772d | Hash | SHA-256 of CVE-2021-31979 |
| fc869c9853eef46976ecc03bf109f409bf391413862637dec98951df1c8c8b7d | Hash | SHA-256 of CVE-2021-33771 |
Yara Rules:
import "pe"

rule DevilsTongue_HijackDll
{
    meta:
        description = "Detects SOURGUM's DevilsTongue hijack DLL"
        author = "Microsoft Threat Intelligence Center (MSTIC)"
        date = "2021-07-15"

    strings:
        $str1 = "windows.old\\windows" wide
        $str2 = "NtQueryInformationThread"
        $str3 = "dbgHelp.dll" wide
        $str4 = "StackWalk64"
        $str5 = "ConvertSidToStringSidW"
        $str6 = "S-1-5-18" wide
        $str7 = "SMNew.dll" // DLL original name

        // Call check in stack manipulation
        // B8 FF 15 00 00        mov eax, 15FFh
        // 66 39 41 FA           cmp [rcx-6], ax
        // 74 06                 jz short loc_1800042B9
        // 80 79 FB E8           cmp byte ptr [rcx-5], 0E8h ; 'è'
        $code1 = {B8 FF 15 00 00 66 39 41 FA 74 06 80 79 FB E8}

        // PRNG to generate number of times to sleep 1s before exiting
        // 44 8B C0              mov r8d, eax
        // B8 B5 81 4E 1B        mov eax, 1B4E81B5h
        // 41 F7 E8              imul r8d
        // C1 FA 05              sar edx, 5
        // 8B CA                 mov ecx, edx
        // C1 E9 1F              shr ecx, 1Fh
        // 03 D1                 add edx, ecx
        // 69 CA 2C 01 00 00     imul ecx, edx, 12Ch
        // 44 2B C1              sub r8d, ecx
        // 45 85 C0              test r8d, r8d
        // 7E 19                 jle short loc_1800014D0
        $code2 = {44 8B C0 B8 B5 81 4E 1B 41 F7 E8 C1 FA 05 8B CA C1 E9 1F 03 D1 69 CA 2C 01 00 00 44 2B C1 45 85 C0 7E 19}

    condition:
        filesize < 800KB and
        uint16(0) == 0x5A4D and
        (pe.characteristics & pe.DLL) and
        (
            4 of them or
            ($code1 and $code2) or
            (pe.imphash() == "9a964e810949704ff7b4a393d9adda60")
        )
}
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.