
Pegasus spyware was first publicly exposed in August 2016, after Mr. Ahmed Mansoor, an Emirati human rights defender, reported a suspicious message he had received on his iPhone.

Mr. Mansoor's first encounter was a text message offering him “secrets and information” about torture taking place in UAE prisons. The message contained a link he was invited to follow in order to access the “secrets.”

Instead of tapping it, Mr. Mansoor forwarded the link to Citizen Lab. Citizen Lab, based at the University of Toronto's Munk School, studies information controls, network surveillance, and content filtering that threaten human rights and internet security. It works in collaboration with research centres, individuals, and organizations, and combines methods such as field research, data mining, technical interrogation of networks and devices, policy analysis, qualitative social science, and legal analysis.

NSO Group Pegasus spyware

What Citizen Lab, working with the mobile security firm Lookout, discovered is that the link led to an exploit chain: simply opening it would have silently jailbroken his phone and installed spyware, with social engineering needed only to get him to tap the link. The exploit code also contained a kernel mapping table of memory offsets with entries going back to iOS 7, released in 2013, suggesting the spyware had been in use since then.

The spyware chains three zero-day vulnerabilities, collectively named “Trident,” used in the following order:

1. CVE-2016-4657: a memory corruption vulnerability in Safari's WebKit that gives the attacker code execution inside the browser as soon as the target opens the link.

2. CVE-2016-4655: a kernel information leak that discloses a kernel address, allowing the attacker to calculate where the kernel is located in memory and so defeat kernel address space layout randomization.

3. CVE-2016-4656: a memory corruption vulnerability in the 32- and 64-bit iOS kernel that the attacker uses to silently jailbreak the device and install the surveillance software.

The Pegasus Spyware Anonymizing Transmission Network (PATN)

The spyware relies on command-and-control (C2) infrastructure to carry out the attack: C2 servers send commands to the infected Pegasus target and receive the data it exfiltrates. The infrastructure mapped so far includes over 500 domain names, the associated network infrastructure, and DNS servers.


The PATN servers listen on high, non-standard ports so that conventional internet-wide scans of common ports miss them. The exploit links use random subdomains and URL paths that are unique to each exploit attempt, so a link cannot be reused or easily correlated with others.
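The two traits described above, unusual ports and one-time subdomains with random-looking paths, are things a network defender can look for in proxy or DNS logs. The following script is an added example written for this post; it is not Citizen Lab's or Lookout's tooling and the log lines and domain names in it are constructed for the demo. It groups requests by registered domain and only raises a finding when at least two of the three signals coincide, so that a legitimate site on port 8080 or a CDN with hashed asset names is not flagged on its own.

```python
"""Added example: flag PATN-style traffic in a constructed proxy log.
Signals: non-standard port, a fresh subdomain on every request, and a
random-looking (high-entropy) final path component."""
import math
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed log in the form "<unix ts> <client> <method> <url>".
SAMPLE_LOG = """\
1470900001 10.0.0.5 GET http://cdn.example.net/static/app.js
1470900002 10.0.0.5 GET https://login.example.com/
1470900003 10.0.0.7 GET http://x7k2q9.sms-updates.example:8443/d/aZ93kQ1p0w
1470900004 10.0.0.8 GET http://p0q1zz.sms-updates.example:8443/d/Qm7Lt2Xs9v
1470900005 10.0.0.5 GET http://b8m4ww.sms-updates.example:8443/d/R4c0pWq8Jn
1470900006 10.0.0.9 GET https://login.example.com/
1470900007 10.0.0.7 GET http://dev.example.org:8080/health
1470900008 10.0.0.7 GET http://dev.example.org:8080/health
1470900009 10.0.0.9 GET https://static.example.com/assets/9f3aK2pQ7x.css
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
STANDARD_PORTS = {80, 443}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = urlparse(m.group("url"))
    if not u.hostname:
        return None
    port = u.port or (443 if u.scheme == "https" else 80)
    return {"ts": int(m.group("ts")), "client": m.group("client"),
            "host": u.hostname.lower(), "port": port, "path": u.path or "/"}


def registered_domain(host):
    """Naive registered domain: last two labels. A real deployment should use
    the Public Suffix List, otherwise names like co.uk collapse wrongly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def shannon_entropy(s):
    """Bits per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def analyze(log_text, min_requests=2, entropy_threshold=3.0):
    """Group requests by registered domain and report domains showing at
    least two of the three PATN-style signals."""
    per_domain = defaultdict(lambda: {"requests": 0, "subdomains": set(),
                                      "paths": set(), "ports": set(), "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        d = per_domain[registered_domain(rec["host"])]
        d["requests"] += 1
        d["subdomains"].add(rec["host"])
        d["paths"].add(rec["path"])
        d["ports"].add(rec["port"])
        d["clients"].add(rec["client"])

    findings = {}
    for rd, d in per_domain.items():
        if d["requests"] < min_requests:
            continue
        reasons = []
        odd_ports = sorted(p for p in d["ports"] if p not in STANDARD_PORTS)
        if odd_ports:
            reasons.append(f"non-standard port(s) {odd_ports}")
        if len(d["subdomains"]) == d["requests"]:
            reasons.append("every request used a fresh subdomain")
        # Entropy of the last path component, e.g. "aZ93kQ1p0w" in "/d/aZ93kQ1p0w".
        leaf_entropy = max((shannon_entropy(p.rstrip("/").rsplit("/", 1)[-1])
                            for p in d["paths"]), default=0.0)
        if leaf_entropy >= entropy_threshold:
            reasons.append(f"random-looking path (entropy {leaf_entropy:.2f} bits/char)")
        if len(reasons) >= 2:
            findings[rd] = {"requests": d["requests"],
                            "clients": sorted(d["clients"]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for domain, info in analyze(SAMPLE_LOG).items():
        print(domain, info)
```

On the constructed log only `sms-updates.example` is reported (three fresh subdomains, port 8443, random paths); `dev.example.org` on port 8080 and the hashed CSS asset on `example.com` each trip a single signal and stay quiet. In production the thresholds and the registered-domain logic would need tuning, and the port signal should be weighed against an allow-list of known internal services.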

The best defence against this class of spyware is for users and developers to retain control over the software running on their devices. Full control lets the user inspect the software, detect and patch vulnerabilities quickly, and physically switch components off. Apple fixed all three Trident vulnerabilities in iOS 9.3.5, so keeping devices updated and not tapping unsolicited links remain the immediate, practical defences.

If you have any questions or comments, do not hesitate to ask us.

Quote: The moon looks upon many night flowers; the night flowers see but one moon. – Jean Ingelow