Pegasus Spyware Invades iPhones and Blackmails Victims

Pegasus Spyware is being used in a new extortion scam that seeks to blackmail iOS users. The data collected by Pegasus Spyware is used to scare victims into paying so that the data is not released. A month ago, Amnesty International disclosed that Pegasus spyware was installed on fully updated iPhones through a zero-day zero-click iMessage vulnerability.

A zero-click vulnerability is a hack that is performed without any interaction by the user. These are extremely dangerous and high-priority issues for teams once they are discovered.

Amnesty believes that Pegasus Spyware is used by governments to monitor the communication of politicians, journalists, human rights activists, and business executives worldwide.

This week, a threat actor has been emailing iOS users informing them their devices was compromised with a ‘zero-click’ vulnerability to install the Pegasus spyware software.

The scammer explains that Pegasus Spyware has been used to monitor the victim’s activities and that they have created videos of them during “the most private moments” of their lives.

The email warns that if a 0.035 bitcoin (approximately $1,600) payment is not paid, the threat actors will send the videos to the recipient’s family, friends, and business associates.

The full text of the email is as follows:

You can read the full text of this email below:

“Hi there
Hello, I’m going to share important information with you.

Have you heard about Pegasus? You have become a collateral victim. It’s very important that you read the information below.

Your phone was penetrated with a “zero-click” attack, meaning you didn’t even need to click on a malicious link for your phone to be infected. Pegasus is a malware that infects iPhones and Android devices and enables operators of the tool to extract messages, photos and emails, record calls and secretly activate cameras or microphones, and read the contents of encrypted messaging apps such as WhatsApp, Facebook, Telegram and Signal.

Basically, it can spy on every aspect of your life. That’s precisely what it did. I am a blackhat hacker and do this for a living. Unfortunately you are my victim. Please read on.

As you understand, I have used the malware capabilities to spy on you and harvested datas of your private life. My only goal is to make money and I have perfect leverage for this.

As you can imagine in your worst dream, I have videos of you exposed during the most private moments of your life, when you are not expecting it.

I personally have no interest in them, but there are public websites that have perverts loving that content.
As I said, I only do this to make money and not trying to destroy your life. But if necessary, I will publish the videos. If this is not enough for you, I will make sure your contacts, friends, business associates and everybody you know see those videos as well.

Here is the deal. I will delete the files after I receive 0.035 Bitcoin (about 1600 US Dollars). You need to send that amount here [Wallet Address]

I will also clear your device from malware, and you keep living your life. Otherwise, sh*t will happen. The fee is non negotiable, to be transferred within 2 business days.

Obviously do not try to ask for any help from anybody unless you want your privacy to be violated. I will monitor your every move until I get paid. If you keep your end of the agreement, you won’t hear from me ever again.

Take care.”

Fortunately, there are currently no payments to the wallet address contained in the email. It is possible that other emails may have different addresses which have been paid.

While it is most likely this truly is a scam – That is to say, that the targets don’t have Pegasus Spyware installed – these types of activities have proven lucrative. Similar scams have generated thousands of dollars for the hackers behind them.

Though these types of emails can elicit fear in people, it is always best to mark them as scams and delete the email, as they are rarely truthful.

Pegasus Spyware Analysis

Note: This Analysis was carried out by LookOut.

The attack is very simple in its delivery and silent in delivering its payload. The attack starts when the attacker sends a website URL (through SMS, email, social media, or any other message) to an identified target. The user only has to take one action–click on the link. Once the user clicks the link, the software silently carries out a series of exploits against the victim’s device to remotely jailbreak it so that the espionage software packages can be installed.

The user’s only indication that anything happened will be that the browser closes after the link is clicked. The espionage software contains malicious code, processes, and apps that are used to spy, collect data, and report back what the user does on the device. Pegasus spyware can access and exfiltrate messages, calls, emails, logs, and more from apps including, but not limited to:

 

In order to accomplish this, Pegasus spyware, once it jailbreaks the user’s phone, does not download malicious versions of these apps to the victim’s device in order to capture data, rather it compromises the original apps already installed on the device. This includes pre-installed apps such as Facetime and Calendar and those from the official App Store.

Usually, iOS security mechanisms prevent normal apps from spying on each other, but spying “hooks” can be installed on a jailbroken device. Pegasus Spyware takes advantage of both the remote jailbreak exploit and a technique called “hooking.” The hooking is accomplished by inserting Pegasus Spyware’s dynamic libraries into the legitimate processes running on the device. These dynamic libraries can be used to hook the apps using a framework called Cydia Mobile Substrate, known to the iOS jailbreak community, and which Pegasus Spyware uses as part of the exploit.

A user infected with Pegasus spyware is under complete surveillance by the attacker because, in addition to the apps listed above, it also spies on:
• Phone calls
• Call logs
• SMS messages the victim sends or receives
• Audio and video communications that (in the words a founder of NSO Group) turns the phone into a “walkie-talkie”

Access to this content could be used to gain further access into other accounts owned by the target, such as banking, email, and other services he/she may use on or off the device. The attack is comprised of three separate stages that contain both the exploit code and the espionage software. The
stages are sequential; each stage is required to successfully decode, exploit, install, and run the subsequent stage. Each stage leverages one of the Trident vulnerabilities in order to run successfully.

STAGE 1 Delivery and WebKit vulnerability
STAGE 2 Jailbreak
STAGE 3 Espionage software

The third stage deploys a number of files deployed in a standard unix tarball (test222.tar), each of which has its own purpose:

• ca.crt – root TLS certificate that is added to keystore (see Appendix A)
• ccom.apple.itunesstored.2.csstore – Standalone javascript that is run from the command line at reboot and is used to run unsigned code and jailbreak the kernel on device reboot
• converter – injects dylib in a process by pid. It is a renamed version of the cynject from the Cydia open-source library
• libaudio.dylib – The base library for call recording
• libdata.dylib – A renamed version of the Cydia substrate open-source library
• libimo.dylib – imo.im sniffer library
• libvbcalls.dylib – Viber sniffer
• libwacalls.dylib – Whatsapp sniffer
• lw-install – Spawns all sniffing services
• systemd – Sends reports and files to server
• watchdog
• workerd – SIP module

The attack investigated works on iOS up to 9.3.4. The developers maintain a large table in their code that attacks all iOS versions from 7.0 up to and including iOS 9.3.3. While the code we investigated did not contain the appropriate values to initially work on iOS 9.3.4, the exploits we investigated would still work, and it is trivial for the attackers to update the table so that the attack will work on 9.3.4.

Protection

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.