Recently I've been looking into #Pegasus #Malware and found myself in a rather unique threat intelligence position.

To talk about it, here's...
a Thread 🧵
a Blog 📖
and a Video 🎥

In July 2021 @FbdnStories produced an astounding collection of articles highlighting NSO Group's Pegasus malware and its apparent misuse throughout Governments across the globe. @amnesty wrote about Pegasus in 2016 where a prominent human-rights activist was targeted...
Back in 2016 the vehicle to infect an iPhone with Pegasus was the #trident suite of vulnerabilities. In 2021, a vuln known as #megalodon was being used, a zero-day in iMessage which required zero user-interaction...
Many in the community reportedly had samples of Pegasus, I took a look and came to some different conclusions...
One sample did exhibit some Pegasus-like behaviour, and had an interesting string-encoding routine within the code to hide much of its functionality. I used this to decode all the strings within the package.
Many of the decoded strings relate to Pegasus-like capability, such as intercepting messages, reading location data, tracking online activity etc. A full dump of the strings I extracted can be found here:
In 2016 Ahmed Mansoor was sent two SMSs with URLs which would lead to a Pegasus infection. I found the domain in these URLs was available for registration. I registered the domain and stood up an HTTP listener.
To my surprise I found 1000+ hits to URLs matching this regex in a week. I've analysed the access logs and my overall malware analysis in this document:…
Many of the hits are from users clicking links sent to them via WhatsApp, Facebook and Telegram. I mapped the victims using maxmind and noted synergy with countries known to have been extensively targeted with Pegasus malware.
Oftentimes the data within maxmind is accurate to the nearest 1km, therefore it's possible to dig deeper into the individuals or organisations that may be the target of this malware.
As well as the Google doc summarising my thoughts, methods and findings I've uploaded a video to YouTube where you can see the methods I used to analyse the various samples and talk through some findings.
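An added example (mine, not code from the thread) of the sinkhole log triage described above: it keeps only hits on lure-shaped paths, attributes each to the messaging app it came through, and counts unique clients and distinct lure tokens. The log lines, the lure path pattern and the app-attribution heuristics are constructed assumptions, not the real 2016 URL format.

```python
import re
from collections import Counter

# Constructed "combined" access-log lines standing in for the sinkhole's log.
# Addresses are from documentation ranges; nothing here is a real victim.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Aug/2021:10:01:12 +0000] "GET /sms/1234abcd HTTP/1.1" 200 12 "-" "WhatsApp/2.21.13.28 A"
198.51.100.9 - - [02/Aug/2021:10:02:40 +0000] "GET /sms/ffff0000 HTTP/1.1" 200 12 "https://m.facebook.com/" "Mozilla/5.0 (Linux; Android 11) Chrome/92.0"
203.0.113.7 - - [02/Aug/2021:10:03:01 +0000] "GET /sms/1234abcd HTTP/1.1" 200 12 "-" "WhatsApp/2.21.13.28 A"
192.0.2.44 - - [02/Aug/2021:10:05:55 +0000] "GET /.env HTTP/1.1" 404 0 "-" "python-requests/2.25"
192.0.2.45 - - [02/Aug/2021:10:06:13 +0000] "GET /sms/9999aaaa HTTP/1.1" 200 12 "-" "TelegramBot (like TwitterBot)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumed shape of the lure paths; the real 2016 URL pattern is not reproduced here.
LURE_RE = re.compile(r"^/sms/[0-9a-f]{8}$")

def classify_source(referer: str, ua: str) -> str:
    """Heuristic attribution of where the link was clicked (an assumption, not a
    standard): messaging apps tend to reveal themselves via User-Agent or Referer."""
    ref, agent = referer.lower(), ua.lower()
    if "whatsapp" in agent:
        return "whatsapp"
    if "facebook" in ref or "facebookexternalhit" in agent:
        return "facebook"
    if "telegram" in agent or "t.me" in ref:
        return "telegram"
    return "other"

def triage(log_text: str) -> dict:
    """Keep only hits on lure-shaped paths (drops scanner noise such as /.env)
    and summarise them by source app, unique client and distinct lure token."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and LURE_RE.match(m["path"]):
            hits.append((m["ip"], m["path"], classify_source(m["referer"], m["ua"])))
    return {
        "lure_hits": len(hits),
        "unique_ips": len({ip for ip, _, _ in hits}),
        "by_source": dict(Counter(src for _, _, src in hits)),
        "lure_tokens": sorted({path.rsplit("/", 1)[1] for _, path, _ in hits}),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Distinct lure tokens matter because each token is typically tied to one recipient, so their count approximates how many separate targets reached the sinkhole.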


Thread author: Colin Hardy 💻 (@cybercdh)
More from @cybercdh

25 Jan
Here's why you should block and monitor .JNLP files

👉 They're XML files that can Download and Run content from remote locations...
Here, the JNLP file leads to a malicious JAR which in turn downloads Info-Stealer malware executable, disguised as a JPG...
The malware appears to be packed with UPX but the adversaries don't make it easy to unpack...
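An added triage helper (mine, not from the thread) for the JNLP point above: it pulls out every remote code location a JNLP would fetch, the class that runs, and whether it asks for all permissions, which is what a mail gateway or SOC would want to log when monitoring these files. The sample JNLP is constructed and its hosts use the reserved .invalid TLD.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed JNLP file modelled on the lure described above; hosts use the
# reserved .invalid TLD and nothing here points at a real server.
SAMPLE_JNLP = """\
<jnlp spec="1.0+" codebase="http://files.example.invalid/update/" href="invoice.jnlp">
  <information><title>Invoice Viewer</title><vendor>constructed</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.8+"/>
    <jar href="viewer.jar" main="true"/>
    <nativelib href="http://cdn.example.invalid/libs/native.jar"/>
  </resources>
  <application-desc main-class="com.example.Viewer"/>
</jnlp>
"""

# Elements whose href names code that Java Web Start fetches and loads.
CODE_TAGS = ("jar", "nativelib", "extension")

def analyse_jnlp(xml_text: str) -> dict:
    """Pull the indicators a triage analyst wants from a JNLP: where code is
    fetched from, what runs, and whether it asks for full permissions."""
    root = ET.fromstring(xml_text)
    codebase = root.get("codebase", "")
    urls = []
    for tag in CODE_TAGS:
        for el in root.iter(tag):
            href = el.get("href")
            if href:
                # relative hrefs resolve against codebase, so the codebase host matters
                urls.append(urljoin(codebase, href))
    app = root.find("application-desc")
    return {
        "codebase": codebase,
        "urls": urls,
        "remote_hosts": sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname}),
        "main_class": app.get("main-class") if app is not None else None,
        "all_permissions": root.find("security/all-permissions") is not None,
        "loads_remote_code": any(urlsplit(u).scheme in ("http", "https") for u in urls),
    }

if __name__ == "__main__":
    for key, value in analyse_jnlp(SAMPLE_JNLP).items():
        print(f"{key}: {value}")
```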
12 Jan
#CrowdStrike have produced fascinating research into #SUNSPOT malware, which was used to implant the SUNBURST / SolarWinds backdoor.

Here are my Threat Hunting tips to:

โžก๏ธ Find the malware on disk
โžก๏ธ Find the persistence
โžก๏ธ Decrypt the log files
โžก๏ธ Find if it's running

The malware exists on disk as taskhostsvc.exe

You can use the following commands to look for files on Windows

dir taskhostsvc.exe /S /B
where /r . taskhostsvc.exe
SUNSPOT used a scheduled task set to execute when the host boots

You can find Scheduled Tasks so many ways; two methods are to use Autoruns (from sysinternals) or browse the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
3 Jan
#Zyxel announced CVE-2020-29583 fixing a backdoor admin account which gave attackers root on affected devices via SSH or web interface

If you want to examine the firmware you need to run a #known_plaintext_attack against an encrypted zip

Sounds hard; don't worry I got you... 👇
Zyxel have actually removed the backdoored firmware versions from their portal; but you can still grab the latest version or earlier versions for further inspection.

Now, unzip the contents and you should have something like this
31 Dec 20
#SUPERNOVA #SolarWinds malware is actually pretty boring. So boring in fact, I made a video.

Thread 👇
Adversaries have injected a call to a method called DynamicRun() into the existing LogoImageHandler class. An existing method, ProcessRequest(), has been trojaned to accept 4 GET parameters passed to the Orion web API
These GET parameters are designed to contain

"code" - a blob of C# code which is then compiled
"clazz" - the name of a class which is to be instantiated
"method" - the name of a method to call within the clazz
"args" - supplied to the aforementioned method
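An added detection example (mine, not from the thread) for the four parameters listed above: it reads IIS W3C log lines and flags requests to LogoImageHandler that carry two or more of code/clazz/method/args, so ordinary image requests are not alerted on. The log excerpt is constructed; the field order comes from its own #Fields header, as real IIS logs do.

```python
from urllib.parse import parse_qs

# The four GET parameters the trojaned ProcessRequest() consumes.
SUPERNOVA_PARAMS = {"code", "clazz", "method", "args"}

# Constructed IIS W3C log excerpt; the #Fields header drives column mapping.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-12-14 09:12:01 GET /Orion/LogoImageHandler.ashx id=4 198.51.100.20 200
2020-12-14 09:13:44 GET /Orion/LogoImageHandler.ashx clazz=Helper&method=Run&args=1&code=dXNpbmc 203.0.113.5 200
2020-12-14 09:14:02 GET /Orion/Login.aspx - 198.51.100.21 200
"""

def parse_iis(log_text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_supernova_requests(log_text: str, min_params: int = 2) -> list:
    """Flag requests to LogoImageHandler carrying the code/clazz/method/args
    parameters. Requiring several of them keeps ordinary image requests out."""
    alerts = []
    for rec in parse_iis(log_text):
        if "logoimagehandler.ashx" not in rec.get("cs-uri-stem", "").lower():
            continue
        query = rec.get("cs-uri-query", "-")
        present = set() if query == "-" else {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        seen = sorted(present & SUPERNOVA_PARAMS)
        if len(seen) >= min_params:
            alerts.append({"time": f"{rec['date']} {rec['time']}", "ip": rec["c-ip"],
                           "params": seen, "status": rec["sc-status"]})
    return alerts

if __name__ == "__main__":
    for alert in find_supernova_requests(SAMPLE_IIS_LOG):
        print(alert)
```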
15 Dec 20
#SolarWinds #SUNBURST malware checks for a long list of security processes and services running on the endpoint to try and evade detection. It does this by hashing the lowercase process name and comparing it against hardcoded values. Thread 👇
The hashing function isn't one I'm familiar with, FNV1A, but seems pretty straightforward to understand
FireEye did a great job in brute-forcing many of the hardcoded hashes and identified a big list of security tools that the malware is checking for…
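An added example (mine, not from the thread) of the FNV-1a check described above and of the dictionary-style recovery FireEye is credited with: the 64-bit width is an assumption, the blocklist is constructed from names inside the example, and none of the values are SUNBURST's real hardcoded hashes.

```python
FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1

def fnv1a_64(data: bytes) -> int:
    """Standard 64-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h

def process_hash(name: str) -> int:
    # The thread describes hashing the lowercased process name.
    return fnv1a_64(name.lower().encode())

# Constructed blocklist built from names in this example; these are not
# SUNBURST's real hardcoded values.
CONSTRUCTED_BLOCKLIST = {process_hash(n) for n in ("someav.exe", "edrscanner")}

def matching_processes(process_names, blocklist=CONSTRUCTED_BLOCKLIST) -> list:
    """What the malware's check amounts to: hash each running name and compare."""
    return [p for p in process_names if process_hash(p) in blocklist]

def recover_names(target_hashes, wordlist) -> dict:
    """The analyst's side: a dictionary attack that maps opaque hashes back to
    candidate tool names, the approach the thread credits FireEye with."""
    table = {process_hash(w): w.lower() for w in wordlist}
    return {h: table[h] for h in target_hashes if h in table}

if __name__ == "__main__":
    print(hex(fnv1a_64(b"a")))  # 0xaf63dc4c8601ec8c, the published FNV-1a test vector
    print(recover_names(CONSTRUCTED_BLOCKLIST, ["explorer.exe", "SomeAV.exe", "edrscanner"]))
```

Because the comparison is on lowercased names, a wordlist for recovery should be lowercased the same way before hashing, as process_hash does.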