Recently, Citizen Lab of Canada identified Pegasus, the well-known spyware of the Israeli surveillance vendor NSO Group, using newly developed scanning and matching techniques. Pegasus has been used in network intrusion activity in 45 countries around the world by a number of operators. The following is Citizen Lab's research and analysis.
Main findings of Citizen Lab
From August 2016 to August 2018, we scanned the Internet for Pegasus-related servers using our matching fingerprints. We found 1091 IP addresses that matched our fingerprints, and 1014 domain names associated with those IP addresses. With the help of Athena, we grouped all matched Pegasus control servers into 36 distinct systems, each of which corresponds to a different operator or attacker.
Combining the 1014 related domain names with DNS cache probing, we identified traces of Pegasus activity in 45 countries, at least 10 of which involve active cross-border surveillance.
Our findings reflect a bleak human rights picture against the backdrop of NSO's global business expansion. Our analysis shows that at least six of the countries involved in the surveillance activity have previously abused spyware to monitor civil society groups, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia and the United Arab Emirates.
Pegasus may also be used by countries with questionable human rights records and histories of abuse justified on national security grounds. In addition, we found signs of political themes in the surveillance targeting of several countries, which raises the question of whether this spyware is being used for lawful criminal investigation.
Background summary
Pegasus is mobile spyware developed and sold by NSO Group, an Israeli "cyber weapons" vendor. To monitor a target, the attacker first constructs a specially crafted link containing the exploit and sends it to the target's mobile phone. Once the target clicks the link, a chain of 0-day exploits runs, malicious software is installed covertly and without the user's permission, and the attacker ultimately gains control of the phone. The attacker can then remotely control the victim's phone through a command-and-control (C2) server and steal sensitive information, including passwords, contact lists, calendar events, SMS messages and voice calls from popular chat apps. The attacker can even use the victim's camera and microphone to capture activity near the phone.
Pegasus exploit links and C2 servers use HTTPS, which requires attackers to register and maintain domain names. To improve concealment, the domains registered by attackers sometimes impersonate mobile operators, online services, banks or government services. An operator may register multiple domains, used both for sending exploit links and for C2. In most cases, Pegasus-related domains ultimately resolve to cloud virtual servers rented by NSO or by the operator, commonly referred to as front-end servers. These front-end servers then forward traffic through multiple relay nodes to the back-end servers actually controlled by the operator.
As early as August 2016, Ahmed Mansoor, a UAE dissident, was targeted by Pegasus, the NSO spyware. After the link in the SMS he received was clicked, the attacker used three 0-day vulnerabilities to jailbreak Mansoor's phone and install persistent spyware. We therefore launched an investigation into the attack. Through fingerprint matching, we characterised the behaviour of the Pegasus exploit link and C2 server, scanned the Internet for matching front-end servers, and finally found 237 of them. But just a few days before we released the report, NSO suddenly took all front-end servers offline. After we released the report, a small number of Pegasus front-end servers quietly came back online; however, their fingerprint was now completely different from before. Our 2016 analysis was also the first report to disclose Pegasus. We then revised our fingerprints according to Pegasus's new characteristics and carried out regular Internet-wide scanning and identification.
Current findings
Between August 2016 and August 2018, we detected a total of 1091 IP addresses and 1014 domain names related to Pegasus, and grouped them into 36 distinct systems by their characteristics. Of these 36 systems, we found 33 appearing in intrusion activity across 45 countries: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d'Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, United Arab Emirates, Uganda, United Kingdom, United States, Uzbekistan, Yemen and Zambia. Geolocation is based on the country of the DNS server; where VPNs or satellite links are involved, the result may contain errors. The countries and regions involved in Pegasus attacks are as follows:
Mexico
In 2017, after a retrospective analysis, we found that dozens of Mexican lawyers, journalists, human rights defenders, opposition politicians and anti-corruption advocates, as well as an international investigative body based in Mexico, had been targeted with Pegasus spyware. After our disclosure, Mexico saw a political scandal known as #GobiernoEspía, which led to a criminal investigation that is still ongoing as of the date of this report. According to our monitoring, three different Pegasus operators remain active in Mexico after our earlier disclosure of Pegasus abuse there.
Gulf Cooperation Council (GCC) countries
We found that use of Pegasus spyware has increased significantly in the GCC countries of the Middle East. In total we identified at least six operators active in GCC countries, two of which mainly target the UAE, one Bahrain, and another Saudi Arabia. Besides their GCC targeting, three of these operators also conduct surveillance outside the region, including in Canada, France, Greece, the United Kingdom and the United States.
GCC countries have long been known for abusing surveillance tools to track dissidents. Ahmed Mansoor, the UAE activist, was targeted by Pegasus on his mobile phone in 2016; before that he had been targeted with FinFisher and Hacking Team spyware. Bahrain also used FinFisher from 2010 to 2012. In May and June 2018, Amnesty International reported that one of its employees in Saudi Arabia was targeted by Pegasus.
Other countries
We identified five operators with a strong focus on Africa. One of them appears to focus mainly on Togo, a West African country that is a close ally of Israel and whose long-ruling president has used torture and force against the opposition. The operator targeting Togo used websites with the words "Nouveau president" and "politics infos" to spread Pegasus infections. There is an operator targeting Morocco, as well as one targeting countries including Algeria, France and Tunisia. We also found several operators linked to Israel: four have targeted inside Israel, and one has targeted outside Israel, in the Netherlands, Palestine, Qatar, Turkey and the United States.
Identifying the Pegasus attack infrastructure
In this section we describe how we tracked and identified the infrastructure Pegasus uses to carry out attacks, from the first exposure of Pegasus in 2016 to the present.
In August 2016, in response to the targeting of UAE activist Ahmed Mansoor's phone, we and Lookout revealed Pegasus for the first time. The attacker used three 0-day vulnerabilities in Apple iOS 9.3.3 to covertly compromise and control an iPhone. We disclosed the vulnerabilities to Apple, which promptly fixed them in the iOS 9.3.5 update, temporarily blocking the Pegasus infection path. A few days before our technical report was released, our Internet scans showed that all the Pegasus front-end servers we had detected earlier, except for the C2 servers, had gone offline for no apparent reason.
2016 - new fingerprint: the decoy page
We then tried to discover Pegasus's new network infrastructure by probing the Internet for the /redirect.aspx and /support.aspx decoy pages returned by Pegasus servers. Because the decoy-page behaviour exists only in the spyware's server code, it was easy to build matching fingerprints for it. Scanning the Internet with these fingerprints let us find other Pegasus operators and the back-end control systems they ran.
2017 to 2018 - the decoy page disappears
After we found the Pegasus decoy pages, NSO gradually removed the /redirect.aspx and /support.aspx decoy behaviour, further modified the server code, and stopped responding to any request other than a valid exploit link or a special path, in step with other spyware vendors such as FinFisher and Hacking Team.
After studying several suspicious new Pegasus server behaviours, we developed three different Pegasus fingerprints, E1, E2 and E3, as well as a new classification tool, Athena. E1 is a Transport Layer Security (TLS) fingerprint, while E2 and E3 represent two different proxy configurations we observed. If a server matches any of E1, E2 or E3, we consider it part of NSO spyware infrastructure. We then used Athena to group these matches into 36 distinct patterns, each of which we believe corresponds to one Pegasus operator. To avoid unnecessary security risks, we do not disclose the specific fingerprints and identification techniques.
Pegasus reborn
Following our August 2016 disclosure, NSO apparently informed its clients, and the following scan chart suggests the disclosure interrupted their operations for about half an hour:
Before we released the "Million Dollar Dissident" report on Pegasus version 2 on August 24, 2016, 12 back-end servers went offline for no apparent reason; they did not come back online until September 25, 2016, and then stayed up until August 10, 2017. We then found the first Pegasus version 3 server in an Internet-wide scan on September 5, 2017, nearly a month after we released the "Million Dollar Dissident" report. At that point there were seven distinct operators on the Internet, and within a month the number had grown to 14.
Operator classification based on DNS cache probing
We used Athena, a tool we developed, to classify the IP addresses and domain names related to Pegasus activity, and arrived at 36 distinct operators, each using multiple groups of IP addresses. We named each operator according to the country or region in which it is active. For the IP addresses used by each operator, we extracted the corresponding domain names from the TLS certificates those servers presented, coded and analysed the domain names, identified the likely countries of focus and assessed any political themes or motives. We then used DNS cache probing to generate, for each operator, a list of countries in which Pegasus infections may be present.
Operators targeting the Americas
After verification, we found five to six operators targeting the Americas. One operator, named Macaw, mainly targets Honduras and its neighbouring countries; its two domain names, politica504[.]com and eltiemponews[.]com, are related to Honduras.
In June 2017, we disclosed Pegasus activity against Mexico in the report "Reckless Exploit". Four operators used domain names clearly related to Mexico: Reckless-1, Reckless-2, Pricklypear and Aguilareal. Reckless-1 and Reckless-2 used domains with political themes, such as universopolitico[.]net, animalpolitico[.]com, noticiapoliticos[.]com and politicoportales[.]org. After we released the report, Reckless-1 and Reckless-2 quickly took their servers offline, and Pricklypear and Aguilareal took several of theirs offline. A month later a new operator, Maybereckless, appeared with newly registered domains; it may be the successor to Reckless-1 and Reckless-2. In September 2017, Pricklypear and Aguilareal brought new servers online.
Each entry in the following operator list has these attributes: operator name (the attack organization), dates the operator was active, anticipated country focus, political themes (whether the domains carry political themes), and anticipated infections (other countries where infections are suspected).
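The classification described above (grouping servers into operators by the domains in their TLS certificates, coding domains for political themes, and attaching DNS cache probe countries) can be illustrated with a small script. This is an added example, not Citizen Lab's Athena tool: the IP addresses, certificate groupings and probe results are constructed, and only the domain names are the ones quoted in this report.

```python
# Added example (not Citizen Lab's tool) in the spirit of the Athena grouping
# described above: front-end IPs whose TLS certificates share a domain form one
# operator; domains are tagged for political themes; DNS cache probe hits give
# the countries. IPs, certificate groupings and probe results are constructed.
from collections import defaultdict
# Constructed: front-end IP -> domain names seen in its TLS certificate.
OBSERVATIONS = {
    "192.0.2.10": {"politica504.com", "eltiemponews.com"},
    "192.0.2.11": {"eltiemponews.com"},
    "198.51.100.5": {"universopolitico.net", "animalpolitico.com"},
    "198.51.100.6": {"animalpolitico.com", "noticiapoliticos.com"},
    "203.0.113.7": {"shiavoice.com"},
}
# Constructed DNS cache probe results: domain -> countries whose resolvers had it cached.
CACHE_HITS = {"eltiemponews.com": {"HN"}, "animalpolitico.com": {"MX"},
              "noticiapoliticos.com": {"MX", "US"}, "shiavoice.com": {"BH"}}
POLITICAL_TERMS = ("politic", "president", "revolution", "voice")

def cluster_operators(obs):
    """Union-find over IPs: IPs sharing a certificate domain (transitively)
    form one operator. Returns the clusters sorted by their root IP string."""
    parent = {ip: ip for ip in obs}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    owner = {}  # first IP seen serving each domain
    for ip, domains in obs.items():
        for d in sorted(domains):
            if d in owner:
                parent[find(ip)] = find(owner[d])
            else:
                owner[d] = ip
    groups = defaultdict(lambda: {"ips": set(), "domains": set()})
    for ip, domains in obs.items():
        groups[find(ip)]["ips"].add(ip)
        groups[find(ip)]["domains"] |= domains
    return [groups[root] for root in sorted(groups)]

def political_domains(domains):
    """The report's coding step: domains whose names carry a political theme."""
    return sorted(d for d in domains if any(t in d for t in POLITICAL_TERMS))

def operator_profile(cluster, cache_hits=CACHE_HITS):
    """One row of the operator table: IPs, domains, political themes, countries."""
    countries = set().union(*(cache_hits.get(d, set()) for d in cluster["domains"]))
    return {"ips": sorted(cluster["ips"]), "domains": sorted(cluster["domains"]),
            "political": political_domains(cluster["domains"]),
            "countries": sorted(countries)}
```

On the constructed data this yields three operators; the two Mexico-themed IPs merge through the shared animalpolitico.com certificate and inherit the MX and US probe hits.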
Operators targeting Africa
We found five operators targeting Africa. One of them, RedLion, used front-end domains almost entirely in French, such as politics infos[.]info and Nouveau President[.]com. Another operator, AK47, suddenly disappeared in July 2017, while Atlas and Grandlacs, which are still active, also use domains with political themes, such as revolution news[.]co and political press[.]org.
Operators targeting Europe
We found five operators targeting Europe. The front-end domains used by the operators named Turul and Chequy are related to Hungary and Croatia. However, we have not yet found any DNS cache probing matches for these operators. Their intrusion activity is currently still ongoing.
Operators targeting the Middle East
We found 12 operators targeting the Middle East. Pearl mainly targets Bahrain; Kingdom targeted Amnesty International and Saudi Arabian staff; and Pearl and Falcon used political-themed domains such as shia voice[.]com, 14 tracking[.]com and nomorewarnow[.]com.
Operators targeting Asia
We found five operators targeting Asia. One of them, Ganges, used the domain signpetion[.]co, which has a political theme. We did not perform DNS cache probing against mainland China, so the results here contain no Pegasus findings related to China.
Summary
Through this report, we have determined that Pegasus has suspected activity in 45 countries, and that these intrusions may have been carried out by operators linked to 33 different NSO customers. By extracting the C2 domain names used by these operators, we carried out DNS cache probing, in-depth analysis, identification and fingerprint matching, and finally classified each operator. The global Pegasus campaign raises the following concerns:
Some known abusers of spyware continue to use Pegasus.
Extensive cross-border surveillance is being conducted with Pegasus.
NSO's indifference to personal privacy and human rights will lead to more global cybersecurity problems.
*Reference source: Citizen Lab; compiled by clouds; reprinted from freebuf.com