Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Stealth Update to Command & Control Infrastructure<br />
The s<strong>of</strong>tware has multiple stealth communication channels. The systemd binary that <strong>Pegasus</strong> employs appears to use SMS<br />
messaging as a communication channel. This functionality has been carefully implemented with instructions delivered via<br />
SMS masquerading as two-factor authentication messages from popular services such as Facebook, Google, and Evernote.<br />
These instructions mirror the structure and expected content <strong>of</strong> legitimate two-factor authentication messages identically.<br />
An example <strong>of</strong> an attacker-provided instruction via SMS (captured originally by Citizen Lab) can be seen below.<br />
Despite appearing as a legitimate password reset from Google, this message actually contains an instruction for <strong>Pegasus</strong><br />
to update the command and control servers that it can communicate to. It appears <strong>Pegasus</strong> is capable <strong>of</strong> receiving five<br />
types <strong>of</strong> instructions via SMS, with the instruction ID determined based on the last number <strong>of</strong> the verification code. For<br />
example, in the message above this is 9.<br />
This functionality appears to allow <strong>Pegasus</strong> to be updated out <strong>of</strong> band if http or https was not available. In the event C2<br />
infrastructure was taken down or unavailable, this functionality provides <strong>Pegasus</strong> with a lifeline to the actors controlling it<br />
with instructions on where to find the new C2 servers. This functionality is unprecedented in spyware and provides the<br />
ability for <strong>Pegasus</strong> to persist even when infrastructure is compromised or taken down.<br />
TECHNICAL ANALYSIS OF PEGASUS SPYWARE | 17