Pegasus internals: Technical Teardown of the Pegasus malware and Trident exploit chain

Presented at 33C3 (2016), Dec. 27, 2016, 5:30 p.m. (30 minutes)

This talk will take an in-depth look at the technical capabilities and vulnerabilities used by Pegasus. We will focus on Pegasus’s features and the exploit chain Pegasus used called Trident. Attendees will learn about Pegasus’s use of 0-days, obfuscation, encryption, function hooking, and its ability to go unnoticed. We will present our detailed technical analysis that covers each payload stage of Pegasus including its exploit chain and the various 0-day vulnerabilities that the toolkit was using to jailbreak a device. After this talk attendees will have learned all of the technical details about Pegasus and Trident and how the vulnerabilities we found were patched. Presentation Outline: 1. Introduction Introduction to the talk and the background of the speaker 2. Technical Analysis In the technical analysis section we will cover in-depth the three stages of this attack including the exploits and the payloads used at each stage. We will detail the obfuscation and encryption techniques the developers used to hide the payloads. We will also examine the 0-day vulnerabilities, called Trident, that we found, which allow for a remote jailbreak on the latest versions of iOS (up to 9.3.4) via Safari. * 0-days (responsibly disclosed to Apple) * Malware techniques * Obfuscation and encryption techniques The technical analysis will continue and detail the software that gets installed including what it was designed to collect, which includes texts, emails, chats, calendars, and voice calls from apps including Viber, WhatsApp, Skype, SMS, iMessage, Facebook, WeChat, Viber, WhatsApp, Telegram, Vkontakte, Odnoklassniki, Line, Mail.Ru Agent, Tango, Pegasus, Kakao Talk, and more. * Application Hooking * Use of SIP for exfiltration * Historical Analysis of jailbreaks We will detail how the jailbreak techniques used by this software have changed and adapted to the changing security mechanisms added to iOS over the years. 4. Summary and conclusions

Presenters:

• Max Bazaliy
  Max Bazaliy is a security researcher at Lookout. He has 10 years of experience in the security research space. Max has experience in code obfuscation, exploit development and security research. Before joining Lookout Max was working in malware research and software protection areas, most recently at Bluebox Security. Currently he is focused on mobile security research, XNU exploitation. Max holds a Master's degree in Computer Science and working on his PhD dissertation. Max is a Staff Security Researcher at Lookout who has more than ten years experience in areas as mobile security, security protocols design and analysis, mobile security research, tools and techniques development for vulnerability assessment and post-exploitation, reverse engineering mobile\desktop platforms and penetration testing. Prior to joining Lookout Max was working on code obfuscation and software protection solutions, as well as penetration testing of commercial software protection products. In the past few years, Max was a speaker on various security and engineering conferences, including Black Hat, Defcon, UIKonf, Mobile Optimized, Mobile Central Europe, Mobius and UAMobile. Max holds a Masters degree in Computer Science and currently is PhD student at the National Technical University of Ukraine “Kyiv Polytechnic Institute” where he’s working on dissertation in code obfuscation and privacy area.

Links:

• https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/7901.html

Similar Presentations:

• Objective by the Sea version 5.0 (2022) / In Walled Gardens be Careful of Poisoned Apples
• Black Hat Europe 2016 / Mobile Espionage in the Wild: Pegasus and Nation-State Level Attacks
• 33C3 (2016) / Million Dollar Dissidents and the Rest of Us: Uncovering Nation-State Mobile Espionage in the Wild