Last update: 2021-10-24

Compared systems (one column per system in the original spreadsheet):
- HackingTeam RCS (Da Vinci + Galileo) (Italian)
- DevilsTongue / Sourgum (Candiru, Israeli)
- Pegasus (NSO Group, Israeli)
- SWR (Russian)
- Panzer, Bundestrojaner (Swiss / German)
- DriveBadger / Funkcjonariusz (Polish)

AVAILABILITY
HackingTeam RCS: COMMERCIAL / NO LONGER ACTIVE, released as open source
DevilsTongue: COMMERCIAL
Pegasus: COMMERCIAL
SWR: STATE
Panzer / Bundestrojaner: STATE, partially open source
DriveBadger: OPEN SOURCE

YEARS OF ACTIVITY
HackingTeam RCS: 2003-2015
DevilsTongue: 2014-current
Pegasus: 2010-current
SWR: ?
Panzer / Bundestrojaner: 2006-2011+
DriveBadger: 2017-current

DECLARED ADVERSARIES
- criminal individuals
- terrorist individuals/organizations
- individuals within the scope of interest of individual clients (mostly criminals or dishonest employees)
- organizations (companies) knowingly breaching the law

HOW OPERATORS USE THE SYSTEM
HackingTeam RCS:
- Adobe Flex panel for operators
- all actions are logged
- operators are fully responsible for any abuse attempts
- quite easy to abuse with proper knowledge (operators have access to application source code, settings and certificate)
DevilsTongue:
- web panel for operators
- all actions are logged
- operators are fully responsible for any abuse attempts
Pegasus:
- web panel for operators
- all actions are logged
- operators are fully responsible for any abuse attempts
SWR: ?
Panzer / Bundestrojaner: ?
DriveBadger:
- raw Linux access (either to the running instance via ssh, or to the external drive attached to another computer)
- some information about copied drives is stored in syslog, but it is easy to disable or delete
- general rule: operator is god
- basic Linux knowledge required

SUPPORTED PLATFORMS AND CAPABILITIES

WINDOWS (PC)

1. Supported versions
HackingTeam RCS:
- XP SP3
- 2003
- Vista
- 7
- 8 (not sure about 8.1)
DevilsTongue:
- 7
- 10 (documentation states 64-bit only)
- not sure about Windows 8 / 8.1
- not sure about Windows Server
Pegasus: n/a
SWR:
- 7
- 8.1 (not sure about 8)
- 10
- Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019
Panzer / Bundestrojaner:
- XP (rootkit)
- Vista
DriveBadger:
- from XP SP2 to 11
- Server 2003-2016
- Embedded Standard 7 and 2009

2. Software-only installation method(s)
HackingTeam RCS: dedicated RCS agent, separate for 32- and 64-bit OS:
1. remote installation using an integrated exploit, after getting access/privileges manually
2. local installation, OS-level (CD/USB/FireWire DMA), needs privileges (like any other software)
3. local injection into a hard drive connected to another computer
4. local injection using deep freeze mode (has some additional requirements, but possible)
DevilsTongue: remote installation using:
- CVE-2021-31979 and CVE-2021-33771 (attack on Windows)
- RCE for Chrome, Firefox or Internet Explorer
- RCE on Microsoft Office 2013-2019
Pegasus: n/a
SWR: remote installation using CVE-2021-21166 and CVE-2021-30551 (Chrome), CVE-2021-33742 (Internet Explorer) - the attack is performed on the browser, not the full OS
Panzer / Bundestrojaner: local installation, separately for:
1. Internet Explorer, Firefox and basic system info
2. Skype (several different implementations, for various Skype versions)
DriveBadger:
1. local data exfiltration via USB, with support for BitLocker / LUKS / VeraCrypt drive encryption
2. local injection of 3rd party exploits (possibly remotely exploitable), straight from USB, without disconnecting the hard drive

3. Additional hardware implants
HackingTeam RCS: injecting a hardware implant working below the OS, offered as an option - exploitation similar to Bash Bunny but smarter and controlled through the remote panel
DevilsTongue: n/a
Pegasus: n/a
SWR: ?
Panzer / Bundestrojaner: n/a
DriveBadger: n/a

4. Post-install remote functionalities
HackingTeam RCS:
- Skype call and chat
- Facebook chat and check-ins
- Gmail and Outlook.com
- Crypto currency transactions (e.g., Bitcoin, Litecoin, etc.)
- File capture
- Camera snapshots
- Key logging
DevilsTongue: standard package - access to:
- Skype
- Outlook
- Telegram
- Facebook
- Gmail
- device ID
- browsing history
- geolocation
- raw files
- passwords
- keylogger
- webcam
- microphone recording
- screenshots
paid separately:
- remote shell (Windows-only)
- Twitter
- Viber
- Signal
- WeChat
- Odnoklassniki
- Vkontakte
- Mail.ru
Pegasus: n/a
SWR: user's data available through the browser, exfiltration is performed using WebSockets
Panzer / Bundestrojaner:
1. remote access to:
- basic computer/Windows information
- list of local users
- Firefox stored website passwords
- Internet Explorer stored website passwords, browsing history and favourites
2. remote stealing of Skype data, various attempts:
- ptrace
- hooking various versions of skype.exe
- DirectSound
- rootkit for Windows XP
3. later versions (2009+) - full audio/video recording
DriveBadger: only exploitation of locally injected 3rd party exploit(s)

LINUX

Software-only installation and tracking method(s)
HackingTeam RCS: dedicated RCS agent:
1. Has a lot of direct dependencies on X11, so it probably runs only on Linux with a graphical environment. Versions supported according to the pricing scheme document: Ubuntu, Debian, Mint.
2. Each platform has a separate set of exfiltration modules (written as separate codebases).
3. Declared features:
- Skype call and chat
- Facebook chat and check-ins
- Gmail and Outlook.com
- Crypto currency transactions (e.g., Bitcoin, Litecoin, etc.)
- File capture
- Camera snapshots
- Key logging
DevilsTongue: n/a
Pegasus: n/a
SWR: details unknown, but possibly Chrome on Linux can be supported
Panzer / Bundestrojaner: n/a
DriveBadger:
1. local data exfiltration via USB, with support for BitLocker / LUKS / VeraCrypt drive encryption
2. local injection of 3rd party exploits (possibly remotely exploitable), straight from USB, without disconnecting the hard drive

MAC OS

Installation and tracking method(s)
HackingTeam RCS: two dedicated solutions: RCS agent + rootkit, and a separate solution for local installation. Supported versions: from Snow Leopard to Yosemite.
Features:
- Skype call and chat
- Facebook chat and check-ins
- Gmail and Outlook.com
- Crypto currency transactions (e.g., Bitcoin, Litecoin, etc.)
- File capture
- Camera snapshots
- Key logging
DevilsTongue: not sure - depending on the source, supported or not
Pegasus: n/a
SWR: ?
Panzer / Bundestrojaner: n/a
DriveBadger: local data exfiltration only, via USB, with support for APFS FileVault encryption; on T2-based models requires the device to be already unlocked

MOBILE DEVICES

General outcome and other comment(s)
HackingTeam RCS: in general, each mobile/desktop OS has a completely different RCS implementation, with different abilities
DevilsTongue: access to apps, especially Twitter, Viber, Signal, WeChat, Odnoklassniki, Vkontakte, Mail.ru - a full remote shell is available only for Windows, for another 1.5M EUR
Pegasus: read user's mail/SMS messages, capture screenshots, access photos, access contacts, read browser history, record calls, log pressed keys - remotely, in near-realtime
SWR: read user's data available through the browser, exfiltrate using WebSockets
Panzer / Bundestrojaner: n/a
DriveBadger: local data exfiltration only, once connected to the Mobile Badger device - photos + most other data in raw form, so it's a good idea to install and use apps like "export SMS to file" etc.

ANDROID

Installation and tracking method(s)
HackingTeam RCS: supported, details unknown
DevilsTongue: supported, there is a closed list of supported Android versions (4-9 as of 2020); documentation suggests that they may have problems with Android forks, e.g. Xiaomi MIUI - they support Samsung Galaxy S phones (and probably tablets), and an agreed list of models/vendors for an additional fee
Pegasus: remote:
- magic sms/push, non-persistent infection, requiring re-infection after each reboot
- in non-root mode it can ask the user for permissions to access e.g. photos, just like a normal app
supported Android versions: from 2.1, mainly Samsung Galaxy and Sony Xperia devices
SWR: ?
Panzer / Bundestrojaner: n/a
DriveBadger: local data exfiltration only, through MTP, PTP or Mass Storage (depending on Android version and security settings), requires an already unlocked device

What information is available after installation
HackingTeam RCS:
- Skype call and chat
- Facebook chat and check-ins
- Gmail and Outlook.com
- Crypto currency transactions (e.g., Bitcoin, Litecoin, etc.)
- File capture
- Camera snapshots
- Key logging
DevilsTongue: standard package - access to:
- photos & screenshots
- emails, sms
- browsing history
- contact details
- calendar records
- GPS location tracking
- basic/advanced device info
- call history
- list directories
- Google Drive
- Dropbox
- WhatsApp
- FB Messenger
- Skype
- Telegram
- network details
- network change notifications
- recording microphone and phone calls
paid separately:
- Twitter
- Viber
- Signal
- WeChat
- Odnoklassniki
- Vkontakte
- Mail.ru
Pegasus:
- photos & screenshots
- emails, sms
- browsing history
- contact details
- calendar records
- conversations from Skype, WhatsApp, Twitter, Facebook, Viber, KakaoTalk
- GPS location tracking
- device settings
- network details
- raw file retrieval
- recording microphone and phone calls (Android-only)
SWR: ?
Panzer / Bundestrojaner: n/a
DriveBadger:
- photos & screenshots
- in MTP/MSC mode, everything that is remotely visible (access to raw files)

APPLE - iOS, iPadOS

Installation and tracking method(s)
HackingTeam RCS: supported iOS versions: from 4.x to at least 8.1 (according to the pricing scheme from 2014)
DevilsTongue: remote installation using either an attack on Safari, or on the whole iOS (details not revealed)
Pegasus: remote, using:
- magic sms/push
- Trident exploit (CVE-2016-4655, CVE-2016-4656, CVE-2016-4657)
- Kismet exploit (2020)
- ForcedEntry (2021), previously known as Megalodon (2019)
- existing jailbreak
- emulation of clicking on important apps (e.g. iMessage)
non-persistent infection, requiring re-infection after each reboot; supported iOS versions: from 4.x (iPhone 4)
SWR: remote installation using CVE-2021-1879
Panzer / Bundestrojaner: n/a
DriveBadger: local data exfiltration only, through MTP, requires an already unlocked device

What information is available after installation
HackingTeam RCS:
- Skype call and chat
- Facebook chat and check-ins
- Gmail and Outlook.com
- Crypto currency transactions (e.g., Bitcoin, Litecoin, etc.)
- File capture
- Camera snapshots
- Key logging
DevilsTongue: standard package - access to:
- photos & screenshots
- emails, sms
- browsing history
- contact details
- calendar records
- GPS location tracking
- basic/advanced device info
- call history
- raw file retrieval
- Google Drive
- Dropbox
- WhatsApp
- FB Messenger
- Skype
- Telegram
- network details
- network change notifications
- recording microphone and phone calls (advertised, but we doubt whether it is really possible on this particular platform)
paid separately:
- Twitter
- Viber
- Signal
- WeChat
- Odnoklassniki
- Vkontakte
- Mail.ru
Pegasus:
- photos & screenshots
- emails, sms
- browsing history
- contact details
- calendar records
- conversations from Skype, WhatsApp, Twitter, Facebook, Viber, KakaoTalk
- GPS location tracking
- device settings
- network details
- raw file retrieval
SWR: ?
Panzer / Bundestrojaner: n/a
DriveBadger: everything that is remotely visible according to the phone/tablet security settings (access to raw files)

WINDOWS MOBILE & PHONE

Installation and tracking - Windows Mobile 5/6
HackingTeam RCS: dedicated RCS agent for WM 5/6, the same one that was later ported to WP8
DevilsTongue: n/a
Pegasus: ?
SWR: ?
Panzer / Bundestrojaner: n/a
DriveBadger: n/a

Installation and tracking - Windows Phone 7
HackingTeam RCS: it seems that support for WP7 was skipped
DevilsTongue: ?
Pegasus: ?
SWR: ?
Panzer / Bundestrojaner: n/a
DriveBadger: n/a

Installation and tracking - Windows Phone 8 / 8.1
HackingTeam RCS: dedicated RCS agent in the "Modern Native" architecture, only for WP 8.0 and 8.1.
Features:
- Skype call and chat
- Facebook chat and check-ins
- Gmail and Outlook.com
- Crypto currency transactions (e.g., Bitcoin, Litecoin, etc.)
- File capture
- Camera snapshots
- Key logging
DevilsTongue: ?
Pegasus: ?
SWR: ?
Panzer / Bundestrojaner: n/a
DriveBadger: local data exfiltration only, through MTP, requires an already unlocked device

Installation and tracking - Windows 10 Mobile
HackingTeam RCS: n/a
DevilsTongue: ?
Pegasus: ?
SWR: ?
Panzer / Bundestrojaner: n/a
DriveBadger: local data exfiltration only, through MTP, requires an already unlocked device

OTHER MOBILE DEVICES

Installation and tracking - Symbian
HackingTeam RCS: dedicated RCS agent; access to phone calls, microphone, SMSes, calendar, address book, serials and configuration data, and the raw filesystem
DevilsTongue: ?
Pegasus: supported Symbian versions: from 9.2
SWR: ?
Panzer / Bundestrojaner: n/a
DriveBadger: supported Symbian versions: from 9.3, PTP-only, defective, local data exfiltration only, requires an already unlocked device

Installation and tracking - BlackBerry (all versions)
HackingTeam RCS: dedicated RCS agent for J2ME (classic BB), partial support from 4.5, full from 5.0; installation requires a special C++ component that most probably has to be installed locally.
Features:
- Skype call and chat
- Facebook chat and check-ins
- Gmail and Outlook.com
- Crypto currency transactions (e.g., Bitcoin, Litecoin, etc.)
- File capture
- Camera snapshots
- Key logging
DevilsTongue: ?
Pegasus: supported BlackBerry versions: from 5.0 to 7.1 (Curve, Bold, Torch, Pearl); the documentation did not cover newer BlackBerry OS
SWR: ?
Panzer / Bundestrojaner: n/a
DriveBadger: QNX only, local data exfiltration only, through MTP, requires an already unlocked device

COSTS
(average, synthesized from many sources)

Annual cost per tracked user license (for first 10 users)
HackingTeam RCS: € 5,000
DevilsTongue: 0
Pegasus: $65 000
SWR: ?
Panzer / Bundestrojaner: ?
DriveBadger: free

Annual cost per tracked user license (above first 10 users, up to next limit)
HackingTeam RCS: € 4,000
DevilsTongue: € 100,000
Pegasus: $10 000
SWR: ?
Panzer / Bundestrojaner: ?
DriveBadger: free

Annual cost per operator
HackingTeam RCS: € 5000 * 10 included
DevilsTongue: 3 included + € 20 000 for each additional operator
Pegasus: ?
SWR: ?
Panzer / Bundestrojaner: ?
DriveBadger: free

One time entry cost - excluding trainings
HackingTeam RCS: € 530000 + € 240000 + € 230000
DevilsTongue: € 16,850,000
Pegasus: € 3,500,000
SWR: ?
Panzer / Bundestrojaner: ?
DriveBadger: only hardware cost

Trainings
HackingTeam RCS: € 55,000
DevilsTongue: ?
Pegasus: € 750,000
SWR: ?
Panzer / Bundestrojaner: ?
DriveBadger: depends on the training company, all documentation freely available

OTHER NOTES

C&C infrastructure
HackingTeam RCS: the Galileo RCS Anonymizer component (in fact, a modified "bbproxy" with added SSL support) was responsible for safeguarding the traffic. 3 licenses were included, each additional one cost € 50 000; anonymizers could be replaced for free within the license limit.
DevilsTongue: ?
Pegasus: Pegasus Anonymizing Transmission Network, up to 500 domains, DNS servers and others, to prevent easy detection of traffic; on most platforms the ability to self-destruct after 60 days of no connection, or after detecting a non-target SIM card
SWR: details unknown, probably all C&C infrastructure is built separately per target
Panzer / Bundestrojaner: data exfiltration through SMTP with encrypted attachments, using a pre-configured server name (without smtp-auth or TLS)
DriveBadger: no remote infrastructure is required, unless Drive Badger is weaponized using 3rd party exploit(s). As for local infrastructure:
1. https://github.com/drivebadger/drivebadger/wiki/Recommended-hardware
2. https://github.com/drivebadger/mobilebadger/wiki/Recommended-hardware

Indicators of Compromise
HackingTeam RCS: full code available on Github; several fragments of compiled code and particular techniques are very well detected by antivirus/security software (which makes them unusable for a real attack)
DevilsTongue: https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
Pegasus:
- https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso
- https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/
- https://sekurak.pl/czym-jest-oprogramowanie-szpiegowskie-pegasus-analiza-zagrozenia-oraz-metody-jego-wykrywania/

More photos
DevilsTongue: https://sekurak.pl/devilstongue-czyli-lepszy-pegasus-od-izraelskiej-firmy-candiru/#comment-96837
Pegasus: https://niebezpiecznik.pl/post/jak-wyglada-rzadowy-trojan-pegasus-od-srodka/
DriveBadger: https://drivebadger.com/history.html

Other materials
HackingTeam RCS: https://github.com/hackedteam/core-linux/tree/master/contrib
DevilsTongue: https://www.themarker.com/embeds/pdf_upload/2020/20200902-161742.pdf
Pegasus:
- https://wiadomosci.radiozet.pl/Polska/Polityka/Pegasus-w-Polsce.-CBA-kupilo-potezne-oprogramowanie-szpiegowskie
- https://s3.documentcloud.org/documents/4599753/NSO-Pegasus.pdf
Panzer / Bundestrojaner: https://en.wikipedia.org/wiki/MiniPanzer_and_MegaPanzer
DriveBadger: https://drivebadger.com/

Source code link
HackingTeam RCS: https://github.com/hackedteam/
DevilsTongue: -
Pegasus: https://github.com/jonathandata1/pegasus_spyware
SWR: -
Panzer / Bundestrojaner:
- https://sourceforge.net/projects/mega-panzer/
- https://sourceforge.net/projects/mini-panzer/
DriveBadger: https://github.com/drivebadger/

Source code status
HackingTeam RCS: stolen, released half-officially on Github
DevilsTongue: closed source
Pegasus: decompiled samples, mainly from Android agents
SWR: status unknown
Panzer / Bundestrojaner: early versions of client parts stolen, released half-officially on SourceForge
DriveBadger: open source

The above comparison was assembled by Tomasz Klim, https://github.com/tomaszklim/ - if you find it useful, consider supporting my work: https://github.com/sponsors/tomaszklim