Version BAD NETWORK/FIREWALL
lecture: Pegasus internals
Technical Teardown of the Pegasus malware and Trident exploit chain
This talk will take an in-depth look at the technical capabilities and vulnerabilities used by Pegasus. We will focus on Pegasus’s features and the exploit chain Pegasus used called Trident. Attendees will learn about Pegasus’s use of 0-days, obfuscation, encryption, function hooking, and its ability to go unnoticed. We will present our detailed technical analysis that covers each payload stage of Pegasus including its exploit chain and the various 0-day vulnerabilities that the toolkit was using to jailbreak a device. After this talk attendees will have learned all of the technical details about Pegasus and Trident and how the vulnerabilities we found were patched.
Introduction to the talk and the background of the speaker
2. Technical Analysis
In the technical analysis section we will cover in-depth the three stages of this attack including the exploits and the payloads used at each stage. We will detail the obfuscation and encryption techniques the developers used to hide the payloads. We will also examine the 0-day vulnerabilities, called Trident, that we found, which allow for a remote jailbreak on the latest versions of iOS (up to 9.3.4) via Safari.
* 0-days (responsibly disclosed to Apple)
* Malware techniques
* Obfuscation and encryption techniques
The technical analysis will continue and detail the software that gets installed including what it was designed to collect, which includes texts, emails, chats, calendars, and voice calls from apps including Viber, WhatsApp, Skype, SMS, iMessage, Facebook, WeChat, Viber, WhatsApp, Telegram, Vkontakte, Odnoklassniki, Line, Mail.Ru Agent, Tango, Pegasus, Kakao Talk, and more.
* Application Hooking
* Use of SIP for exfiltration
* Historical Analysis of jailbreaks
We will detail how the jailbreak techniques used by this software have changed and adapted to the changing security mechanisms added to iOS over the years.
4. Summary and conclusions