Catalan politicians and activists targeted by Pegasus and Candiru spyware

Experts report that a new zero-day exploit in Apple iMessage was used to install spyware from the NSO Group

Catalan politicians targeted by spyware: Pegasus and Candiru malware were spread by exploiting the iOS flaw

The previously unknown flaw was used to install mercenary spyware on the devices of 65 individuals. Catalan jurists, legislators, and activists were targeted by Pegasus and Candiru malware.[1] The targets include Pere Aragonès, president of the Catalan Government, members of the European Parliament, Catalan legislators, family members of jurists, and activists.[2] According to the official reports, this cyber espionage[3] campaign is part of a multi-year clandestine operation.

Pegasus spyware was delivered to 63 of the 65 individuals; the other two received Candiru malware. The iPhone infiltrations are said to have taken place between 2017 and 2020.[4] The attack weaponized an iOS exploit dubbed HOMAGE, which made compromising the devices straightforward.

iPhones running versions prior to iOS 13.2, released on October 18, 2019, were affected. The intrusions have not been formally attributed to a particular group or threat actor. However, researchers state that there is strong circumstantial evidence linking these operations to Spanish authorities.

Attacks abused zero-click iMessage exploits and malicious SMS messages

The attacks also used a WhatsApp vulnerability that had not been patched. In addition, attackers abused multiple zero-day flaws in iMessage, along with malicious SMS messages, to compromise the Catalan targets' iPhones and deploy Pegasus over a three-year period.

The HOMAGE exploit appears to have been in use during the last months of 2019. It involved an iMessage zero-click component that launched a WebKit instance in the receiving process, following a lookup for a Pegasus-controlled email address.

The exploited flaw was fixed in iOS 13.2. The same operators were also observed using the exploit chain named KISMET against devices running iOS 13.5.1.[5]

Devices infected with Candiru spyware were compromised through email-based social engineering. The campaign was designed to trick targets into opening legitimate-looking links about COVID-19 and messages posing as correspondence from Mobile World Congress.

Malware designed to gain access to sensitive information

Pegasus and Candiru are engineered to covertly gain extensive access to a device so that sensitive information stored on mobile and desktop machines can be read, copied, and exfiltrated. These programs are capable of reading text messages, listening to calls, collecting passwords, and tracking location.

These threats can also activate the device's microphone and camera to harvest information. Because the spyware runs on the endpoint itself, it can monitor calls and chats even when they are end-to-end encrypted, and it lets operators maintain persistent access to targets. The use of Pegasus and Candiru ties the operation to the commercial spyware vendors behind these tools, NSO Group among them.

Pegasus is spyware developed by the Israeli NSO Group, and various governments have used it to spy on politicians, journalists, and activists, including beyond the EU. Overlaps in infrastructure and hacking operations, together with the timing of the attacks and the pattern of victims, lead researchers to suspect ties to the Spanish government.

If this is confirmed, it raises serious questions about oversight of the country's security agencies. The Spanish government should come clean about its involvement. A proper investigation into this use of spyware is needed, especially since the targets were so closely tied to government institutions.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
