
The software that spies on us costs a few tens of euros

by admin

In recent days there has been a lot of discussion about the threat posed by spy software, following the shocking revelations about the abuse of the Pegasus spyware. But what sets Pegasus apart from other spy software? Are there other products with the same characteristics? Is there software with similar functionality that malicious people can find online? These are just some of the questions that onlookers and journalists have asked me in recent days, and I believe the answers can help us understand how exposed we really are to these threats.

Pegasus is an extremely complex spy software developed by the Israeli company NSO Group. Like other spyware, it turns the victim's device into an extremely powerful spying tool, in this case without the victim having to interact with the attacker at all. That feature is the result of zero-click exploits: code that abuses flaws without the victim taking any action, such as clicking a link in a received message or visiting a compromised website. Software such as Pegasus chains numerous zero-days, flaws not publicly known at the time of the attack, to maximize the effectiveness of the attack. Zero-day and zero-click exploits are expensive ingredients for those who develop spy software: they require complex and costly vulnerability research, or must be purchased on the underground exploit market.

In Italy there are several companies that develop spy software; unfortunately many of them lack the resources and spending power that would make their products competitive with Pegasus. The revenue these companies earn by selling their services to our prosecutors' offices is often not enough to sustain products of a quality comparable to NSO's. Finding Italian spyware with zero-click capabilities, especially against the latest generation of iPhone devices, is anything but simple.


What is the alternative? Turn to foreign companies, with obvious exposure of the investigation system in which they are used.

NSO Group is not the only surveillance company able to provide such sophisticated systems. In the past few weeks another Israeli surveillance company, Candiru (also tracked as Sourgum), has appeared seemingly out of nowhere as the producer of spy software reportedly used to spy on at least 100 activists, journalists and dissidents in at least 10 countries. In this case too, the spy software could count on zero-day exploits for the silent infection of the victims' systems. The discovery of Candiru is proof of how prolific the growing, billion-dollar surveillance market is: an international business governed by weak rules that can be circumvented in the name of profit.

Can we defend ourselves against software like Candiru and Pegasus?

The answer is no: common defense systems are unable to reveal the presence of this software, and only a thorough forensic investigation can establish that a device has been compromised. Surveillance, however, is not the prerogative of large companies; plenty of cheap software allows anyone to spy on a person with an extremely modest investment. In the past few weeks, Check Point Research (CPR) experts found a new variant of the XLoader spyware, updated to infect both Windows and macOS systems. XLoader is a very inexpensive spyware derived from the popular Windows Formbook malware. XLoader first appeared in February, when it was put up for sale on some forums used by cyber criminals.


The software is evidently not as sophisticated as the Israeli spy software mentioned above and requires an interaction by the victim to initiate the infection. The attack vector is a phishing message carrying a Microsoft Office document as an attachment, crafted so that the infection chain starts once the document is opened and the macros it contains are enabled. XLoader is offered to customers under a Malware-as-a-Service model: the seller rents it out for fixed periods of time at a moderate price, as the table below shows.

Package                          Price
Windows, executable, 1 month     $59
Windows, executable, 3 months    $129
macOS, Mach-O, 1 month           $49
macOS, Mach-O, 3 months          $99

With only 129 dollars it is possible to keep a Windows system under control for 3 months, while for macOS systems 99 dollars are enough. To understand how widespread this type of threat is, consider that between December 1, 2020 and June 1, 2021 Check Point researchers observed Formbook/XLoader requests from as many as 69 countries.
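The delivery vector described above, a phishing attachment that only does harm once its macros are enabled, is also the cheapest place to stop this class of malware: an e-mail gateway can refuse macro-bearing Office documents before a user ever sees the "Enable Content" button. The following is an added example written for this article, not code from Check Point or from the XLoader authors. It inspects attachments offline: modern OOXML files (.docx/.docm/.xlsm) are ZIP packages in which VBA lives in a vbaProject.bin part and is declared by a macroEnabled content type, while legacy OLE files (.doc/.xls) need an OLE parser such as oletools' olevba to enumerate VBA streams, so they are only flagged for review. The sample documents are constructed in memory and contain no real malware; the verdict labels (allow/review/block) are an assumption of this example.

```python
"""Triage e-mail attachments for VBA macros (added example, not the page's own code)."""
import io
import re
import zipfile

# Magic bytes of the legacy binary Office container (compound file / OLE2).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Part names under which OOXML stores VBA projects (Word, Excel, PowerPoint).
VBA_PART_RE = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$")
# Content types that only macro-enabled packages declare.
MACRO_CT_RE = re.compile(r"macroEnabled|vnd\.ms-office\.vbaProject")


def scan_attachment(filename: str, data: bytes) -> dict:
    """Return a triage record for one attachment.

    verdict: "block"  - OOXML package carrying a vbaProject.bin part
             "review" - legacy OLE file, or a macroEnabled content type without a
                        visible VBA part (needs deeper parsing)
             "allow"  - no evidence of VBA in a format this scanner understands
    """
    record = {
        "filename": filename,
        "container": "other",
        "vba_parts": [],
        "macro_content_type": False,
        "verdict": "allow",
    }
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls: VBA is in OLE streams we do not parse here.
        record["container"] = "ole"
        record["verdict"] = "review"
        return record
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return record  # a ZIP, but not an Office package
            record["container"] = "ooxml"
            # Look for the VBA part itself, whatever the file extension claims.
            record["vba_parts"] = [n for n in names if VBA_PART_RE.match(n)]
            ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            record["macro_content_type"] = bool(MACRO_CT_RE.search(ct_xml))
    except zipfile.BadZipFile:
        return record  # neither OLE nor ZIP: not an Office document
    if record["vba_parts"]:
        record["verdict"] = "block"
    elif record["macro_content_type"]:
        record["verdict"] = "review"
    return record


def triage(attachments: dict) -> dict:
    """Map attachment name -> verdict for a batch of (name, bytes) pairs."""
    return {name: scan_attachment(name, data)["verdict"] for name, data in attachments.items()}


# --- Constructed sample input (minimal packages, not real documents) -------------
CT_OPEN = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">')
CLEAN_CT_XML = CT_OPEN + (
    '<Override PartName="/word/document.xml" ContentType="application/'
    'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
MACRO_CT_XML = CT_OPEN + (
    '<Override PartName="/word/document.xml" ContentType="application/'
    'vnd.ms-word.document.macroEnabled.main+xml"/>'
    '<Override PartName="/word/vbaProject.bin" ContentType="application/'
    'vnd.ms-office.vbaProject"/></Types>')


def build_ooxml(content_types: str, extra_parts: dict) -> bytes:
    """Build a minimal OOXML package in memory for testing the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        for name, payload in extra_parts.items():
            zf.writestr(name, payload)
    return buf.getvalue()


SAMPLES = {
    "invoice.docx": build_ooxml(CLEAN_CT_XML, {}),
    # Placeholder vbaProject.bin: a real one is an OLE container holding compressed VBA.
    "invoice.docm": build_ooxml(MACRO_CT_XML, {"word/vbaProject.bin": OLE_MAGIC + b"\x00" * 64}),
    "invoice.doc": OLE_MAGIC + b"\x00" * 504,
    "readme.txt": b"plain text, not an Office document",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:14s} {verdict}")
```

The check keys on the VBA part rather than on the file extension, so renaming a .docm to .docx does not hide the macro from the scanner; a full deployment would add the MS-OVBA decompression that olevba performs in order to read the macro source and spot auto-execute procedures such as AutoOpen or Document_Open.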

I mentioned XLoader only as an example; numerous tools with similar functionality are offered on dark web forums for figures ranging from one hundred dollars to over 2,500 dollars for products that include the source code and dedicated support from the spyware's authors.

The wide availability of this specific category of malware proves, if proof were needed, that demand for it is high. What is most worrying, however, is the growing sophistication of software that is offered at a very low price: many of these tools are able to evade most current anti-malware systems and are constantly updated by their authors.

