38 Matching Annotations
  1. May 2023
  2. Jul 2021
    1. most Pegasus process names seem to be simply disguised to appear as legitimate iOS system processes, perhaps to fool forensic investigators inspecting logs.

      Masquerade as Legitimate Application https://attack.mitre.org/techniques/T1444/

    2. Pegasus has deleted the names of malicious processes from the ZPROCESS table in DataUsage database but not the corresponding entries from the ZLIVEUSAGE table.
    3. Initially, many iMessage (com.apple.madrid) push notifications were received, and attachment chunks were written to disk
    4. multiple successful zero-click infections in May and June 2021. We can see one example of this on 17 May 2021. An unfamiliar iMessage account is recorded and in the following minutes at least 20 iMessage attachment chunks are created on disk.

      adding email to contact list to trigger user-discovery routine as a trigger for the infection.

    5. While we have not been able to extract records from Cache.db databases due to the inability to jailbreak these two devices, additional diagnostic data extracted from these iPhones show numerous iMessage push notifications immediately preceding the execution of Pegasus processes

      malware pushed using a legitimate app's push message. first of its kind of attack.

    6. The same CloudFront website was contacted by com.apple.coretelephony and the additional processes executed, downloaded and launched additional malicious components
    7. Amnesty International believes this to be the payload launched as gatekeeperd

      Masquerade as Legitimate Application https://attack.mitre.org/techniques/T1444/

    8. HTTP request performed by the com.apple.coretelephony process. This is a component of iOS involved in all telephony-related tasks and likely among those exploited in this attack
    9. Pegasus is currently being delivered through zero-click exploits which remain functional through the latest available version of iOS at the time of writing (July 2021).
    10. if Apple Music was itself exploited to deliver the initial infection or if instead, the app was abused as part of a sandbox escape and privilege escalation chain
    11. In many cases the same iMessage account reoccurs across multiple targeted devices, potentially indicating that those devices have been targeted by the same operator
    12. In many cases we discovered suspected Pegasus processes executed on devices immediately following suspicious iMessage account lookups
    13. iOS keeps a record of Apple IDs seen by each installed application in a plist file located at /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist. This file is also typically available in a regular iTunes backup, so it can be easily extracted without the need of a jailbreak.
    14. However, while it is only effective on domestic networks, the targeting of foreign targets or of individuals in diaspora communities also changed

      possibly the malware synced in through rogue icloud accounts which were surreptitiously added to the target device, or through a trigger based on iMessage sync for a canary email address.

    15. Network injection is an effective and cost-efficient attack vector for domestic use especially in countries with leverage over mobile operators

      leverage with mobile operators can be used for redirection attacks. if mobile no is equal to this, when the user requests this url, redirect him to this url

    16. The discovery of network injection attacks in Morocco signalled that the attackers’ tactics were indeed changing
    17. iCloud accounts seem to be central to the delivery of multiple “zero-click” attack vectors in many recent cases of compromised devices analysed by Amnesty International
    18. apps themselves may have been exploited or their functionality misused to deliver a more traditional JavaScript or browser exploit to the device
    19. iOS Photos app or the Photostream service were used as part of an exploit chain to deploy Pegasus.
    20. crash reporting was disabled by writing a com.apple.CrashReporter.plist file to the device

      Install Insecure or Malicious Configuration https://attack.mitre.org/techniques/T1478/

    21. A process named pcsd and one named fmld appeared in 2018
    22. Amnesty International believes the roleaboutd and msgacntd processes are a later stage of the Pegasus spyware which was loaded after a successful exploitation and privilege escalation with the BridgeHead payload.
    23. com.apple.softwareupdateservicesd.plist file was modified

      Install Insecure or Malicious Configuration https://attack.mitre.org/techniques/T1478/

    24. vulnerability in the iOS JavaScriptCore Binary (jsc) to achieve code execution on the device.
    25. The domain baramije[.]net was registered one day before urlpush[.]net, and a decoy website was set up using the open source Textpattern CMS

      Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/

      Pegasus-ToDo

      Secops101

    26. his phone was redirected to an exploitation page at gnyjv1xltx.info8fvhgl3.urlpush[.]net passing through the domain baramije[.]net.

      Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/

    27. visited the website of French newspaper Le Parisien, and a network injection redirected him through the staging domain tahmilmilafate[.]com and then eventually to free247downloads[.]com as well. We also saw tahmilmilafate[.]info used in the same way

      Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/

    28. http://yahoo.fr, and a network injection forcefully redirected the browser to documentpro[.]org before further redirecting to free247downloads[.]com and proceed with the exploitation.

      Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/

    29. additional staging domains are used as trampolines eventually leading to the infection servers
    30. When previewing a link shared in his timeline, the service com.apple.SafariViewService was invoked to load a Safari WebView,

      [Closest match on the db] Drive-by Compromise https://attack.mitre.org/techniques/T1456/

    31. well as potentially intentionally purged by malware
    32. network injection attacks performed either through tactical devices, such as rogue cell towers, or through dedicated equipment placed at the mobile operator

      Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/

    33. 4th level subdomain, a non-standard high port number, and a random URI similar to links contained in SMS messages previously documented

      Domain Generation Algorithms https://attack.mitre.org/techniques/T1520/

    34. suspicious redirects recorded in Safari’s browsing history

      Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/

    35. SMS messages with Pegasus exploit

      MITRE Mobile ATT&CK Void

    36. These also include so-called “zero-click” attacks which do not require any interaction from the target.

      MITRE Mobile ATT&CK Void
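Annotation 8 above records that Pegasus removed its process names from the ZPROCESS table of the DataUsage database while leaving the matching rows in ZLIVEUSAGE. The following is an added example, not code from the Amnesty report or from MVT, showing how a defender can surface such orphaned rows: usage records whose process reference no longer resolves. Only the two table names come from the annotation; the column names (Z_PK, ZHASPROCESS, ZPROCNAME, ZWWANIN and so on) and the Core Data epoch handling are assumptions, and the database contents are constructed in memory for the demonstration.

```python
import sqlite3
from datetime import datetime, timezone

# Core Data stores timestamps as seconds since 2001-01-01 UTC (assumed layout).
COREDATA_EPOCH_OFFSET = 978307200


def build_sample_datausage():
    """Build a constructed, in-memory DataUsage-style database.

    Column names are an assumption based on the Core Data convention of
    Z-prefixed columns and a ZHASPROCESS foreign key; only the table names
    ZPROCESS and ZLIVEUSAGE are taken from the annotated report.
    """
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute(
        "CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP REAL, "
        "ZTIMESTAMP REAL, ZBUNDLENAME TEXT, ZPROCNAME TEXT)"
    )
    cur.execute(
        "CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, "
        "ZTIMESTAMP REAL, ZWIFIIN INTEGER, ZWIFIOUT INTEGER, "
        "ZWWANIN INTEGER, ZWWANOUT INTEGER)"
    )
    # Constructed reference time: 2021-05-17 10:00:00 UTC, expressed as Core Data seconds.
    base = datetime(2021, 5, 17, 10, 0, tzinfo=timezone.utc).timestamp() - COREDATA_EPOCH_OFFSET
    # A legitimate process that is still present in ZPROCESS.
    cur.execute(
        "INSERT INTO ZPROCESS VALUES (1, ?, ?, 'com.apple.mobilesafari', 'MobileSafari')",
        (base, base + 600),
    )
    cur.execute("INSERT INTO ZLIVEUSAGE VALUES (1, 1, ?, 1000, 2000, 0, 0)", (base + 30,))
    # Usage rows that reference process 7, for which no ZPROCESS row exists any more.
    cur.execute("INSERT INTO ZLIVEUSAGE VALUES (2, 7, ?, 0, 0, 512, 40960)", (base + 120,))
    cur.execute("INSERT INTO ZLIVEUSAGE VALUES (3, 7, ?, 0, 0, 256, 8192)", (base + 180,))
    conn.commit()
    return conn


def find_orphan_usage(conn):
    """Return ZLIVEUSAGE rows whose ZHASPROCESS matches no ZPROCESS.Z_PK.

    A LEFT JOIN keeps every usage row; rows where the joined process key is
    NULL are the orphans. Each result carries the UTC timestamp and the
    WWAN/Wi-Fi byte counters so an analyst can correlate with other logs.
    """
    rows = conn.execute(
        """
        SELECT u.Z_PK, u.ZHASPROCESS, u.ZTIMESTAMP,
               u.ZWWANIN, u.ZWWANOUT, u.ZWIFIIN, u.ZWIFIOUT
        FROM ZLIVEUSAGE AS u
        LEFT JOIN ZPROCESS AS p ON p.Z_PK = u.ZHASPROCESS
        WHERE p.Z_PK IS NULL
        ORDER BY u.ZTIMESTAMP
        """
    ).fetchall()
    orphans = []
    for pk, proc_ref, ts, wwan_in, wwan_out, wifi_in, wifi_out in rows:
        when = datetime.fromtimestamp(ts + COREDATA_EPOCH_OFFSET, tz=timezone.utc)
        orphans.append(
            {
                "usage_pk": pk,
                "process_ref": proc_ref,
                "timestamp": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "wwan_bytes": wwan_in + wwan_out,
                "wifi_bytes": wifi_in + wifi_out,
            }
        )
    return orphans


if __name__ == "__main__":
    db = build_sample_datausage()
    for row in find_orphan_usage(db):
        print(
            f"orphan usage {row['usage_pk']}: process ref {row['process_ref']} "
            f"at {row['timestamp']} wwan={row['wwan_bytes']} wifi={row['wifi_bytes']}"
        )
```

On a real extraction the same query runs against the copied DataUsage.sqlite instead of the constructed connection; an orphaned process reference is a lead to correlate with the iMessage lookups and push-notification timing described in annotations 3 to 5, not a verdict on its own.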