73 Matching Annotations
  1. Aug 2021
    1. Smith observed that one worker alone might make 20 pins in a day, but that a small business of 10 workers (some of whom would need to do two or three of the 18 tasks involved with pin-making), could make 48,000 pins in a day. How can a group of workers, each specializing in certain tasks, produce so much more than the same number of workers who try to produce the entire good or service by themselves? Smith offered three reasons.

      Pipelining too

  2. Jul 2021
    1. Frequently this website was running a random and sometimes obscure PHP application or CMS
    2. NSO Group rapidly shut down many of their Version 3 servers shortly after the Amnesty International and Citizen Lab’s publications on 1 August 2018.
    3. The fingerprint technique is conceptually similar to the JA3S fingerprint technique published by Salesforce in 2019
    4. Amnesty International presented an excerpt of more than 600 domain names tied to NSO Group’s attack infrastructure
    5. most Pegasus process names seem to be simply disguised to appear as legitimate iOS system processes, perhaps to fool forensic investigators inspecting logs.

      Masquerade as Legitimate Application https://attack.mitre.org/techniques/T1444/

    6. Pegasus is no longer maintaining persistence on iOS devices
    7. System log files also reveal the location of Pegasus binaries on disk. These file names match those we have consistently observed in the process execution logs presented earlier. The binaries are located inside the folder /private/var/db/com.apple.xpc.roleaccountd.staging/ which is consistent with the findings by Citizen Lab in a December 2020 report.
    8. Pegasus has deleted the names of malicious processes from the ZPROCESS table in DataUsage database but not the corresponding entries from the ZLIVEUSAGE table.
    9. manipulation becomes evident when verifying the consistency of leftover records in the DataUsage.sqlite and netusage.sqlite SQLite databases.

      ..

    10. manipulate system databases and records on infected devices to hide its traces and impede the research efforts of Amnesty International and other investigators

      ..

    11. These most recent discoveries indicate NSO Group’s customers are currently able to remotely compromise all recent iPhone models and versions of iOS. 
    12. Initially, many iMessage (com.apple.madrid) push notifications were received, and attachment chunks were written to disk
    13. multiple successful zero-click infections in May and June 2021. We can see one example of this on 17 May 2021. An unfamiliar iMessage account is recorded and in the following minutes at least 20 iMessage attachment chunks are created on disk.

      Adding an email to the contact list to trigger the user-discovery routine, as a trigger for the infection.

    14. While we have not been able to extract records from Cache.db databases due to the inability to jailbreak these two devices, additional diagnostic data extracted from these iPhones show numerous iMessage push notifications immediately preceding the execution of Pegasus processes

      Malware pushed using a legitimate app's push message; first of its kind of attack.

    15. iMessage look-up for the account linakeller2203[@]gmail.com on June 11th 2021 and malicious processes afterwards

      ..

    16. a random identifier tied to the attack attempt followed by the word "stadium".
    17. Both the free247downloads[.]com and opposedarrangements[.]net domains matched our Pegasus V4 domain fingerprint.

      ..

    18. 4th level domain structure and non-standard high port number as the 2019

      ..

    19. Although versions 14.4.1 and 14.4.2 were already available then, they only addressed vulnerabilities in WebKit, so it is safe to assume the vulnerability leveraged in these iMessage attacks was exploited as a 0-day.

      ..

    20. The same CloudFront website was contacted by com.apple.coretelephony and the additional processes executed, downloaded and launched additional malicious components
    21. the same iMessage account observed in the previous separate case was involved in this exploitation and compromise months later

      ..

    22. Amnesty International believes this to be the payload launched as gatekeeperd

      Masquerade as Legitimate Application https://attack.mitre.org/techniques/T1444/

    23. downloaded binary in the fsCachedData sub-folder, but it was unfortunately encrypted
    24. The Cache.db file for com.apple.coretelephony contains details about the HTTP response which appeared to have been a download of ~250kb of binary data
    25. a service fronted by Amazon CloudFront, suggesting NSO Group has switched to using AWS services in recent months
    26. We found traces of this HTTP request in a cache file stored on disk at /private/var/wireless/Library/Caches/com.apple.coretelephony/Cache.db containing metadata on the request and the response.
    27. HTTP request performed by the com.apple.coretelephony process. This is a component of iOS involved in all telephony-related tasks and likely among those exploited in this attack
    28. Pegasus is currently being delivered through zero-click exploits which remain functional through the latest available version of iOS at the time of writing (July 2021).
    29. This domain matched a distinctive fingerprint we devised while conducting Internet-wide scans following our discovery of the network injection attacks in Morocco
    30. HTTP request performed by the Apple Music app points to the domain opposedarrangement[.]net
    31. built-in apps such as the iTunes Store app can be abused to run a browser exploit while escaping the restrictive Safari application sandbox.
    32. if Apple Music was itself exploited to deliver the initial infection or if instead, the app was abused as part of a sandbox escape and privilege escalation chain
    33. It is interesting to note that in the traces Amnesty International recovered from 2019, the iMessage lookups that immediately preceded the execution of suspicious processes often contained two-byte 0x00 padding in the email address recorded by the ID Status Cache file
    34. In many cases the same iMessage account reoccurs across multiple targeted devices, potentially indicating that those devices have been targeted by the same operator
    35. In many cases we discovered suspected Pegasus processes executed on devices immediately following suspicious iMessage account lookups
    36. iOS keeps a record of Apple IDs seen by each installed application in a plist file located at /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist. This file is also typically available in a regular iTunes backup, so it can be easily extracted without the need of a jailbreak.
    37. However, while it is only effective on domestic networks, the targeting of foreign targets or of individuals in diaspora communities also changed

      Possibly the malware synced in through rogue iCloud accounts which were surreptitiously added to the target device, or through a trigger based on iMessage sync for a canary email address.

    38. Network injection is an effective and cost-efficient attack vector for domestic use especially in countries with leverage over mobile operators

      Leverage with mobile operators can be used for redirection attacks: if the mobile number is equal to this, then when the user requests this URL, redirect him to this URL.

    39. The discovery of network injection attacks in Morocco signalled that the attackers’ tactics were indeed changing
    40. iCloud accounts seem to be central to the delivery of multiple “zero-click” attack vectors in many recent cases of compromised devices analysed by Amnesty International
    41. Amnesty International found the same iCloud account bogaardlisa803[@]gmail.com recorded as linked to the “com.apple.private.alloy.photostream” service on both devices
    42. apps themselves may have been exploited or their functionality misused to deliver a more traditional JavaScript or browser exploit to the device
    43. OS Photos app or the Photostream service were used as part of an exploit chain to deploy Pegasus.
    44. crash reporting was disabled by writing a com.apple.CrashReporter.plist file to the device

      Install Insecure or Malicious Configuration https://attack.mitre.org/techniques/T1478/

    45. A process named pcsd and one named fmld appeared in 2018
    46. Amnesty International believes the roleaboutd and msgacntd processes are a later stage of the Pegasus spyware which was loaded after a successful exploitation and privilege escalation with the BridgeHead payload.
    47. com.apple.softwareupdateservicesd.plist file was modified

      Install Insecure or Malicious Configuration https://attack.mitre.org/techniques/T1478/

    48. _kBridgeHeadConfigurationFilePath in the libaudio.dylib file part of the Pegasus bundle
    49. configuration file located at /var/tmp/jb_cfg
    50. vulnerability in the iOS JavaScriptCore Binary (jsc) to achieve code execution on the device.
    51. network usage databases contained records of a suspicious process called “bh”. This “bh” process was observed on multiple occasions immediately following visits to Pegasus Installation domains.
    52. iOS maintains records of process executions and their respective network usage in two SQLite database files called “DataUsage.sqlite” and “netusage.sqlite” which are stored on the device. It is worth noting that while the former is available in iTunes backup, the latter is not. Additionally, it should be noted that only processes that performed network activity will appear in these databases.
    53. primarily attributed Pegasus spyware attacks based on the domain names and other network infrastructure used to deliver the attacks
    54. The domain baramije[.]net was registered one day before urlpush[.]net, and a decoy website was set up using the open source Textpattern CMS

      Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/

      Pegasus-ToDo

      Secops101

    55. his phone was redirected to an exploitation page at gnyjv1xltx.info8fvhgl3.urlpush[.]net passing through the domain baramije[.]net.

      Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/

    56. visited the website of French newspaper Le Parisien, and a network injection redirected him through the staging domain tahmilmilafate[.]com and then eventually to free247downloads[.]com as well. We also saw tahmilmilafate[.]info used in the same way

      Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/

    57. http://yahoo.fr, and a network injection forcefully redirected the browser to documentpro[.]org before further redirecting to free247downloads[.]com and proceed with the exploitation.

      Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/

    58. additional staging domains are used as trampolines eventually leading to the infection servers
    59. Session Resource logs
    60. Safari does not record full redirect chains, and might only keep history records showing the final page that was loaded

      Apple-ToDo

    61. Safari’s Session Resource logs provide additional traces that do not consistently appear in Safari’s browsing history
    62. app-specific WebKit local storage, IndexedDB folders,

      Pegasus-ToDo

    63. When previewing a link shared in his timeline, the service com.apple.SafariViewService was invoked to load a Safari WebView,

      [Closest match on the db] Drive-by Compromise https://attack.mitre.org/techniques/T1456/

    64. these redirects do not only happen when the target is navigating the Internet with the browser app, but also when using other apps
    65. For example, we could identify visits through Safari’s Favicon.db database, which was left intact by Pegasus

      Pegasus-ToDo

    66. well as potentially intentionally purged by malware
    67. network injection attacks performed either through tactical devices, such as rogue cell towers, or through dedicated equipment placed at the mobile operator

      Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/

    68. 4th level subdomain, a non-standard high port number, and a random URI similar to links contained in SMS messages previously documented

      Domain Generation Algorithms https://attack.mitre.org/techniques/T1520/

    69. suspicious redirects recorded in Safari’s browsing history

      Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/

    70. SMS messages with Pegasus exploit

      MITRE Mobile ATT&CK Void

    71. These also include so-called “zero-click” attacks which do not require any interaction from the target.

      MITRE Mobile ATT&CK Void
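
Worked example for Jul 2021 annotations 8 to 10 and 51 to 52 above (the ZPROCESS/ZLIVEUSAGE consistency check and the DataUsage.sqlite process records). This is added example code, not from the Amnesty report or its tooling. The two-table schema is a constructed subset: only Z_PK, ZHASPROCESS and ZPROCNAME are named in the annotations; the other column names, the Core Data timestamp handling, the sample rows and the suspicious-process list are assumptions made for the example.

```python
"""Consistency check between ZPROCESS and ZLIVEUSAGE in a DataUsage-style
SQLite database. Example code written for this annotation list; not from the
Amnesty report or from any forensic tool. The schema is a constructed subset
(assumption); only Z_PK, ZHASPROCESS and ZPROCNAME come from the annotations."""

import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data stores timestamps as seconds since 2001-01-01 UTC (assumed here).
COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Process names quoted in the annotations (bh, roleaboutd, msgacntd, pcsd,
# fmld). Matching is exact: a name disguised to look like an Apple daemon
# will not match and still needs a human look.
SUSPICIOUS_PROCNAMES = {"bh", "roleaboutd", "msgacntd", "pcsd", "fmld"}


def build_sample_db():
    """In-memory DB with constructed rows: one legitimate process, one
    suspicious one, and one ZLIVEUSAGE row whose ZPROCESS parent has been
    deleted (the manipulation pattern the report describes)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ZPROCESS (
            Z_PK INTEGER PRIMARY KEY,
            ZFIRSTTIMESTAMP REAL, ZTIMESTAMP REAL,
            ZPROCNAME TEXT, ZBUNDLENAME TEXT);
        CREATE TABLE ZLIVEUSAGE (
            Z_PK INTEGER PRIMARY KEY,
            ZHASPROCESS INTEGER, ZTIMESTAMP REAL,
            ZWIFIIN INTEGER, ZWIFIOUT INTEGER,
            ZWWANIN INTEGER, ZWWANOUT INTEGER);
    """)
    t0 = (datetime(2021, 5, 17, 10, 0, tzinfo=timezone.utc)
          - COREDATA_EPOCH).total_seconds()
    db.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?,?)", [
        (1, t0, t0 + 60, "apsd", "com.apple.apsd"),
        (2, t0 + 120, t0 + 180, "bh", None),
        # Z_PK 3 is intentionally absent: its ZPROCESS row was "deleted".
    ])
    db.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?,?,?)", [
        (10, 1, t0 + 60, 4096, 1024, 0, 0),
        (11, 2, t0 + 180, 0, 0, 251000, 2048),
        (12, 3, t0 + 240, 0, 0, 1500, 900),   # orphan: no ZPROCESS row 3
    ])
    db.commit()
    return db


def coredata_to_utc(ts):
    return COREDATA_EPOCH + timedelta(seconds=ts)


def list_processes(db):
    """Every process that has network-usage rows (processes with no network
    activity never appear in these tables, as annotation 52 notes)."""
    rows = db.execute("""
        SELECT P.ZPROCNAME, P.ZBUNDLENAME, P.ZFIRSTTIMESTAMP,
               L.ZWIFIIN + L.ZWIFIOUT, L.ZWWANIN + L.ZWWANOUT
        FROM ZLIVEUSAGE L JOIN ZPROCESS P ON L.ZHASPROCESS = P.Z_PK
        ORDER BY P.ZFIRSTTIMESTAMP""").fetchall()
    return [{"proc": r[0], "bundle": r[1],
             "first_seen": coredata_to_utc(r[2]).isoformat(),
             "wifi_bytes": r[3], "wwan_bytes": r[4]} for r in rows]


def find_orphaned_usage(db):
    """ZLIVEUSAGE rows whose ZHASPROCESS points at no ZPROCESS row. Normal
    housekeeping keeps the tables consistent, so orphans indicate ZPROCESS
    entries were removed after the fact."""
    rows = db.execute("""
        SELECT L.Z_PK, L.ZHASPROCESS, L.ZTIMESTAMP
        FROM ZLIVEUSAGE L LEFT JOIN ZPROCESS P ON L.ZHASPROCESS = P.Z_PK
        WHERE P.Z_PK IS NULL""").fetchall()
    return [{"usage_pk": r[0], "missing_process_pk": r[1],
             "timestamp": coredata_to_utc(r[2]).isoformat()} for r in rows]


def flag_suspicious(db):
    return sorted({p["proc"] for p in list_processes(db)
                   if p["proc"] in SUSPICIOUS_PROCNAMES})


if __name__ == "__main__":
    db = build_sample_db()
    for p in list_processes(db):
        print(p)
    print("suspicious:", flag_suspicious(db))
    print("orphans:", find_orphaned_usage(db))
```

On a real extraction the same two queries run against a copy of DataUsage.sqlite (present in an iTunes backup) and netusage.sqlite (filesystem only); an orphaned ZLIVEUSAGE row still carries its byte counts and timestamp, which is exactly the leftover the report says survives the cleanup.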
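
Worked example for Jul 2021 annotations 13 to 15 and 33 to 36 above (iMessage account lookups recorded in com.apple.identityservices.idstatuscache.plist, the two-byte 0x00 padding, and suspicious processes starting minutes after a lookup) and for 40 to 41 (the same account recurring across targeted devices). Added example code, not from the report. The plist layout used here (a "cache" dict keyed by service, then by a "mailto:" account, with a Core Data "LookupDate" number), the ten-minute window, the known-account list and the execution records are all constructed assumptions; the real file's layout may differ.

```python
"""Correlate account lookups from an idstatuscache-style plist with later
process executions. Example code written for this annotation list; not from
the Amnesty report. The plist layout, LookupDate encoding, time window and
sample data are constructed assumptions."""

import plistlib
from datetime import datetime, timedelta, timezone

# LookupDate is treated as seconds since the Core Data epoch (assumption).
COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
T0 = datetime(2021, 6, 11, 9, 30, tzinfo=timezone.utc)   # constructed reference time


def _to_coredata(dt):
    return (dt - COREDATA_EPOCH).total_seconds()


def build_sample_plist():
    """Constructed idstatuscache-style plist, serialised as a binary plist
    so the NUL padding survives. Accounts are the ones quoted above with the
    defanging removed, plus a padded 2019-style entry."""
    data = {"cache": {
        "com.apple.madrid": {
            "mailto:friend@example.com":
                {"LookupDate": _to_coredata(T0 - timedelta(days=3)), "IDStatus": 1},
            "mailto:linakeller2203@gmail.com":
                {"LookupDate": _to_coredata(T0), "IDStatus": 1},
            "mailto:padded@example.com\x00\x00":
                {"LookupDate": _to_coredata(T0 - timedelta(days=700)), "IDStatus": 1},
        },
        "com.apple.private.alloy.photostream": {
            "mailto:bogaardlisa803@gmail.com":
                {"LookupDate": _to_coredata(T0 + timedelta(hours=2)), "IDStatus": 1},
        },
    }}
    return plistlib.dumps(data, fmt=plistlib.FMT_BINARY)


def lookups_from_plist(blob):
    """Flatten the cache into lookup records sorted by time. The 0x00
    padding and the mailto: prefix are stripped for comparison, but the
    padding is recorded because the report singles it out."""
    plist = plistlib.loads(blob)
    out = []
    for service, entries in plist.get("cache", {}).items():
        for raw, meta in entries.items():
            account = raw.rstrip("\x00")
            if account.startswith("mailto:"):
                account = account[len("mailto:"):]
            out.append({
                "service": service,
                "account": account,
                "time": COREDATA_EPOCH + timedelta(seconds=meta["LookupDate"]),
                "padded": raw.endswith("\x00"),
            })
    return sorted(out, key=lambda e: e["time"])


def sample_suspicious_executions():
    """Constructed (time, process) pairs already judged suspicious, e.g.
    DataUsage process records with known Apple daemons filtered out."""
    return [(T0 + timedelta(minutes=4), "msgacntd"),
            (T0 + timedelta(hours=6), "roleaboutd")]


def correlate(lookups, suspicious_executions, known_accounts=frozenset(),
              window=timedelta(minutes=10)):
    """Flag a lookup when a suspicious process starts within `window` after
    it, when the account was already seen on another targeted device, or
    when the recorded address carries NUL padding."""
    hits = []
    for lk in lookups:
        followed = [p for t, p in suspicious_executions
                    if lk["time"] <= t <= lk["time"] + window]
        reasons = []
        if followed:
            reasons.append("followed by " + ", ".join(followed))
        if lk["account"] in known_accounts:
            reasons.append("account seen on another targeted device")
        if lk["padded"]:
            reasons.append("0x00 padding in recorded address")
        if reasons:
            hits.append({**lk, "reasons": reasons})
    return hits


if __name__ == "__main__":
    lookups = lookups_from_plist(build_sample_plist())
    for h in correlate(lookups, sample_suspicious_executions(),
                       known_accounts={"bogaardlisa803@gmail.com"}):
        print(h["time"].isoformat(), h["service"], h["account"], h["reasons"])
```

The plist comes out of a normal iTunes backup, so this correlation needs no jailbreak; the process side of it is the only part that depends on the DataUsage records.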
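
Worked example for Jul 2021 annotations 16 to 18, 55 to 58 and 68 to 69 above (the installation-domain fingerprint described as a 4th-level subdomain, a non-standard high port and a random URI, and the redirect from a benign site through staging domains that network injection leaves in browser history). Added example code, not Amnesty's fingerprint or tooling. The report names only those features; the thresholds, the port and path in the sample URL, the history rows and the timing gap are constructed.

```python
"""Heuristic scoring of browser-history rows for installation-style URLs and
network-injection redirect chains. Example code written for this annotation
list; not the Amnesty fingerprint. Thresholds, sample rows, port and path
values are constructed assumptions."""

import math
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Domains quoted in the annotations, with the defanging brackets removed.
KNOWN_INSTALL_DOMAINS = {"free247downloads.com", "urlpush.net",
                         "opposedarrangements.net"}
KNOWN_STAGING_DOMAINS = {"documentpro.org", "baramije.net",
                         "tahmilmilafate.com", "tahmilmilafate.info"}
STANDARD_PORTS = {None, 80, 443}


def _entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_domain(host):
    """Last two labels; a simplification that ignores public-suffix rules."""
    return ".".join(host.split(".")[-2:])


def score_url(url):
    """Return (score, reasons) for one URL; score is the number of features hit."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    reasons = []
    if len(host.split(".")) >= 4:
        reasons.append("4th-level subdomain")
    try:
        port = u.port
    except ValueError:
        port = None
    if port not in STANDARD_PORTS and port > 1024:
        reasons.append("non-standard high port")
    path = u.path.strip("/")
    if (len(path) >= 8 and _entropy(path) >= 3.5
            and any(ch.isdigit() for ch in path)
            and any(ch.isalpha() for ch in path)):
        reasons.append("random-looking URI")
    reg = registrable_domain(host)
    if reg in KNOWN_INSTALL_DOMAINS:
        reasons.append("known installation domain")
    elif reg in KNOWN_STAGING_DOMAINS:
        reasons.append("known staging domain")
    return len(reasons), reasons


def sample_history():
    """Constructed (time, url) rows in visit order, modelled on the yahoo.fr
    chain quoted above. Port 44158 and the random path are made up."""
    t = datetime(2019, 7, 23, 12, 0)
    return [
        (t, "http://yahoo.fr/"),
        (t + timedelta(seconds=2), "https://documentpro.org/"),
        (t + timedelta(seconds=4),
         "https://abc123xyz.d4t9kq2p.free247downloads.com:44158/j9d1s8aqz3fk2"),
        (t + timedelta(minutes=30), "https://www.leparisien.fr/"),
    ]


def find_injection_chains(history, max_gap=timedelta(seconds=10)):
    """A benign visit followed within max_gap by one or more scoring URLs is
    what a forced redirect looks like when Safari kept only the endpoints
    rather than the full chain."""
    chains = []
    for i, (t, url) in enumerate(history):
        if score_url(url)[0]:
            continue
        chain = [url]
        for t2, url2 in history[i + 1:]:
            if t2 - t > max_gap:
                break
            if score_url(url2)[0]:
                chain.append(url2)
        if len(chain) > 1:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in find_injection_chains(sample_history()):
        for url in chain:
            print(score_url(url), url)
```

The known-domain sets do the attribution; the structural features are there to catch a fresh domain that has not been published yet, which is why a hit on structure alone deserves a look at the Session Resource logs and Favicon.db as well, since the history row may be the only one left.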

  3. Nov 2019
    1. Highlights can be created by clicking the button. Try it on this sentence.

      Here it's like that