- Jul 2021
-
www.amnesty.org
-
most Pegasus process names seem to be simply disguised to appear as legitimate iOS system processes, perhaps to fool forensic investigators inspecting logs.
Masquerade as Legitimate Application https://attack.mitre.org/techniques/T1444/
-
Pegasus has deleted the names of malicious processes from the ZPROCESS table in DataUsage database but not the corresponding entries from the ZLIVEUSAGE table.
Delete Device Data https://attack.mitre.org/techniques/T1447/
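Added example, not code from the Amnesty report or from MVT: the check a forensic analyst runs against DataUsage.sqlite to surface ZLIVEUSAGE records whose parent ZPROCESS row is gone. The two tables are a reduced model of the real schema (only the columns the join needs), the rows are constructed, and the orphaned ZHASPROCESS value 7 is invented to stand in for a purged process name.

```python
"""
Find ZLIVEUSAGE rows in an iOS DataUsage-style database whose ZPROCESS entry
has been deleted. Schema below is a reduced, assumed subset of the real tables.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data stores timestamps as seconds since 2001-01-01 00:00:00 UTC.
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def core_data_ts(seconds):
    """Convert a Core Data timestamp to a human-readable UTC string."""
    return (CORE_DATA_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")


def build_sample_db():
    """Constructed sample: two legitimate processes and one usage row whose
    process entry was removed (ZHASPROCESS=7 has no matching ZPROCESS.Z_PK)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPROCESS (
            Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP REAL, ZTIMESTAMP REAL,
            ZBUNDLENAME TEXT, ZPROCNAME TEXT);
        CREATE TABLE ZLIVEUSAGE (
            Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZTIMESTAMP REAL,
            ZWIFIIN REAL, ZWIFIOUT REAL, ZWWANIN REAL, ZWWANOUT REAL);
    """)
    conn.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?,?)", [
        (1, 600000000.0, 600003600.0, "com.apple.mobilesafari", "MobileSafari"),
        (2, 600000100.0, 600003700.0, None, "apsd"),
    ])
    conn.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?,?,?)", [
        (10, 1, 600003600.0, 1024.0, 512.0, 0.0, 0.0),
        (11, 2, 600003700.0, 100.0, 50.0, 0.0, 0.0),
        # Usage left behind after its process name was deleted: this is the artifact.
        (12, 7, 600003800.0, 0.0, 0.0, 204800.0, 51200.0),
    ])
    conn.commit()
    return conn


def find_orphaned_usage(conn):
    """LEFT JOIN usage to process and keep rows where no process matched."""
    rows = conn.execute("""
        SELECT L.Z_PK, L.ZHASPROCESS, L.ZTIMESTAMP,
               L.ZWIFIIN, L.ZWIFIOUT, L.ZWWANIN, L.ZWWANOUT
        FROM ZLIVEUSAGE L
        LEFT JOIN ZPROCESS P ON L.ZHASPROCESS = P.Z_PK
        WHERE P.Z_PK IS NULL
        ORDER BY L.ZTIMESTAMP
    """).fetchall()
    return [
        {"usage_pk": r[0], "missing_process_pk": r[1], "timestamp": core_data_ts(r[2]),
         "wifi_in": r[3], "wifi_out": r[4], "wwan_in": r[5], "wwan_out": r[6]}
        for r in rows
    ]


if __name__ == "__main__":
    for hit in find_orphaned_usage(build_sample_db()):
        print(hit)
```

On a real device extraction the same query is run against `DataUsage.sqlite`; the cellular byte counts on an orphaned row (ZWWANIN/ZWWANOUT here) are what make it worth pivoting on, since a deleted process name with non-trivial traffic is exactly what the report describes.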
-
The same CloudFront website was contacted by com.apple.coretelephony and the additional processes executed, downloaded and launched additional malicious components
Drive-by Compromise https://attack.mitre.org/techniques/T1456/
-
Amnesty International believes this to be the payload launched as gatekeeperd
Masquerade as Legitimate Application https://attack.mitre.org/techniques/T1444/
-
crash reporting was disabled by writing a com.apple.CrashReporter.plist file to the device
Install Insecure or Malicious Configuration https://attack.mitre.org/techniques/T1478/
-
A process named pcsd and one named fmld appeared in 2018
Code Injection https://attack.mitre.org/techniques/T1540/
-
Amnesty International believes the roleaboutd and msgacntd processes are a later stage of the Pegasus spyware which was loaded after a successful exploitation and privilege escalation with the BridgeHead payload.
Code Injection https://attack.mitre.org/techniques/T1540/
-
com.apple.softwareupdateservicesd.plist file was modified
Install Insecure or Malicious Configuration https://attack.mitre.org/techniques/T1478/
-
The domain baramije[.]net was registered one day before urlpush[.]net, and a decoy website was set up using the open source Textpattern CMS
Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/
Pegasus-ToDo
Secops101
-
his phone was redirected to an exploitation page at gnyjv1xltx.info8fvhgl3.urlpush[.]net passing through the domain baramije[.]net.
Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/
-
visited the website of French newspaper Le Parisien, and a network injection redirected him through the staging domain tahmilmilafate[.]com and then eventually to free247downloads[.]com as well. We also saw tahmilmilafate[.]info used in the same way
Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/
-
http://yahoo.fr, and a network injection forcefully redirected the browser to documentpro[.]org before further redirecting to free247downloads[.]com and proceeding with the exploitation.
Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/
-
well as potentially intentionally purged by malware
Delete Device Data https://attack.mitre.org/techniques/T1447/
-
network injection attacks performed either through tactical devices, such as rogue cell towers, or through dedicated equipment placed at the mobile operator
Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/
-
4th level subdomain, a non-standard high port number, and a random URI similar to links contained in SMS messages previously documented
Domain Generation Algorithms https://attack.mitre.org/techniques/T1520/
-
suspicious redirects recorded in Safari’s browsing history
Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/
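Added example, not code from the Amnesty report or from MVT, covering the last three entries together: rebuild redirect chains from a Safari History.db-style database and flag hops that match the URL pattern the report describes (a deep subdomain, a non-standard high port and a random-looking URI). The two tables are a reduced, assumed model of Safari's history_items/history_visits; the redirect chain is constructed to mirror the yahoo.fr to documentpro[.]org to free247downloads[.]com sequence above, with the subdomains, port 4443 and path token invented.

```python
"""
Reconstruct Safari redirect chains and score each hop against a network-injection
URL heuristic. Schema is a reduced, assumed subset of Safari's History.db.
"""
import re
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def core_data_ts(seconds):
    return (CORE_DATA_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")


def injection_indicators(url, min_labels=4):
    """Heuristic only. Returns the names of the indicators a URL matches:
    a host with >= min_labels DNS labels, a port other than 80/443, and a
    single path token of mixed letters and digits with no structure."""
    p = urlsplit(url)
    labels = (p.hostname or "").split(".")
    path = p.path.strip("/")
    hits = []
    if len(labels) >= min_labels:
        hits.append("deep_subdomain")
    if p.port not in (None, 80, 443):
        hits.append("non_standard_port")
    if re.fullmatch(r"[A-Za-z0-9]{6,}", path) and any(c.isdigit() for c in path) and any(c.isalpha() for c in path):
        hits.append("random_path")
    return hits


def build_sample_history():
    """Constructed history: one injected chain plus one ordinary visit."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
            visit_time REAL, redirect_source INTEGER, redirect_destination INTEGER);
    """)
    conn.executemany("INSERT INTO history_items VALUES (?,?)", [
        (1, "http://yahoo.fr/"),
        (2, "http://documentpro.org/"),
        (3, "https://a1b2c3d4.ztr5k2.free247downloads.com:4443/Kj8Xn2pQ"),  # invented
        (4, "https://www.leparisien.fr/"),
    ])
    # redirect_source / redirect_destination point at other visit ids.
    conn.executemany("INSERT INTO history_visits VALUES (?,?,?,?,?)", [
        (100, 1, 630000000.0, None, 101),
        (101, 2, 630000000.5, 100, 102),
        (102, 3, 630000001.0, 101, None),
        (103, 4, 630001000.0, None, None),  # plain visit, no redirect
    ])
    conn.commit()
    return conn


def redirect_chains(conn):
    """Start at every visit that is not itself a redirect target and walk
    redirect_destination forward, guarding against loops."""
    visits = {}
    for vid, url, vt, dest in conn.execute("""
        SELECT v.id, i.url, v.visit_time, v.redirect_destination
        FROM history_visits v JOIN history_items i ON v.history_item = i.id"""):
        visits[vid] = (url, vt, dest)
    starts = [vid for (vid,) in conn.execute(
        "SELECT id FROM history_visits WHERE redirect_source IS NULL ORDER BY visit_time")]
    chains = []
    for vid in starts:
        chain, seen = [], set()
        while vid is not None and vid not in seen:
            seen.add(vid)
            url, vt, dest = visits[vid]
            chain.append((core_data_ts(vt), url))
            vid = dest
        chains.append(chain)
    return chains


def suspicious_chains(conn, min_indicators=2):
    """Multi-hop chains in which some hop matches at least min_indicators."""
    return [c for c in redirect_chains(conn)
            if len(c) > 1 and any(len(injection_indicators(u)) >= min_indicators for _, u in c)]


if __name__ == "__main__":
    for chain in suspicious_chains(build_sample_history()):
        for ts, url in chain:
            print(ts, url, injection_indicators(url))
```

The heuristic is deliberately a score rather than a domain list: the staging and exploitation domains rotate, but a benign site does not normally bounce the browser to a fourth-level subdomain on an unusual port with a meaningless path, so a chain of three or more hops containing such a URL is worth a manual look even when none of the domains is already known.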
-