- May 2023
- Jul 2021
-
www.amnesty.org
-
most Pegasus process names seem to be simply disguised to appear as legitimate iOS system processes, perhaps to fool forensic investigators inspecting logs.
Masquerade as Legitimate Application https://attack.mitre.org/techniques/T1444/
-
Pegasus has deleted the names of malicious processes from the ZPROCESS table in DataUsage database but not the corresponding entries from the ZLIVEUSAGE table.
Delete Device Data https://attack.mitre.org/techniques/T1447/
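A check for this artifact, added here as an example (not Amnesty's or MVT's own tooling): it builds a constructed DataUsage-style SQLite database and lists ZLIVEUSAGE rows whose ZHASPROCESS reference no longer resolves to a ZPROCESS row. The column subset and the Cocoa-epoch timestamps are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample: a minimal subset of the DataUsage.sqlite layout
# (ZPROCESS / ZLIVEUSAGE, linked by ZLIVEUSAGE.ZHASPROCESS = ZPROCESS.Z_PK).
# Only the columns this check needs are modelled; the layout is an assumption.
SCHEMA = """
CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP REAL,
                       ZTIMESTAMP REAL, ZBUNDLENAME TEXT, ZPROCNAME TEXT);
CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
                         ZTIMESTAMP REAL, ZWIFIIN INTEGER, ZWIFIOUT INTEGER,
                         ZWWANIN INTEGER, ZWWANOUT INTEGER);
"""

SAMPLE_ROWS = """
INSERT INTO ZPROCESS VALUES (1, 600000000, 600003600, 'com.apple.mobilesafari', 'MobileSafari');
INSERT INTO ZPROCESS VALUES (2, 600000000, 600003600, 'com.apple.madrid', 'imagent');
INSERT INTO ZLIVEUSAGE VALUES (10, 1, 600001000, 2048, 512, 0, 0);
INSERT INTO ZLIVEUSAGE VALUES (11, 2, 600001100, 4096, 1024, 0, 0);
-- Orphaned rows: the process record was deleted but the usage counters remain.
INSERT INTO ZLIVEUSAGE VALUES (12, 7, 600002000, 0, 0, 120000, 65000);
INSERT INTO ZLIVEUSAGE VALUES (13, 7, 600002300, 0, 0, 98000, 41000);
"""

# Usage rows whose process reference has no matching ZPROCESS row.
ORPHAN_QUERY = """
SELECT ZLIVEUSAGE.Z_PK, ZLIVEUSAGE.ZHASPROCESS, ZLIVEUSAGE.ZTIMESTAMP,
       ZLIVEUSAGE.ZWIFIIN + ZLIVEUSAGE.ZWIFIOUT + ZLIVEUSAGE.ZWWANIN + ZLIVEUSAGE.ZWWANOUT
FROM ZLIVEUSAGE
LEFT JOIN ZPROCESS ON ZLIVEUSAGE.ZHASPROCESS = ZPROCESS.Z_PK
WHERE ZPROCESS.Z_PK IS NULL
ORDER BY ZLIVEUSAGE.ZTIMESTAMP;
"""

# Timestamps are assumed to be seconds since the Cocoa epoch (2001-01-01 UTC).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn

def find_orphaned_usage(conn):
    """Return ZLIVEUSAGE rows whose ZHASPROCESS points at no ZPROCESS row."""
    return [
        {"usage_pk": pk, "process_ref": ref, "bytes": total,
         "time": (COCOA_EPOCH + timedelta(seconds=ts)).isoformat()}
        for pk, ref, ts, total in conn.execute(ORPHAN_QUERY)
    ]

if __name__ == "__main__":
    for hit in find_orphaned_usage(build_sample_db()):
        print(hit)
```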
-
Initially, many iMessage (com.apple.madrid) push notifications were received, and attachment chunks were written to disk
-
multiple successful zero-click infections in May and June 2021. We can see one example of this on 17 May 2021. An unfamiliar iMessage account is recorded and in the following minutes at least 20 iMessage attachment chunks are created on disk.
adding an email address to the contact list triggers the user-discovery routine, which may serve as a trigger for the infection.
-
While we have not been able to extract records from Cache.db databases due to the inability to jailbreak these two devices, additional diagnostic data extracted from these iPhones show numerous iMessage push notifications immediately preceding the execution of Pegasus processes
malware pushed using a legitimate app's push message; the first attack of its kind.
-
The same CloudFront website was contacted by com.apple.coretelephony and the additional processes executed, downloaded and launched additional malicious components
Drive-by Compromise https://attack.mitre.org/techniques/T1456/
-
Amnesty International believes this to be the payload launched as gatekeeperd
Masquerade as Legitimate Application https://attack.mitre.org/techniques/T1444/
-
HTTP request performed by the com.apple.coretelephony process. This is a component of iOS involved in all telephony-related tasks and likely among those exploited in this attack
-
Pegasus is currently being delivered through zero-click exploits which remain functional through the latest available version of iOS at the time of writing (July 2021).
-
if Apple Music was itself exploited to deliver the initial infection or if instead, the app was abused as part of a sandbox escape and privilege escalation chain
-
In many cases the same iMessage account reoccurs across multiple targeted devices, potentially indicating that those devices have been targeted by the same operator
-
In many cases we discovered suspected Pegasus processes executed on devices immediately following suspicious iMessage account lookups
-
iOS keeps a record of Apple IDs seen by each installed application in a plist file located at /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist. This file is also typically available in a regular iTunes backup, so it can be easily extracted without the need of a jailbreak.
-
However, while it is only effective on domestic networks, the targeting of foreign targets or of individuals in diaspora communities also changed
possibly the malware synced in through rogue iCloud accounts which were surreptitiously added to the target device, or through a trigger based on iMessage sync for a canary email address.
-
Network injection is an effective and cost-efficient attack vector for domestic use especially in countries with leverage over mobile operators
leverage with mobile operators can be used for redirection attacks: if the mobile number matches the target's, then when the user requests this URL, redirect them to that URL.
-
The discovery of network injection attacks in Morocco signalled that the attackers’ tactics were indeed changing
-
iCloud accounts seem to be central to the delivery of multiple “zero-click” attack vectors in many recent cases of compromised devices analysed by Amnesty International
-
apps themselves may have been exploited or their functionality misused to deliver a more traditional JavaScript or browser exploit to the device
-
iOS Photos app or the Photostream service were used as part of an exploit chain to deploy Pegasus.
-
crash reporting was disabled by writing a com.apple.CrashReporter.plist file to the device
Install Insecure or Malicious Configuration https://attack.mitre.org/techniques/T1478/
-
A process named pcsd and one named fmld appeared in 2018
Code Injection https://attack.mitre.org/techniques/T1540/
-
Amnesty International believes the roleaboutd and msgacntd processes are a later stage of the Pegasus spyware which was loaded after a successful exploitation and privilege escalation with the BridgeHead payload.
Code Injection https://attack.mitre.org/techniques/T1540/
-
com.apple.softwareupdateservicesd.plist file was modified
Install Insecure or Malicious Configuration https://attack.mitre.org/techniques/T1478/
-
vulnerability in the iOS JavaScriptCore Binary (jsc) to achieve code execution on the device.
-
The domain baramije[.]net was registered one day before urlpush[.]net, and a decoy website was set up using the open source Textpattern CMS
Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/
-
his phone was redirected to an exploitation page at gnyjv1xltx.info8fvhgl3.urlpush[.]net passing through the domain baramije[.]net.
Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/
-
visited the website of French newspaper Le Parisien, and a network injection redirected him through the staging domain tahmilmilafate[.]com and then eventually to free247downloads[.]com as well. We also saw tahmilmilafate[.]info used in the same way
Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/
-
http://yahoo.fr, and a network injection forcefully redirected the browser to documentpro[.]org before further redirecting to free247downloads[.]com and proceeding with the exploitation.
Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/
-
additional staging domains are used as trampolines eventually leading to the infection servers
-
When previewing a link shared in his timeline, the service com.apple.SafariViewService was invoked to load a Safari WebView,
[Closest match on the db] Drive-by Compromise https://attack.mitre.org/techniques/T1456/
-
well as potentially intentionally purged by malware
Delete Device Data https://attack.mitre.org/techniques/T1447/
-
network injection attacks performed either through tactical devices, such as rogue cell towers, or through dedicated equipment placed at the mobile operator
Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/
-
4th level subdomain, a non-standard high port number, and a random URI similar to links contained in SMS messages previously documented
Domain Generation Algorithms https://attack.mitre.org/techniques/T1520/
-
suspicious redirects recorded in Safari’s browsing history
Network Traffic Capture or Redirection https://attack.mitre.org/techniques/T1410/
-
SMS messages with Pegasus exploit
MITRE Mobile ATT&CK Void
-
These also include so-called “zero-click” attacks which do not require any interaction from the target.
MITRE Mobile ATT&CK Void
-