Introduction
NSO Group claims that its Pegasus spy ware is just used to “investigate terrorism and crime” and “leaves no traces whatsoever”. This Forensic Methodology Report reveals that neither of those statements are true. This report accompanies the discharge of the Pegasus Project, a collaborative investigation that entails greater than 80 journalists from 17 media organizations in 10 nations coordinated by Forbidden Stories with technical assist of Amnesty International’s Security Lab.[1]
Amnesty International’s Security Lab has carried out in-depth forensic evaluation of quite a few cell gadgets from human rights defenders (HRDs) and journalists world wide. This analysis has uncovered widespread, persistent and ongoing illegal surveillance and human rights abuses perpetrated utilizing NSO Group’s Pegasus spy ware.
As specified by the UN Guiding Principles on Business and Human Rights, NSO Group ought to urgently take pro-active steps to be sure that it doesn’t trigger or contribute to human rights abuses inside its international operations, and to reply to any human rights abuses once they do happen. In order to meet that duty, NSO Group should perform enough human rights due diligence and take steps to be sure that HRDs and journalists don’t proceed to turn out to be targets of illegal surveillance.
In this Forensic Methodology Report, Amnesty International is sharing its methodology and publishing an open-source cell forensics instrument and detailed technical indicators, so as to help info safety researchers and civil society with detecting and responding to these critical threats.
This report paperwork the forensic traces left on iOS and Android gadgets following focusing on with the Pegasus spy ware. This contains forensic information linking latest Pegasus infections again to the 2016 Pegasus payload used to goal the HRD Ahmed Mansoor.
The Pegasus assaults detailed on this report and accompanying appendices are from 2014 up to as lately as July 2021. These additionally embody so-called “zero-click” assaults which don’t require any interplay from the goal. Zero-click assaults have been noticed since May 2018 and proceed till now. Most lately, a profitable “zero-click” assault has been noticed exploiting a number of zero-days to assault a totally patched iPhone 12 working iOS 14.6 in July 2021.
Sections 1 to 8 of this report define the forensic traces left on cell gadgets following a Pegasus an infection. This proof has been collected from the telephones of HRDs and journalists in a number of nations.
Finally, in part 9 the report paperwork the evolution of the Pegasus community infrastructure since 2016. NSO Group has redesigned their assault infrastructure by using a number of layers of domains and servers. Repeated operational safety errors have allowed the Amnesty International Security Lab to keep continued visibility into this infrastructure. We are publishing a set of 700 Pegasus-related domains.
Names of a number of of the civil society targets within the report have been anonymized for security and safety causes. Individuals who’ve been anonymized have been assigned an alphanumeric code title on this report.
1. Discovering Pegasus community injection assaults
Amnesty International’s technical investigation into NSO Group’s Pegasus intensified following our discovery of the targeting of an Amnesty International staffer and a Saudi activist, Yahya Assiri, in 2018. Amnesty International’s Security Lab started refining its forensics methodology by the invention of attacks against HRDs in Morocco in 2019, which have been additional corroborated by attacks we discovered against a Moroccan journalist in 2020. In this primary part we element the method which led to the invention of those compromises.
Numerous public studies had recognized NSO Group’s clients utilizing SMS messages with Pegasus exploit domains through the years. As a end result, comparable messages emerged from our evaluation of the cellphone of Moroccan activist Maati Monjib, who was one of many activists focused as documented in Amnesty International’s 2019 report.
However, on additional evaluation we additionally observed suspicious redirects recorded in Safari’s looking historical past. For instance, in a single case we observed a redirect to an odd-looking URL after Maati Monjib tried to go to Yahoo:
|
Visit ID |
Date (UTC) |
URL |
Redirect Source |
Redirect Destination |
|
16119 |
2019-07-22 17:42:32.475 |
http://yahoo.fr/ |
null |
16120 |
|
16120 |
2019-07-22 17:42:32.478 |
https://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz |
16119 |
null |
(Please be aware: all through this doc we escaped malicious domains with the marking [.] to stop unintended clicks and visits.)
The URL https://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz instantly appeared suspicious, significantly due to the presence of a 4th stage subdomain, a non-standard excessive port quantity, and a random URI comparable to hyperlinks contained in SMS messages beforehand documented in connection to NSO Group’s Pegasus. As you may see within the desk above, the go to to Yahoo was instantly redirected to this suspicious URL with database ID 16120.
In our October 2019 report, we element how we decided these redirections to be the results of community injection assaults carried out both by tactical gadgets, akin to rogue cell towers, or by devoted gear positioned on the cell operator. When months later we analysed the iPhone of Moroccan impartial journalist Omar Radi, who as documented in our 2020 report was focused, we discovered comparable information involving the free247downloads[.]com area as nicely.
In November 2019, after Amnesty International’s preliminary report, a brand new area urlpush[.]web was registered. We discovered it subsequently concerned in comparable redirects to the URL https://gnyjv1xltx.info8fvhgl3.urlpush[.]web:30875/zrnv5revj.
Although Safari historical past information are sometimes brief lived and are misplaced after just a few months (in addition to doubtlessly deliberately purged by malware), we’ve got been in a position to nonetheless discover NSO Group’s an infection domains in different databases of Omar Radi’s cellphone that didn’t seem in Safari’s History. For instance, we might establish visits by Safari’s Favicon.db database, which was left intact by Pegasus:
|
Date (UTC) |
URL |
Icon URL |
|
2019-02-11 14:45:53 |
https://d9z3sz93x5ueidq3.get1tn0w.free247downloads[.]com:30897/rdEN5YP |
https://d9z3sz93x5ueidq3.get1tn0w.free247downloads[.]com:30897/favicon.ico |
|
2019-09-13 17:01:38 |
https://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/meunsnyse#011356570257117296834845704022338973133022433397236 |
https://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/favicon.ico |
|
2019-09-13 17:01:56 |
https://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/meunsnyse#068099561614626278519925358638789161572427833645389 |
https://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/favicon.ico |
|
2020-01-17 11:06:32 |
https://gnyjv1xltx.info8fvhgl3.urlpush[.]web:30875/zrnv5revj#074196419827987919274001548622738919835556748325946percent2324 |
https://gnyjv1xltx.info8fvhgl3.urlpush[.]web:30875/favicon.ico
|
|
2020-01-27 11:06:24 |
https://gnyjv1xltx.info8fvhgl3.urlpush[.]web:30875/zrnv5revj#074196419827987919274001548622738919835556748325946 |
https://gnyjv1xltx.info8fvhgl3.urlpush[.]web:30875/favicon.ico |
As defined within the Technical Appendix of our 2020 report on Pegasus attacks in Morocco, these redirects don’t solely occur when the goal is navigating the Internet with the browser app, but in addition when utilizing different apps. For instance, in a single case Amnesty International recognized a community injection whereas Omar Radi was utilizing the Twitter app. When previewing a hyperlink shared in his timeline, the service com.apple.SafariViewService was invoked to load a Safari WebView, and a redirect occurred.
Because of this, we will discover extra information involving the domains free247downloads[.]com and urlpush[.]web in app-specific WebPackage native storage, IndexedDB folders, and extra. In a number of instances IndexedDB information have been created by Safari shortly after the community injection redirect to the Pegasus Installation Server.
In addition, Safari’s Session Resource logs present extra traces that don’t constantly seem in Safari’s looking historical past. It seems Safari doesn’t document full redirect chains, and would possibly solely preserve historical past information displaying the ultimate web page that was loaded. Session Resource logs recovered from the analysed telephones exhibit that extra staging domains are used as trampolines ultimately main to the an infection servers. In truth, these logs reveal that the very first community injection towards Maati Monjib we describe in the beginning of this put up additionally concerned the area documentpro[.]org:
|
Redirect Source |
Origin |
Redirect Destination |
|
yahoo.fr |
documentpro[.]org |
free247downloads[.]com |
Maati Monjib visited http://yahoo.fr, and a community injection forcefully redirected the browser to documentpro[.]org earlier than additional redirecting to free247downloads[.]com and proceed with the exploitation.
Similarly, on a unique event Omar Radi visited the web site of French newspaper Le Parisien, and a community injection redirected him by the staging area tahmilmilafate[.]com after which ultimately to free247downloads[.]com as nicely. We additionally noticed tahmilmilafate[.]information utilized in the identical means:
|
Redirect Source |
Origin |
Redirect Destination |
|
leparisien.fr |
tahmilmilafate[.]com |
free247downloads[.]com |
In the latest makes an attempt Amnesty International noticed towards Omar Radi in January 2020, his cellphone was redirected to an exploitation web page at gnyjv1xltx.info8fvhgl3.urlpush[.]web passing by the area baramije[.]web. The area baramije[.]web was registered in the future earlier than urlpush[.]web, and a decoy web site was arrange utilizing the open supply Textpattern CMS.
Traces of community exercise weren’t the one out there indicators of compromise, and additional inspection of the iPhones revealed executed processes which ultimately led to the institution of a constant sample distinctive to all subsequent iPhones that Amnesty International analysed and located to be contaminated.
2. Pegasus’ BridgeHead and different malicious processes seem
Amnesty International, Citizen Lab, and others have primarily attributed Pegasus spy ware assaults primarily based on the domains and different community infrastructure used to ship the assaults. However, forensic proof left behind by the Pegasus spy ware supplies one other impartial means to attribute these assaults to NSO Group’s expertise.
iOS maintains information of course of executions and their respective community utilization in two SQLite database information known as “DataUtilization.sqlite” and “netusage.sqlite” that are saved on the system. It is value noting that whereas the previous is accessible in iTunes backup, the latter isn’t. Additionally, it ought to be famous that solely processes that carried out community exercise will seem in these databases.
Both Maati Monjib’s and Omar Radi’s community utilization databases contained information of a suspicious course of known as “bh”. This “bh” course of was noticed on a number of events instantly following visits to Pegasus Installation domains.
Maati Monjib’s cellphone has information of execution of “bh” from April 2018 till March 2019:
|
Fist date (UTC) |
Last date (UTC) |
Process Name |
WWAN IN |
WWAN OUT |
Process ID |
|
2018-04-29 00:25:12 |
2019-03-27 22:45:10 |
bh |
3319875.0 |
144443.0 |
59472 |
Amnesty International discovered comparable information on Omar Radi’s cellphone between February and September 2019:
|
Fist date (UTC) |
Last date (UTC) |
Process Name |
WWAN IN |
WWAN OUT |
Process ID |
|
2019-02-11 14:45:56 |
2019-09-13 17:02:11 |
bh |
3019409.0 |
147684.0 |
50465 |
The final recorded execution of “bh” occurred just a few seconds after a profitable community injection (as seen within the favicon information listed earlier at 2019-09-13 17:01:56).
Crucially, we discover references to “bh” within the Pegasus iOS pattern recovered from the 2016 assaults towards UAE human rights defender Ahmed Mansoor, discovered by Citizen Lab and analysed in depth by cybersecurity firm Lookout.
As described in Lookout’s evaluation, in 2016 NSO Group leveraged a vulnerability within the iOS JavaScriptCore Binary (jsc) to obtain code execution on the system. This similar vulnerability was additionally used to keep persistence on the system after reboot. We discover references to “bh” all through the exploit code:
|
var compressed_bh_addr = shellcode_addr_aligned + shellcode32.byteLength; replacePEMagics(shellcode32, dlsym_addr, compressed_bh_addr, bundle.bhCompressedByteLength); storeU32Array(shellcode32, shellcode_addr); storeU32Array(bundle.bhCompressed32, compressed_bh_addr); |
This module is described in Lookout’s evaluation as follows:
“bh.c – Loads API capabilities that relate to the decompression of subsequent stage payloads and their correct placement on the sufferer’s iPhone through the use of capabilities akin to BZ2_bzDecompress, chmod, and malloc”
Lookout additional explains {that a} configuration file positioned at /var/tmp/jb_cfg is dropped alongside the binary. Interestingly, we discover the trail to this file exported as _kBridgeHeadConfigurationFilePath within the libaudio.dylib file a part of the Pegasus bundle:
|
__const:0001AFCC EXPORT _kBridgeHeadConfigurationFilePath __const:0001AFCC _kBridgeHeadConfigurationFilePath DCD cfstr_VarTmpJb_cfg ; “/var/tmp/jb_cfg” |
Therefore, we suspect that “bh” would possibly stand for “BridgeHead”, which is probably going the inner title assigned by NSO Group to this part of their toolkit.
The look of the “bh” course of proper after the profitable community injection of Omar Radi’s cellphone is according to the evident function of the BridgeHead module. It completes the browser exploitation, roots the system and prepares for its an infection with the total Pegasus suite.
2.1 Additional suspicious processes following BridgeHead
The bh course of first appeared on Omar Radi’s cellphone on 11 February 2019. This occurred 10 seconds after an IndexedDB file was created by the Pegasus Installation Server and a favicon entry was recorded by Safari. At across the similar time the file com.apple.CrashReporter.plist file was written in /non-public/var/root/Library/Preferences/, doubtless to disable reporting of crash logs again to Apple. The exploit chain had obtained root permission at this stage.
Less than a minute later a “roleaboutd” course of first seems.
|
Date (UTC) |
Event |
|
|
2019-02-11 14:45:45 |
IndexedDB document for URL https_d9z3sz93x5ueidq3.get1tn0w.free247downloads.com_30897/ |
|
|
2019-02-11 14:45:53 |
Safari Favicon document for URL hxxps//d9z3sz93x5ueidq3.get1tn0w.free247downloads[.]com:30897/rdEN5YP |
|
|
2019-02-11 14:45:54 |
Crash reporter disabled by writing com.apple.CrashReporter.plist |
|
|
2019-02-11 14:45:56 |
Process: bh |
|
|
2019-02-11 14:46:23 |
Process: roleaboutd first |
|
|
2019-02-11 17:05:24 |
Process: roleaboutd final |
Omar Radi’s system was exploited once more on the 13 September 2019. Again a “bh” course of began shortly afterwards. Around this time the com.apple.softwareupdateservicesd.plist file was modified. A “msgacntd” course of was additionally launched.
|
Date (UTC) |
Event |
|
2019-09-13 17:01:38 |
Safari Favicon document for URL hxxps://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/meunsnyse |
|
2019-09-13 17:02:11 |
Process: bh |
|
2019-09-13 17:02:33 |
Process: msgacntd first |
|
2019-09-13 17:02:35 |
File modified: com.apple.softwareupdateservicesd.plist |
|
2019-09-14 20:51:54 |
Process: msgacntd final |
Based on the timing and context of exploitation, Amnesty International believes the roleaboutd and msgacntd processes are a later stage of the Pegasus spy ware which was loaded after a profitable exploitation and privilege escalation with the BridgeHead payload.
Similarly, the forensic evaluation of Maati Monjib’s cellphone revealed the execution of extra suspicious processes as well as to bh. A course of named pcsd and one named fmld appeared in 2018:
|
Fist date |
Last date |
Process Name |
WWAN IN |
WWAN OUT |
Process ID |
|
2018-05-04 23:30:45 |
2018-05-04 23:30:45 |
pcsd |
12305.0 |
10173.0 |
14946 |
|
2018-05-21 23:46:06 |
2018-06-4 13:05:43 |
fmld |
0.0 |
188326.0 |
21207 |
Amnesty International verified that no professional binaries of the identical names have been distributed in latest variations of iOS.
The discovery of those processes on Omar Radi’s and Maati Monjib’s telephones later turned instrumental for Amnesty International’s continued investigations, as we discovered processes with the identical names on gadgets of focused people from world wide.
3. Pegasus processes following potential Apple Photos exploitation
During Amnesty International’s investigations as a part of The Pegasus Project we found extra instances the place the above talked about “bh” course of was recorded on gadgets compromised by totally different assault vectors.
In one occasion, the cellphone of a French human rights lawyer (CODE: FRHRL1) was compromised and the “bh” course of was executed seconds after community site visitors for the iOS Photos app (com.apple.mobileslideshow) was recorded for the primary time. Again, after a profitable exploitation, crash reporting was disabled by writing a com.apple.CrashReporter.plist file to the system.
|
2019-10-29 09:04:32 |
Process: mobileslideshow/com.apple.mobileslideshow first |
|
2019-10-29 09:04:58 |
Process: bh |
|
2019-10-29 09:05:08 |
com.apple.CrashReporter.plist dropped |
|
2019-10-29 09:05:53 |
Process: mptbd |
The subsequent and final time community exercise for the iOS Photos app was recorded was on 18 December 2019, once more previous the execution of malicious processes on the system.
|
2019-12-18 08:13:33 |
Process: mobileslideshow/com.apple.mobileslideshow final |
|
2019-12-18 08:13:47 |
Process: bh |
|
2019-12-18 11:50:15 |
Process: ckeblld |
In a separate case, we recognized an identical sample with the “mobileslideshow” and “bh” processes on the iPhone of a French journalist (CODE: FRJRN1) in May 2020:
|
2020-05-24 15:44:21 |
Process: mobileslideshow/com.apple.mobileslideshow first |
|
2020-05-24 15:44:39 |
Process: bh |
|
2020-05-24 15:46:51 |
Process: fservernetd |
|
|
… |
|
2020-05-27 16:58:31 |
Process: mobileslideshow/com.apple.mobileslideshow final |
|
2020-05-27 16:58:52 |
Process: bh |
|
2020-05-27 18:00:50 |
Process: ckkeyrollfd |
Amnesty International was not in a position to seize payloads associated this exploitation however suspects that the iOS Photos app or the Photostream service have been used as a part of an exploit chain to deploy Pegasus. The apps themselves could have been exploited or their performance misused to ship a extra conventional JavaScript or browser exploit to the system.
As you may see from the tables above, extra course of names akin to mptbd, ckeblld, fservernetd, and ckkeyrollfd seem proper after bh. As with fmld and pcsd, Amnesty International believes these to be extra payloads downloaded and executed after a profitable compromise. As our investigations progressed, we recognized dozens of malicious course of names concerned in Pegasus infections.
Additionally, Amnesty International discovered the identical iCloud account bogaardlisa803[@]gmail.com recorded as linked to the “com.apple.non-public.alloy.photostream” service on each gadgets. Purposefully created iCloud accounts appear to be central to the supply of a number of “zero-click” assault vectors in lots of latest instances of compromised gadgets analysed by Amnesty International.
4. An iMessage zero-click 0day used extensively in 2019
While SMS messages carrying malicious hyperlinks have been the tactic of alternative for NSO Group’s clients between 2016 and 2018, in more moderen years they seem to have turn out to be more and more uncommon. The discovery of community injection assaults in Morocco signalled that the attackers’ techniques have been certainly altering. Network injection is an efficient and cost-efficient assault vector for home use particularly in nations with leverage over cell operators. However, whereas it is just efficient on home networks, the focusing on of international targets or of people in diaspora communities additionally modified.
From 2019 an growing quantity of vulnerabilities in iOS, particularly iMessage and FaceTime, began getting patched thanks to their discoveries by vulnerability researchers, or to cybersecurity distributors reporting exploits found in-the-wild.
In response, Amnesty International prolonged its forensic methodology to gather any related traces by iMessage and FaceTime. iOS retains a document of Apple IDs seen by every put in utility in a plist file positioned at /non-public/var/cell/Library/Preferences/com.apple.identityservices.idstatuscache.plist. This file can be sometimes out there in a daily iTunes backup, so it may be simply extracted with out the necessity of a jailbreak.
These information performed vital position in later investigations. In many instances we found suspected Pegasus processes executed on gadgets instantly following suspicious iMessage account lookups. For instance, the next information have been extracted from the cellphone of a French journalist (CODE FRJRN2):
|
2019-06-16 12:08:44 |
Lookup of [email protected] by com.apple.madrid (iMessage) |
|
2019-08-16 12:33:52 |
Lookup of bergers.o79@gmailx00x00om by com.apple.madrid (iMessage) |
|
2019-08-16 12:37:55 |
The file Library/Preferences/com.apple.CrashReporter.plist is created inside RootDomain |
|
2019-08-16 12:41:25 |
The file Library/Preferences/roleaccountd.plist is created inside RootDomain |
|
2019-08-16 12:41:36 |
Process: roleaccountd |
|
2019-08-16 12:41:52 |
Process: stagingd |
|
2019-08-16 12:49:21 |
Process: aggregatenotd |
Amnesty International’s forensic evaluation of a number of gadgets discovered comparable information. In many instances the identical iMessage account reoccurs throughout a number of focused gadgets, doubtlessly indicating that these gadgets have been focused by the identical operator. Additionally, the processes roleaccountd and stagingd happen constantly, together with others.
For instance, the iPhone of a Hungarian journalist (CODE HUJRN1) as a substitute confirmed the next information:
|
2019-09-24 13:26:15 |
Lookup of [email protected] by com.apple.madrid (iMessage) |
|
2019-09-24 13:26:51 |
Lookup of [email protected] by com.apple.madrid (iMessage) |
|
2019-09-24 13:32:10 |
Process: roleaccountd |
|
2019-09-24 13:32:13 |
Process: stagingd |
In this case, the primary suspicious processes performing some community exercise have been recorded 5 minutes after the primary lookup. The com.apple.CrashReporter.plist file was already current on this system after a earlier profitable an infection and was not written once more.
The iPhone of yet one more Hungarian journalist (CODE HUJRN2) present lookups for a similar iMessage accounts together with quite a few different processes together with roleaccountd and stagingd:
|
2019-07-15 12:01:37 |
Lookup of mailto:ex00x00[email protected] by com.apple.madrid (iMessage) |
|
2019-07-15 14:21:40 |
Process: accountpfd |
|
2019-08-29 10:57:43 |
Process: roleaccountd |
|
2019-08-29 10:57:44 |
Process: stagingd |
|
2019-08-29 10:58:35 |
Process: launchrexd |
|
2019-09-03 07:54:26 |
Process: roleaccountd |
|
2019-09-03 07:54:28 |
Process: stagingd |
|
2019-09-03 07:54:51 |
Process: seraccountd |
|
2019-09-05 13:26:38 |
Process: seraccountd |
|
2019-09-05 13:26:55 |
Process: misbrigd |
|
2019-09-10 06:09:04 |
Lookup of [email protected] by com.apple.madrid (iMessage) |
|
2019-09-10 06:09:47 |
Lookup of [email protected] by com.apple.madrid (iMessage) |
|
2019-10-30 14:09:51 |
Process: nehelprd |
It is fascinating to be aware that within the traces Amnesty International recovered from 2019, the iMessage lookups that instantly preceded the execution of suspicious processes usually contained two-bytes 0x00 padding within the e-mail tackle recorded by the ID Status Cache file.
5. Apple Music leveraged to ship Pegasus in 2020
In mid-2021 Amnesty International recognized yet one more case of a distinguished investigative journalist from Azerbaijan (CODE AZJRN1) who was repeatedly focused utilizing Pegasus zero-click assaults from 2019 till mid-2021.
Yet once more, we discovered an identical sample of forensic traces on the system following the primary recorded profitable exploitation:
|
2019-03-28 07:43:14 |
File: Library/Preferences/com.apple.CrashReporter.plist from RootDomain |
|
2019-03-28 07:44:03 |
File: Library/Preferences/roleaccountd.plist from RootDomain |
|
2019-03-28 07:44:14 |
Process: roleaccountd |
|
2019-03-28 07:44:14 |
Process: stagingd |
Interestingly we discovered indicators of a brand new iOS an infection method getting used to compromise this system. A profitable an infection occurred on tenth July 2020:
|
2020-07-06 05:22:21 |
Lookup of [email protected] by iMessage (com.apple.madrid) |
|
2020-07-10 14:12:09
|
Pegasus request by Apple Music app: https://x1znqjo0x8b8j.php78mp9v.opposedarrangement[.]web:37271/afAVt89Wq/stadium/pop2.html?key=501_4&n=7 |
|
2020-07-10 14:12:21 |
Process: roleaccountd |
|
2020-07-10 14:12:53 |
Process: stagingd |
|
2020-07-13 05:05:17 |
Pegasus request by Apple Music app: php78mp9v.opposedarrangement[.]web:37891/w58Xp5Z/stadium/pop2.html?key=501_4&n=7 |
Shortly earlier than Pegasus was launched on the system, we noticed community site visitors recorded for the Apple Music service. These HTTP requests have been recovered from a community cache file positioned at /non-public/var/cell/Containers/Data/Application/D6A69566-55F7-4757-96DE-EBA612685272/Library/Caches/com.apple.Music/Cache.db which we retrieved by jailbreaking the system.
Amnesty International can not decide from forensics if Apple Music was itself exploited to ship the preliminary an infection or if as a substitute, the app was abused as a part of a sandbox escape and privilege escalation chain. Recent research has proven that in-built apps such because the iTunes Store app could be abused to run a browser exploit whereas escaping the restrictive Safari utility sandbox.
Most importantly nevertheless, the HTTP request carried out by the Apple Music app factors to the area opposedarrangement[.]web, which we had beforehand recognized as belonging to NSO Group’s Pegasus community infrastructure. This area matched a particular fingerprint we devised whereas conducting Internet-wide scans following our discovery of the community injection assaults in Morocco (see part 9).
In addition, these URLs present peculiar traits typical of different URLs we discovered concerned in Pegasus assaults by the years, as defined within the subsequent part.
6. Megalodon: iMessage zero-click 0-days return in 2021
The evaluation Amnesty International performed of a number of gadgets reveal traces of assaults comparable to these we noticed in 2019. These assaults have been noticed as lately as July 2021. Amnesty International believes Pegasus is at present being delivered by zero-click exploits which stay useful by the most recent out there model of iOS on the time of writing (July 2021).
On the iPhone of a French human rights lawyer (CODE FRHRL2), we noticed a lookup of a suspicious iMessage account unknown to the sufferer, adopted by an HTTP request carried out by the com.apple.coretelephony course of. This is a part of iOS concerned in all telephony-related duties and certain amongst these exploited on this assault. We discovered traces of this HTTP request in a cache file saved on disk at /non-public/var/wi-fi/Library/Caches/com.apple.coretelephony/Cache.db containing metadata on the request and the response. The cellphone despatched info on the system together with the mannequin 9,1 (iPhone 7) and iOS construct quantity 18C66 (model 14.3) to a service fronted by Amazon CloudFront, suggesting NSO Group has switched to utilizing AWS companies in latest months. At the time of this assault, the newer iOS model 14.4 had solely been launched for a few weeks.
|
Date (UTC) |
Event |
|
2021-02-08 10:42:40 |
Lookup of [email protected] by iMessage (com.apple.madrid) |
|
2021-02-08 11:27:10 |
com.apple.coretelephony performs an HTTP request to https://d38j2563clgblt.cloudfront[.]web/fV2GsPXgW//stadium/megalodon?m=iPhone9,1&v=18C66 |
|
2021-02-08 11:27:21 |
Process: gatekeeperd |
|
2021-02-08 11:27:22 |
gatekeeperd performs an HTTP request to https://d38j2563clgblt.cloudfront.web/fV2GsPXgW//stadium/wizard/01-00000000 |
|
2021-02-08 11:27:23 |
Process: gatekeeperd |
The Cache.db file for com.apple.coretelephony incorporates particulars concerning the HTTP response which appeared to have been a obtain of ~250kb of binary information. Indeed, we discovered the downloaded binary within the fsCachedData sub-folder, however it was sadly encrypted. Amnesty International believes this to be the payload launched as gatekeeperd.
Amnesty International subsequently analysed the iPhone of a journalist (CODE MOJRN1), which contained very comparable information. This system was exploited repeatedly on quite a few instances between February and April 2021 and throughout iOS releases. The most up-to-date try confirmed the next indicators of compromise:
|
Date (UTC) |
Event |
|
2021-04-02 10:15:38 |
Lookup of [email protected] by iMessage (com.apple.madrid) |
|
2021-04-02 10:36:00 |
com.apple.coretelephony performs an HTTP request to https://d38j2563clgblt.cloudfront[.]web/dMx1hpK//stadium/megalodon?m=iPhone8,1&v=18D52&u=[REDACTED] |
|
2021-04-02 10:36:08 |
Process PDPDialogs performs an HTTP request to https://d38j2563clgblt.cloudfront[.]web/dMx1hpK//stadium/wizard/ttjuk |
|
2021-04-02 10:36:16 |
Process PDPDialogs performs an HTTP request to https://d38j2563clgblt.cloudfront[.]web/dMx1hpK//stadium/wizard/01-00000000 |
|
2021-04-02 10:36:16 |
com.apple.coretelephony performs an HTTP request to https://d38j2563clgblt.cloudfront[.]web/dMx1hpK//stadium/wizard/cszjcft=frzaslm |
|
2021-04-02 10:36:35 |
Process: gatekeeperd |
|
2021-04-02 10:36:45 |
Process: rolexd |
As is obvious, the identical iMessage account noticed within the earlier separate case was concerned on this exploitation and compromise months later. The similar CloudFront web site was contacted by com.apple.coretelephony and the extra processes executed, downloaded and launched extra malicious parts.
The preliminary check-in signifies the compromised iPhone 6s was working iOS 14.4 (construct quantity 18D52) on the time of the assault. Although variations 14.4.1 and 14.4.2 have been already out there then, they solely addressed vulnerabilities in WebPackage, so it’s secure to assume the vulnerability leveraged in these iMessage assaults was exploited as a 0-day.
It is value noting that among the many many different malicious course of names noticed executed on this cellphone we see msgacntd, which we additionally discovered working on Omar Radi’s cellphone in 2019, as documented earlier.
In addition, it ought to be famous that the URLs we’ve got noticed utilized in assaults all through the final three years present a constant set of patterns. This helps Amnesty International’s evaluation that each one three URLs are the truth is parts of Pegasus buyer assault infrastructure. The Apple Music assault from 2020 reveals the identical 4th stage area construction and non-standard excessive port quantity because the 2019 community injection assault. Both the free247downloads[.]com and opposedarrangements[.]web domains matched our Pegasus V4 area fingerprint.
Additionally, the Apple Music assault URL and the 2021 Megaladon assault URLs share a particular sample. Both URL paths begin with a random identifier tied to the assault try adopted by the phrase “stadium”.
|
Attack |
URL |
|
Network injection (2019) |
https://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/meunsnyse |
|
Apple Music assault (2020) |
https://4n3d9ca2st.php78mp9v.opposedarrangement[.]web:37891/w58Xp5Z/stadium/pop2.html?key=501_4&n=7 |
|
iMessage zero-click (2021) |
https://d38j2563clgblt.cloudfront[.]web/dMx1hpK//stadium/wizard/ttjuk |
Amnesty International reported this info to Amazon, who knowledgeable us they “acted rapidly to shut down the implicated infrastructure and accounts”.[2]
The iPhone 11 of a French human rights activist (CODE FRHRD1) additionally confirmed an iMessage look-up for the account linakeller2203[@]gmail.com on June eleventh 2021 and malicious processes afterwards. The cellphone was working iOS 14.4.2 and was upgraded to 14.6 the next day.
Most lately, Amnesty International has noticed proof of compromise of the iPhone XR of an Indian journalist (CODE INJRN1) working iOS 14.6 (newest out there on the time of writing) as lately as sixteenth June 2021. Lastly, Amnesty International has confirmed an lively an infection of the iPhone X of an activist (CODE RWHRD1) on June twenty fourth 2021, additionally working iOS 14.6. While we’ve got not been in a position to extract information from Cache.db databases due to the lack to jailbreak these two gadgets, extra diagnostic information extracted from these iPhones present quite a few iMessage push notifications instantly previous the execution of Pegasus processes.
The system of a Rwandan activist (CODE RWHRD1) reveals proof of a number of profitable zero-click infections in May and June 2021. We can see one instance of this on 17 May 2021. An unfamiliar iMessage account is recorded and within the following minutes at the least 20 iMessage attachment chunks are created on disk.
|
Date (UTC) |
Event |
|
2021-05-17 13:39:16 |
Lookup for iCloud account benjiburns8[@]gmail.com (iMessage) |
|
2021-05-17 13:40:12 |
File: /non-public/var/cell/Library/SMS/Attachments/dc/12/DEAE6789-0AC4-41A9-A91C-5A9086E406A5/.eBDOuIN1wq.gif-2hN9 |
|
2021-05-17 13:40:21 |
File: /non-public/var/cell/Library/SMS/Attachments/41/01/D146B32E-CA53-41C5-BF61-55E0FA6F5FF3/.TJi3fIbHYN.gif-bMJq |
|
… |
… |
|
2021-05-17 13:44:19 |
File: /non-public/var/cell/Library/SMS/Attachments/42/02/45F922B7-E819-4B88-B79A-0FEE289701EE/.v74ViRNkCG.gif-V678 |
Amnesty International discovered no proof that the 17 May assault was profitable. Later assaults on the 18 June and 23 June have been profitable and led to Pegasus payloads being deployed on the system.
Initially, many iMessage (com.apple.madrid) push notifications have been acquired, and attachment chunks have been written to disk. The following desk present a pattern of the 48 attachment information discovered on the filesystem.
|
Date (UTC) |
Event |
|
2021-06-23 20:45:00 |
8 push notifications for matter com.apple.madrid (iMessage) |
|
2021-06-23 20:46:00 |
46 push notifications for matter com.apple.madrid (iMessage) |
|
2021-06-23 20:46:19 |
File: /non-public/var/tmp/com.apple.messages/F803EEC3-AB3A-4DC2-A5F1-9E39D7A509BB/.cs/ChunkStoreDatabase |
|
2021-06-23 20:46:20 |
File: /non-public/var/cell/Library/SMS/Attachments/77/07/4DFA8939-EE64-4CB5-A111-B75733F603A2/.8HfhwBP5qJ.gif-u0zD |
|
… |
… |
|
2021-06-23 20:53:00 |
17 push notifications for matter com.apple.madrid (iMessage) |
|
2021-06-23 20:53:54 |
File: /non-public/var/tmp/com.apple.messages/50439EF9-750C-4449-B7FC-851F28BD3BD3/.cs/ChunkStoreDatabase |
|
2021-06-23 20:53:54 |
File: /non-public/var/cell/Library/SMS/Attachments/36/06/AA10C840-1776-4A51-A547-BE78A3754773/.7bb9OMWUa8.gif-UAPo |
|
2021-06-23 20:54:00 |
54 push notifications for matter com.apple.madrid (iMessage) |
A course of crash occurred at 20:48:56 which resulted within the ReportCrash course of beginning adopted by restarts of a number of processes associated to iMessage processing:
|
Date (UTC) |
Event |
|
2021-06-23 20:48:56 |
Process with PID 1192 and title ReportCrash |
|
2021-06-23 20:48:56 |
Process with PID 1190 and title IMTransferAgent |
|
2021-06-23 20:48:56 |
Process with PID 1153 and title SCHelper |
|
2021-06-23 20:48:56 |
Process with PID 1151 and title CategoriesService |
|
2021-06-23 20:48:56 |
Process with PID 1147 and title MessagesBlastDoorService |
|
2021-06-23 20:48:56 |
Process with PID 1145 and title NotificationService |
A second set of crashes and restarts occurred 5 minutes later. The ReportCrash course of was began together with processes associated to parsing of iMessage content material and iMessage customized avatars.
|
Date (UTC) |
Event |
|
2021-06-23 20:54:16 |
Process with PID 1280 and title ReportCrash |
|
2021-06-23 20:54:16 |
Process with PID 1278 and title IMTransferAgent |
|
2021-06-23 20:54:16 |
Process with PID 1266 and title com.apple.WebPackage.WebContent material |
|
2021-06-23 20:54:16 |
Process with PID 1263 and title com.apple.accessibility.mediaac |
|
2021-06-23 20:54:16 |
Process with PID 1262 and title CategoriesService |
|
2021-06-23 20:54:16 |
Process with PID 1261 and title com.apple.WebPackage.Networking |
|
2021-06-23 20:54:16 |
Process with PID 1239 and title avatarsd |
Shortly afterwards at 20:54 the exploitation succeeded, and we observe {that a} community request was made by the com.apple.coretelephony course of inflicting the Cache.db file to be modified. This matches the behaviour Amnesty International hasseen within the different Pegasus zero-click assaults in 2021.
|
Date (UTC) |
Event |
|
2021-06-23 20:54:35 |
File: /non-public/var/wi-fi/Library/Caches/com.apple.coretelephony/Cache.db-shm |
|
2021-06-23 20:54:35 |
File: /non-public/var/wi-fi/Library/Caches/com.apple.coretelephony/fsCachedData/3C73213F-73E5-4429-AAD9-0D7AD9AE83D1 |
|
2021-06-23 20:54:47 |
File: /non-public/var/root/Library/Caches/appccntd/Cache.db |
|
2021-06-23 20:54:53 |
File: /non-public/var/tmp/XtYaXXY |
|
2021-06-23 20:55:08 |
File: /non-public/var/tmp/CFNetworkDownload_JQeZFF.tmp |
|
2021-06-23 20:55:09 |
File: /non-public/var/tmp/PWg6ueAldsvV8vZ8CYpkp53D |
|
2021-06-23 20:55:10 |
File: /non-public/var/db/com.apple.xpc.roleaccountd.staging/otpgrefd |
|
2021-06-23 20:55:10 |
File: /non-public/var/tmp/vditcfwheovjf/kk |
|
2021-06-23 20:59:35 |
Process: appccntd |
|
2021-06-23 20:59:35 |
Process: otpgrefd |
Lastly, the evaluation of a totally patched iPhone 12 working iOS 14.6 of an Indian journalist (CODE INJRN2) additionally revealed indicators of profitable compromise. These most up-to-date discoveries point out NSO Group’s clients are at present in a position to remotely compromise all latest iPhone fashions and variations of iOS.
We have reported this info to Apple, who knowledgeable us they’re investigating the matter.[3]
7. Incomplete makes an attempt to cover proof of compromise
Several iPhones Amnesty International has inspected point out that Pegasus has lately began to manipulate system databases and information on contaminated gadgets to cover its traces and and impede the analysis efforts of Amnesty International and different investigators.
Interestingly, this manipulation turns into evident when verifying the consistency of leftover information within the DataUtilization.sqlite and netusage.sqlite SQLite databases. Pegasus has deleted the names of malicious processes from the ZPROCESS desk in DataUtilization database however not the corresponding entries from the ZLIVEUSAGE desk. The ZPROCESS desk shops rows containing a course of ID and the method title. The ZLIVEUSAGE desk incorporates a row for every working course of together with information switch quantity and the method ID corresponding to the ZPROCESS entry. These inconsistencies could be helpful in figuring out instances when infections could have occurred. Additional Pegasus indicators of compromise have been noticed on all gadgets the place this anomaly was noticed. No comparable inconsistencies have been discovered on any clear iPhones analysed by Amnesty International.
Although most up-to-date information are actually being deleted from these databases, traces of latest course of executions can be recovered additionally from extra diagnostic logs from the system.
For instance, the next information have been recovered from the cellphone of an HRD (CODE RWHRD1):
|
Date (UTC) |
Event |
|
2021-01-31 23:59:02 |
Process: libtouchregd (PID 7354) |
|
2021-02-21 23:10:09 |
Process: mptbd (PID 5663) |
|
2021-02-21 23:10:09 |
Process: launchrexd (PID 4634) |
|
2021-03-21 06:06:45 |
Process: roleaboutd (PID 12645) |
|
2021-03-28 00:36:43 |
Process: otpgrefd (PID 2786) |
|
2021-04-06 21:29:56 |
Process: locserviced (PID 5492) |
|
2021-04-23 01:48:56 |
Process: eventfssd (PID 4276) |
|
2021-04-23 23:01:44 |
Process: aggregatenotd (PID 1900) |
|
2021-04-28 16:08:40 |
Process: xpccfd (PID 1218) |
|
2021-06-14 00:17:12 |
Process: faskeepd (PID 4427) |
|
2021-06-14 00:17:12 |
Process: lobbrogd (PID 4426) |
|
2021-06-14 00:17:12 |
Process: neagentd (PID 4423) |
|
2021-06-14 00:17:12 |
Process: com.apple.rapports.occasions (PID 4421) |
|
2021-06-18 08:13:35 |
Process: faskeepd (PID 4427) |
|
2021-06-18 15:31:12 |
Process: launchrexd (PID 1169) |
|
2021-06-18 15:31:12 |
Process: frtipd (PID 1168) |
|
2021-06-18 15:31:12 |
Process: ReminderIntentsUIExtension (PID 1165) |
|
2021-06-23 14:31:39 |
Process: launchrexd (PID 1169) |
|
2021-06-23 20:59:35 |
Process: otpgrefd (PID 1301) |
|
2021-06-23 20:59:35 |
Process: launchafd (PID 1300) |
|
2021-06-23 20:59:35 |
Process: vm_stats (PID 1294) |
|
2021-06-24 12:24:29 |
Process: otpgrefd (PID 1301) |
System log information additionally reveal the placement of Pegasus binaries on disk. These file names match these we’ve got constantly noticed within the course of execution logs offered earlier. The binaries are positioned contained in the folder /non-public/var/db/com.apple.xpc.roleaccountd.staging/ which is consistent with the findings by Citizen Lab in a December 2020 report.
|
/non-public/var/db/com.apple.xpc.roleaccountd.staging/launchrexd/EACA3532-7D15-32EE-A88A-96989F9F558A |
Amnesty International’s investigations, corroborated by secondary info we’ve got acquired, appear to recommend that Pegasus is now not sustaining persistence on iOS gadgets. Therefore, binary payloads related to these processes will not be recoverable from the non-volatile filesystem. Instead, one would wish to give you the option to jailbreak the system with out reboot, and try to extract payloads from reminiscence.
8. Pegasus processes disguised as iOS system companies
Across the quite a few forensic analyses performed by Amnesty International on gadgets world wide, we discovered a constant set of malicious course of names executed on compromised telephones. While some processes, for instance bh, appear to be distinctive to a specific assault vector, most Pegasus course of names appear to be merely disguised to seem as professional iOS system processes, maybe to idiot forensic investigators inspecting logs.
Several of those course of names spoof professional iOS binaries:
|
Pegasus Process Name |
Spoofed iOS Binary |
|
ABSCarryLog |
ASPCarryLog |
|
aggregatenotd |
aggregated |
|
ckkeyrollfd |
ckkeyrolld |
|
com.apple.Mappit.SnapshotService |
com.apple.MapKit.SnapshotService |
|
com.apple.rapports.occasions |
com.apple.rapport.occasions |
|
CommsCenterRootHelper |
CommCenterRootHelper |
|
Diagnostic-2543 |
Diagnostic-2532 |
|
eventsfssd |
fseventsd |
|
fmld |
fmfd |
|
JarvisPluginMgr |
JarvisPlugin |
|
launchafd |
launchd |
|
MobileSMSd |
MobileSMS |
|
nehelprd |
nehelper |
|
pcsd |
com.apple.pcs |
|
PDPDialogs |
PPPDialogs |
|
ReminderIntentsUIExtension |
RemindersIntentsUIExtension |
|
rlaccountd |
xpcroleaccountd |
|
roleaccountd |
xpcroleaccountd |
The listing of course of names we affiliate with Pegasus infections is accessible amongst all different indicators of compromise on our GitHub web page.
9. Unravelling the Pegasus assault infrastructure through the years
The set of domains, servers and infrastructure used to ship and gather information from NSO Group’s Pegasus spy ware has advanced a number of instances since first publicly disclosed by Citizen Lab in 2016.
In August 2018, Amnesty International revealed a report “Amnesty International Among Targets of NSO-powered Campaign“ which described the focusing on of an Amnesty International employees member and a Saudi human rights defender. In this report, Amnesty International offered an excerpt of greater than 600 domains tied to NSO Group’s assault infrastructure. Amnesty International revealed the full list of domains in October 2018. In this report, we refer to these domains as Pegasus community Version 3 (V3).
The Version 3 infrastructure used a community of VPS’s and devoted servers. Each Pegasus Installation server or Command-and-Control (C&C) server hosted an internet server on port 443 with a singular area and TLS certificates. These edge servers would then proxy connections by a sequence of servers, referred to by NSO Group because the “Pegasus Anonymizing Transmission Network” (PATN).
It was doable to create a pair of fingerprints for the distinctive set of TLS cipher suites supported by these servers. The fingerprint method is conceptually comparable to the JA3S fingerprint technique published by Salesforce in 2019. With that fingerprint, Amnesty International’s Security Lab carried out Internet-wide scans to establish Pegasus Installation/an infection and C&C servers lively in the summertime of 2018.
NSO Group made vital operational safety errors when establishing their Version 3 infrastructure. Two domains of the earlier Version 2 community have been reused of their Version 3 community. These two Version 2 domains, pine-sales[.]com and ecommerce-ads[.]org had beforehand been recognized by Citizen Lab. These errors allowed Amnesty International to hyperlink the tried assault on our colleague to NSO Group’s Pegasus product. These hyperlinks have been independently confirmed by Citizen Lab in a 2018 report.
NSO Group quickly shutdown a lot of their Version 3 servers shortly after the Amnesty International and Citizen Lab’s publications on 1 August 2018.
9.1 Further makes an attempt by NSO Group to cover their infrastructure
In August 2019, the Amnesty International recognized one other case of NSO Group’s instruments getting used to goal a human rights defender, this time in Morocco. Maati Monjib was targeted with SMS messages containing Version 3 Pegasus links.
Amnesty carried out a forensic evaluation of his iPhone as described beforehand. This forensic evaluation confirmed redirects to a brand new area title free247downloads.com. These hyperlinks seemed suspiciously comparable to an infection hyperlinks beforehand utilized by NSO.
Amnesty International confirmed this area was tied to NSO Group by observing distinctive Pegasus artefacts created on the system shortly after the an infection URL was opened. With this new area in hand, we have been in a position to start mapping the Pegasus Version 4 (V4) infrastructure.
NSO Group re-factored their infrastructure to introduce extra layers, which sophisticated discovery. Nevertheless, we might now observe at the least 4 servers utilized in every an infection chain.
|
Validation area: https://baramije[.]web/[ALPHANUMERIC STRING] Exploit area: https://[REDACTED].info8fvhgl3.urlpush[.]web:30827/[SAME ALPHANUMERIC STRING] |
- A validation server: The first step was an internet site which we’ve got seen hosted on shared internet hosting suppliers. Frequently this web site was working a random and typically obscure PHP utility or CMS. Amnesty International believes this was an effort to make the domains look much less distinguishable.The validation server would verify the incoming request. If a request had a sound and nonetheless lively URL the validation server would redirect the sufferer to the newly generated exploit server area. If the URL or system was not legitimate it might redirect to a professional decoy web site. Any passer-by or Internet crawler would solely see the decoy PHP CMS.
- Infection DNS server: NSO now seems to be utilizing a singular subdomain for each exploit try. Each subdomain was generated and solely lively for a brief time period. This prevented researchers from discovering the placement of the exploit server primarily based on historic system logs.To dynamically resolve these subdomains NSO Group ran a customized DNS server beneath a subdomain for each an infection area. It additionally obtained a wildcard TLS certificates which might be legitimate for every generated subdomain akin to *.info8fvhgl3.urlpush[.]web or *.get1tn0w.free247downloads[.]com.
- Pegasus Installation Server: To serve the precise an infection payload NSO Group wants to run an internet server someplace on the Internet. Again, NSO Group took steps to keep away from web scanning by working the online server on a random excessive port quantity.We assume that every an infection webserver is a part of the brand new technology “Pegasus Anonymizing Transmission Network”. Connections to the an infection server are doubtless proxied again to the shopper’s Pegasus infrastructure.
- Command and Control server: In earlier generations of the PATN, NSO Group used separate domains for the preliminary an infection and later communication with the spy ware. The iPwn report from Citizen Lab supplied proof that Pegasus is once more utilizing separate domains for command and management. To keep away from network-based discovery, the Pegasus spy ware made direct connections the Pegasus C&C servers with out first performing a DNS lookup or sending the area title within the TLS SNI discipline.
9.2 Identifying different NSO assault domains
Amnesty International started by analysing the configuration of the an infection domains and DNS servers used within the assaults towards Moroccan journalists and human rights defenders.
Based on our data of the domains utilized in Morocco we developed a fingerprint which recognized 201 Pegasus Installation domains which had infrastructure lively on the time of the preliminary scan. This set of 201 domains included each urlpush[.]web and free247downloads[.]com.
Amnesty International recognized an extra 500 domains with subsequent community scanning and by clustering patterns of area registration, TLS certificates issuance and area composition which matched the preliminary set of 201 domains.
Amnesty International believes that this represents a good portion of the Version 4 NSO Group assault infrastructure. We are publishing these 700 domains right this moment. We suggest the civil society and media organisations verify their community telemetry and/or DNS logs for traces of those indicators of compromise.
9.3 What could be realized from NSO Group’s infrastructure
The following chart reveals the evolution of NSO Group Pegasus infrastructure over a 4-year interval from 2016 till mid-2021. Much of the Version 3 infrastructure was abruptly shut down in August 2018 following our report on an Amnesty International employees member focused with Pegasus. The Version 4 infrastructure was then regularly rolled out starting in September and October 2018.
A major variety of new domains have been registered in November 2019 shortly after WhatsApp notified their customers about alleged focusing on with Pegasus. This could replicate NSO rotating domains due to perceived danger of discovery, or due to disruption to their present internet hosting infrastructure.
The V4 DNS server infrastructure started going offline in early 2021 following the Citizen Lab iPwn report which disclosed a number of Pegasus V4 domains.
Amnesty International suspects the shutting down of the V4 infrastructure coincided with NSO Group’s shift to utilizing cloud companies akin to Amazon CloudFront to ship the sooner phases of their assaults. The use of cloud companies protects NSO Group from some Internet scanning strategies.
9.4 Attack infrastructure hosted primarily in Europe and North America
NSO Group’s Pegasus infrastructure primarily consists of servers hosted at datacentres positioned in European nations. The nations internet hosting probably the most an infection area DNS servers included Germany, the United Kingdom, Switzerland, France, and the United States (US).
|
Country |
Servers per nation |
|
Germany |
212 |
|
United Kingdom |
79 |
|
Switzerland |
36 |
|
France |
35 |
|
United States |
28 |
|
Finland |
9 |
|
Netherlands |
5 |
|
Canada |
4 |
|
Ukraine |
4 |
|
Singapore |
3 |
|
India |
3 |
|
Austria |
3 |
|
Japan |
1 |
|
Bulgaria |
1 |
|
Lithuania |
1 |
|
Bahrain |
1 |
The following desk reveals the variety of DNS servers hosted with every internet hosting supplier. Most recognized servers are assigned to the US-owned internet hosting corporations Digital Ocean, Linode and Amazon Web Services (AWS).
Many internet hosting suppliers provide server internet hosting in a number of bodily places. Based on these two tables it seems that NSO Group is primarily utilizing the European datacentres run by American internet hosting corporations to run a lot of the assault infrastructure for its clients.
|
Network |
Servers per community |
|
DIGITALOCEAN-ASN |
142 |
|
Linode, LLC |
114 |
|
AMAZON-02 |
73 |
|
Akenes SA |
60 |
|
UpCloud Ltd |
9 |
|
Choopa |
7 |
|
OVH SAS |
6 |
|
Virtual Systems LLC |
2 |
|
ASN-QUADRANET-GLOBAL |
1 |
|
combahton GmbH |
1 |
|
UAB Rakrejus |
1 |
|
HZ Hosting Ltd |
1 |
|
PE Brezhnev Daniil |
1 |
|
Neterra Ltd. |
1 |
|
Kyiv Optic Networks Ltd |
1 |
Amnesty International’s analysis recognized 28 DNS servers linked to the an infection infrastructure which have been hosted within the US.
|
Domain title |
DNS server IP |
Network |
|
drp32k77.todoinfonet.com |
104.223.76.216 |
ASN-QUADRANET-GLOBAL |
|
imgi64kf5so6k.transferlights.com |
165.227.52.184 |
DIGITALOCEAN-ASN |
|
pc43v65k.alignmentdisabled.web |
167.172.215.114 |
DIGITALOCEAN-ASN |
|
img54fsd3267h.prioritytrail.web |
157.245.228.71 |
DIGITALOCEAN-ASN |
|
jsfk3d43.netvisualizer.com |
104.248.126.210 |
DIGITALOCEAN-ASN |
|
cdn42js666.manydnsnow.com |
138.197.223.170 |
DIGITALOCEAN-ASN |
|
css1833iv.handcraftedformat.com |
134.209.172.164 |
DIGITALOCEAN-ASN |
|
js43fsf7v.opera-van.com |
159.203.87.42 |
DIGITALOCEAN-ASN |
|
pypip36z19.myfundsdns.com |
167.99.105.68 |
DIGITALOCEAN-ASN |
|
css912jy6.reception-desk.web |
68.183.105.242 |
DIGITALOCEAN-ASN |
|
imgi64kf5so6k.transferlights.com |
206.189.214.74 |
DIGITALOCEAN-ASN |
|
js85mail.preferenceviews.com |
142.93.80.134 |
DIGITALOCEAN-ASN |
|
css3218i.quota-reader.web |
165.227.17.53 |
DIGITALOCEAN-ASN |
|
mongo87a.sweet-water.org |
142.93.113.166 |
DIGITALOCEAN-ASN |
|
react12x2.towebsite.web |
3.13.132.96 |
AMAZON-02 |
|
jsb8dmc5z4.gettingurl.com |
13.59.79.240 |
AMAZON-02 |
|
react12x2.towebsite.web |
3.16.75.157 |
AMAZON-02 |
|
cssgahs5j.redirigir.web |
18.217.13.50 |
AMAZON-02 |
|
jsm3zsn5kewlmk9q.dns-analytics.com |
18.225.12.72 |
AMAZON-02 |
|
imgcss35d.domain-routing.com |
13.58.85.100 |
AMAZON-02 |
|
jsb8dmc5z4.gettingurl.com |
18.191.63.125 |
AMAZON-02 |
|
js9dj1xzc8d.beanbounce.web |
199.247.15.15 |
CHOOPA |
|
jsid76api.buildyourdata.com |
108.61.158.97 |
CHOOPA |
|
cdn19be2.reloadinput.com |
95.179.177.18 |
CHOOPA |
|
srva9awf.syncingprocess.com |
66.175.211.107 |
Linode |
|
jsfk3d43.netvisualizer.com |
172.105.148.64 |
Linode |
|
imgdsg4f35.permalinking.com |
23.239.16.143 |
Linode |
|
srva9awf.syncingprocess.com |
45.79.190.38 |
Linode |
9.5 Infection area resolutions noticed in Passive DNS database
Based on forensic evaluation of compromised gadgets, Amnesty International decided that NSO Group was utilizing a singular and randomly generated subdomain for every try to ship the Pegasus spy ware.
Amnesty International searched passive DNS datasets for every of the Pegasus Version 4 domains we’ve got recognized. Passive DNS databases document historic DNS decision for a site and sometimes included subdomains and the corresponding historic IP tackle.
A subdomain will solely be recorded in passive DNS information if the subdomain was efficiently resolved and the decision transited a community which was working a passive DNS probe.
This probe information is collected primarily based on agreements between community operators and passive DNS information suppliers. Many networks won’t be coated by such information assortment agreements. For instance, no passive DNS resolutions have been recorded for both Pegasus an infection domains utilized in Morocco.
As such, these resolutions signify solely a small subset of general NSO Group Pegasus exercise.
|
Infection area |
Unique an infection subdomains |
|
mongo77usr.urlredirect.web |
417 |
|
str1089.mailappzone.com |
410 |
|
apiweb248.theappanalytics.com |
391 |
|
dist564.htmlstats.web |
245 |
|
css235gr.apigraphs.web |
147 |
|
nodesj44s.unusualneighbor.com |
38 |
|
jsonapi2.linksnew.information |
30 |
|
img9fo658tlsuh.securisurf.com |
19 |
|
pc25f01dw.loading-url.web |
12 |
|
dbm4kl5d3faqlk6.healthyguess.com |
8 |
|
img359axw1z.reload-url.web |
5 |
|
css2307.cssgraphics.web |
5 |
|
info2638dg43.newip-info.com |
3 |
|
img87xp8m.catbrushcable.com |
2 |
|
img108jkn42.av-scanner.com |
2 |
|
mongom5sxk8fr6.extractsight.com |
2 |
|
img776cg3.webprotector.co |
1 |
|
tv54d2ml1.topadblocker.web |
1 |
|
drp2j4sdi.safecrusade.com |
1 |
|
api1r3f4.redirectweburl.com |
1 |
|
pc41g20bm.redirectconnection.web |
1 |
|
jsj8sd9nf.randomlane.web |
1 |
|
php78mp9v.opposedarrangement.web |
1 |
The area urlredirect.web had the best variety of noticed distinctive subdomains. In complete 417 resolutions have been recorded between 4 October 2018, and 17 September 2019. The second highest was mailappzone.com which has 410 resolutions in a 3-month interval between 23 July 2020, and 15 October 2020.
Amnesty International believes that every of those subdomain resolutions, 1748 in complete, signify an try to compromise a tool with Pegasus. These 23 domains signify lower than 7% of the 379 Pegasus Installation Server domains we’ve got recognized. Based on this small subset, Pegasus could have been utilized in 1000’s of assaults over the previous three years.
10. Mobile gadgets, safety and auditability
Much of the focusing on outlined on this report entails Pegasus assaults focusing on iOS gadgets. It is necessary to be aware that this doesn’t essentially replicate the relative safety of iOS gadgets in contrast to Android gadgets, or different working programs and cellphone producers.
In Amnesty International’s expertise there are considerably extra forensic traces accessible to investigators on Apple iOS gadgets than on inventory Android gadgets, subsequently our methodology is targeted on the previous. As a end result, most up-to-date instances of confirmed Pegasus infections have concerned iPhones.
This and all earlier investigations exhibit how assaults towards cell gadgets are a big menace to civil society globally. The issue to not solely stop, however posthumously detect assaults is the results of an unsustainable asymmetry between the capabilities available to attackers and the insufficient protections that people in danger get pleasure from.
While iOS gadgets present at the least some helpful diagnostics, historic information are scarce and simply tampered with. Other gadgets present little to no assist conducting consensual forensics evaluation. Although a lot could be performed to enhance the safety posture of cell gadgets and mitigate the dangers of assaults akin to these documented on this report, much more might be achieved by bettering the flexibility for system house owners and technical specialists to carry out common checks of the system’s integrity.
Therefore, Amnesty International strongly encourages system distributors to discover choices to make their gadgets extra auditable, with out after all sacrificing any safety and privateness protections already in place. Platform builders and cellphone producers ought to repeatedly have interaction in conversations with civil society to higher perceive the challenges confronted by HRDs, who are sometimes under-represented in cybersecurity debates.
11. With our Methodology, we launch our instruments and indicators
For a very long time, triaging the state of a suspected compromised cell system has been thought of a near-impossible process, significantly inside the human rights communities we work in. Through the work of Amnesty International’s Security Lab we’ve got constructed necessary capabilities that will profit our friends and colleagues supporting activists, journalists, and legal professionals who’re in danger.
Therefore, by this report, we’re not solely sharing the methodology we’ve got constructed over years of analysis but in addition the instruments we created to facilitate this work, in addition to the Pegasus indicators of compromise we’ve got collected.
All indicators of compromise can be found on our GitHub , together with domains of Pegasus infrastructure, e-mail addresses recovered from iMessage account lookups concerned within the assaults, and all course of names Amnesty International has recognized as related to Pegasus.
Amnesty International can be releasing a instrument we’ve got created, known as Mobile Verification Toolkit (MVT). MVT is a modular instrument that simplifies the method of buying and analysing information from Android gadgets, and the evaluation of information from iOS backups and filesystem dumps, particularly to establish potential traces of compromise.
MVT could be supplied with indicators of compromise in STIX2 format and can establish any matching indicators discovered on the system. In conjunction with Pegasus indicators, MVT can assist establish if an iPhone have been compromised.
Among others, a number of the options MVT has embody:
- Decrypt encrypted iOS backups.
- Process and parse information from quite a few iOS system and apps databases and system logs.
- Extract put in purposes from Android gadgets.
- Extract diagnostic info from Android gadgets by the adb protocol.
- Compare extracted information to a supplied listing of malicious indicators in STIX2 format. Automatically establish malicious SMS messages, visited web sites, malicious processes, and extra.
- Generate JSON logs of extracted information, and separate JSON logs of all detected malicious traces.
- Generate a unified chronological timeline of extracted information, together with a timeline all detected malicious traces.
Acknowledgements
The Amnesty International Security Lab needs to acknowledge all those that have supported this analysis. Tools launched by the iOS safety analysis group together with libimobiledevice and checkra1n have been used extensively as a part of this analysis. We would additionally like to thank Censys and RiskIQ for offering entry to their web scan and passive DNS information.
Amnesty International needs to acknowledge Citizen Lab for its necessary and intensive analysis on NSO Group and different actors contributing to the illegal surveillance of civil society. Amnesty International thanks Citizen Lab for its peer-review of this research report.
Finally Amnesty International needs to thank the quite a few journalists and human rights defenders who bravely collaborated to make this analysis doable.
Appendix A: Peer evaluation of Methodology Report by Citizen Lab
The Citizen Lab on the University of Toronto has independently peer-reviewed a draft of the forensic methodology outlined on this report. Their evaluation could be discovered here.
Appendix B: Suspicious iCloud Account Lookups
This Appendix reveals the overlap of iCloud accounts discovered looked-up on the cell gadgets of various targets. This listing shall be progressively up to date.
|
iCloud Account |
Target |
|
emmaholm575[@]gmail.com |
• AZJRN1 – Khadija Ismayilova |
|
filip.bl82[@]gmail.com |
• AZJRN1 – Khadija Ismayilova |
|
kleinleon1987[@]gmail.com |
• AZJRN1 – Khadija Ismayilova |
|
bergers.o79[@]gmail.com |
• Omar Radi • FRHRL1 – Joseph Breham • FRHRL2 • FRJRN1 – Lenaig Bredoux • FRJRN2 • FRPOI1 • FRPOI2 – François de Rugy |
|
naomiwerff772[@]gmail.com |
• Omar Radi • FRHRL1 – Joseph Breham • FRPOI1 |
|
bogaardlisa803[@]gmail.com |
• FRHRL1 – Joseph Breham • FRJRN1 – Lenaig Bredoux • FRJRN2 |
|
linakeller2203[@]gmail.com |
• FRHRD1 – Claude Mangin • FRPOI3 – Philippe Bouyssou • FRPOI4 • FRPOI5 – Oubi Buchraya Bachir • MOJRN1 – Hicham Mansouri |
|
jessicadavies1345[@]outlook.com |
• HUJRN1 – András Szabó • HUJRN2 – Szabolcs Panyi |
|
emmadavies8266[@]gmail.com |
• HUJRN1 – András Szabó • HUJRN2 – Szabolcs Panyi |
|
okay.williams.enny74[@]gmail.com |
• HUPOI1 • HUPOI2 – Adrien Beauduin • HUPOI3 |
|
taylorjade0303[@]gmail.com |
• INHRD1 – SAR Geelani • INJRN6 – Smita Sharma • INPOI1 – Prashant Kishor |
|
lee.85.holland[@]gmail.com |
• INHRD1 – SAR Geelani • INJRN6 – Smita Sharma • INPOI1 – Prashant Kishor |
|
bekkerfredi[@]gmail.com |
• INHRD1 – SAR Geelani • INPOI2 |
|
herbruud2[@]gmail.com |
• INJRN1 – Mangalam Kesavan Venu • INJRN2 – Sushant Singh • INPOI1 – Prashant Kishor |
|
vincent.dahl76[@]gmail.com |
• KASH01 – Hatice Cengiz • KASH02 – Rodney Dixon |
|
oskarschalcher[@]outlook.com |
• KASH03 – Wadah Khanfar |
|
benjiburns8[@]gmail.com |
• RWHRD1 – Carine Kanimba |
Appendix C: Detailed Traces per Target
This Appendix incorporates detailed breakdowns of forensic traces recovered for every goal. This Appendix shall be progressively up to date.
C.1 Forensic Traces Overview for Maati Monjib
|
Date (UTC) |
Event |
|
2017-11-02 12:29:33 |
Pegasus SMS with hyperlink to hxxps://tinyurl[.]com/y73qr7mb redirecting to hxxps://revolution-news[.]co/ikXFZ34ca |
|
2017-11-02 16:42:34 |
Pegasus SMS with hyperlink to hxxps://stopsms[.]biz/vi78ELI |
|
2017-11-02 16:44:00 |
Pegasus SMS with hyperlink to hxxps://stopsms[.]biz/vi78ELI from +212766090491 |
|
2017-11-02 16:45:10 |
Pegasus SMS with hyperlink to Hxxps://stopsms[.]biz/bi78ELI from +212766090491 |
|
2017-11-02 16:57:00 |
Pegasus SMS with hyperlink to Hxxps://stopsms[.]biz/bi78ELI from +212766090491 |
|
2017-11-02 17:13:45 |
Pegasus SMS with hyperlink to Hxxps://stopsms[.]biz/bi78ELI from +212766090491 |
|
2017-11-02 17:21:57 |
Pegasus SMS with hyperlink to Hxxps://stopsms[.]biz/bi78ELI from +212766090491 |
|
2017-11-02 17:30:49 |
Pegasus SMS with hyperlink to Hxxps://stopsms[.]biz/bi78ELI from +212766090491 |
|
2017-11-02 17:40:46 |
Pegasus SMS with hyperlink to Hxxps://stopsms[.]biz/bi78ELI from +212766090491 |
|
2017-11-15 17:05:17 |
Pegasus SMS with hyperlink to hxxps://videosdownload[.]co/nBBJBIP |
|
2017-11-20 18:22:03 |
Pegasus SMS with hyperlink to hxxps://infospress[.]com/LqoHgMCEE |
|
2017-11-24 13:43:17 |
Pegasus SMS with hyperlink to hxxps://tinyurl[.]com/y9hbdqm5 redirecting to hxxps://hmizat[.]co/JaCTkfEp |
|
2017-11-24 17:26:09 |
Pegasus SMS with hyperlink to hxxps://stopsms[.]biz/2Kj2ik6 |
|
2017-11-27 15:56:10 |
Pegasus SMS with hyperlink to hxxps://stopsms[.]biz/yTnWt1Ct |
|
2017-11-27 17:32:37 |
Pegasus SMS with hyperlink to hxxps://hmizat[.]co/ronEKDVaf |
|
2017-12-07 18:21:57 |
Pegasus SMS with hyperlink to hxxp://tinyurl[.]com/y7wdcd8z redirecting to hxxps://infospress[.]com/Ln3HYK4C |
|
2018-01-08 12:58:14 |
Pegasus SMS with hyperlink to hxxp://tinyurl[.]com/y87hnl3o redirecting to hxxps://infospress[.]com/asjmXqiS |
|
2018-02-09 21:12:49 |
Process: pcsd |
|
2018-03-16 08:24:20 |
Process: pcsd |
|
2018-04-28 22:25:12 |
Process: bh |
|
2018-05-04 21:30:45 |
Process: pcsd |
|
2018-05-21 21:46:06 |
Process: fmld |
|
2018-05-22 17:36:51 |
Process: bh |
|
2018-06-04 11:05:43 |
Process: fmld |
|
2019-03-27 21:45:10 |
Process: bh |
|
2019-04-14 23:02:41 |
Safari favicon from URL hxxps://c7r8x8f6zecd8j.get1tn0w.free247downloads[.]com:30352/Ld3xuuW5 |
|
2019-06-27 20:13:10 |
Safari favicon from URL hxxps://3hdxu4446c49s.get1tn0w.free247downloads[.]com:30497/pczrccr#052045871202826837337308184750023238630846883009852 |
|
2019-07-22 15:42:32 |
Safari go to to hxxps://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz |
|
2019-07 22 15:42:32 |
Safari go to to hxxps://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz#048634787343287485982474853012724998054718494423286 |
|
2019-07-22 15:43:06 |
Safari favicon from URL hxxps://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz#048634787343287485982474853012724998054718494423286 |
|
n/a |
WebPackage IndexedDB file for URL hxxps://c7r8x8f6zecd8j.get1tn0w.free247downloads[.]com |
|
n/a |
WebPackage IndexedDB file for URL hxxps://bun54l2b67.get1tn0w.free247downloads[.]com |
|
n/a |
WebPackage IndexedDB file for URL hxxps://keewrq9z.get1tn0w.free247downloads[.]com |
|
n/a |
WebPackage IndexedDB file for URL hxxps://3hdxu4446c49s.get1tn0w.free247downloads[.]com |
C.2 Forensic Traces Overview for Omar Radi
|
Date (UTC) |
Event |
|
2019-02-11 14:45:45 |
Webkit IndexedDB file for URL hxxps://d9z3sz93x5ueidq3.get1tn0w.free247downloads[.]com |
|
2019-02-11 13:45:53 |
Safari favicon from URL hxxps://d9z3sz93x5ueidq3.get1tn0w.free247downloads[.]com:30897/rdEN5YP |
|
2019-02-11 13:45:56 |
Process: bh |
|
2019-02-11 13:46:16 |
Process: roleaboutd |
|
2019-02-11 13:46:23 |
Process: roleaboutd |
|
2019-02-11 16:05:24 |
Process: roleaboutd |
|
2019-08-16 17:41:06 |
iMessage lookup for account bergers.o79[@]gmail.com |
|
2019-09-13 15:01:38 |
Safari favicon for URL hxxps://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/meunsnyse#011356570257117296834845704022338973133022433397236 |
|
2019-09-13 15:01:56 |
Safari favicon for URL hxxps://2far1v4lv8.get1tn0w.free247downloads[.]com:31052/meunsnyse#068099561614626278519925358638789161572427833645389 |
|
2019-09-13 15:02:11 |
Process: bh |
|
2019-09-13 15:02:20 |
Process: msgacntd |
|
2019-09-13 15:02:33 |
Process: msgacntd |
|
2019-09-14 15:02:57 |
Process: msgacntd |
|
2019-09-14 18:51:54 |
Process: msgacntd |
|
2019-10-29 12:21:18 |
iMessage lookup for account naomiwerff772[@]gmail.com |
|
2020-01-27 10:06:24 |
Safari favicon for URL hxxps://gnyjv1xltx.info8fvhgl3.urlpush[.]web:30875/zrnv5revj#074196419827987919274001548622738919835556748325946 |
|
2020-01-27 10:06:26 |
Safari go to to hxxps://gnyjv1xltx.info8fvhgl3.urlpush[.]web:30875/zrnv5revj#074196419827987919274001548622738919835556748325946#2 |
|
2020-01-27 10:06:26 |
Safari go to to hxxps://gnyjv1xltx.info8fvhgl3.urlpush[.]web:30875/zrnv5revj#074196419827987919274001548622738919835556748325946#24 |
|
2020-01-27 10:06:32 |
Safari favicon for URL hxxps://gnyjv1xltx.info8fvhgl3.urlpush[.]web:30875/zrnv5revj#074196419827987919274001548622738919835556748325946percent2324 |
Appendix D could be discovered here.
[1] The technical proof supplied within the report contains the forensic analysis carried out as a part of the Pegasus Project in addition to extra Amnesty International Security Lab analysis carried out because the institution of the Security Lab in 2018.
[2] Email to Amnesty International, May 2021
[3] Email to Amnesty International, July 2021.
