S0289 Pegasus for iOS
Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.[2][1] The Android version is tracked separately under Pegasus for Android.
| Item | Value |
|---|---|
| ID | S0289 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 25 October 2017 |
| Last Modified | 06 April 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1429 | Audio Capture | Pegasus for iOS has the ability to record audio.[2] |
| mobile | T1645 | Compromise Client Software Binary | Pegasus for iOS modifies the system partition to maintain persistence.[2] |
| mobile | T1456 | Drive-By Compromise | Pegasus for iOS was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.[2] |
| mobile | T1658 | Exploitation for Client Execution | Pegasus for iOS can compromise iPhones running iOS 16.6 without any user interaction.[4] |
| mobile | T1664 | Exploitation for Initial Access | Pegasus for iOS has used zero-day iMessage exploits for initial access.[3] |
| mobile | T1404 | Exploitation for Privilege Escalation | Pegasus for iOS exploits iOS vulnerabilities to escalate privileges.[2] |
| mobile | T1430 | Location Tracking | Pegasus for iOS updates and sends the location of the phone.[2] |
| mobile | T1644 | Out of Band Data | Pegasus for iOS uses SMS for command and control.[2] |
| mobile | T1660 | Phishing | Pegasus for iOS has been distributed via malicious links in SMS messages.[3] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | Pegasus for iOS captures call logs.[2] |
| mobile | T1636.003 | Contact List | Pegasus for iOS gathers contacts from the system by dumping the victim's address book.[2] |
| mobile | T1636.004 | SMS Messages | Pegasus for iOS captures SMS messages that the victim sends or receives.[2] |
| mobile | T1409 | Stored Application Data | Pegasus for iOS accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.[2] |
| mobile | T1426 | System Information Discovery | Pegasus for iOS monitors the status of the victim device and disables access to the phone by other jailbreaking software.[2] |
| mobile | T1421 | System Network Connections Discovery | Pegasus for iOS monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.[2] |
References
1. Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.
2. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
3. Marczak, B., et al. (2020, December 20). The Great iPwn. Retrieved April 3, 2024.
4. Scott-Railton, J., et al. (2022, April 18). Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru. Retrieved April 18, 2024.