You Shall Not PASS - Analysing a NSO iOS Spyware Sample

A technical analysis of the PKPass exploit chain used by NSO's Pegasus spyware against iOS: the attack pattern, the forensic techniques used to unpack the sample, and the indicators that let you detect it on other devices.

Key takeaways
  • NSO’s Pegasus spyware used a PKPass file delivered via iMessage to execute a zero-click exploit chain against iOS devices
  • Key indicators of compromise include:
    • Repeated crashes of the Messages BlastDoor service (MessagesBlastDoorService)
    • The IMTransferAgent process downloading suspicious iMessage attachments
    • Files with a .png extension whose contents are actually WebP images
    • PKPass files containing suspicious “function” strings (the FUNCTION( syntax NSExpression uses to call selectors)
    • Long runs of repeated ‘A’ characters in payloads
    • Files written to /private/var/tmp
  • The attack chain involved multiple layers of:
    • Base64 encoding
    • Compression
    • NSKeyedArchiver serialization
    • NSExpression execution
  • The exploit bypassed the mitigations added in iOS 15.1 by manipulating in-memory flags to re-enable execution of otherwise restricted classes
  • Forensic analysis tools used:
    • Mobile Verification Toolkit (MVT) for iTunes backup analysis
    • Custom Python scripts for decompression and decoding
    • Manual crash log analysis
  • The sample showed a modular design with separate configuration, payload delivery and execution phases
  • The exploit chain specifically targeted iPhones and showed no evidence of iPad targeting
  • Mercenary spyware vendors tend to reuse complex exploitation frameworks rather than burn new zero-days
  • iOS forensic investigation is effective but needs more scale and automation
  • Regular forensic analysis of devices helps detect sophisticated attacks that bypass security controls
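The two technical takeaways above, the file-level indicators and the layered payload encoding, are the kind of thing a triage script should automate. The following is an added example written for this page, not code from the original post, from NSO's sample or from the MVT project. It scans constructed (path, bytes) artifacts for the listed indicators (mismatched .png/WebP magic, NSExpression FUNCTION( strings, runs of 'A', files under /private/var/tmp, expanding .pkpass zip archives on the way) and peels a layered payload back to its innermost content. The post does not say which compression algorithm or layer order the real sample used; this decoder assumes zlib and simply tries each recognisable layer in turn, and the 64-byte 'A'-run threshold and the sample NSExpression string are assumptions for the demonstration.

```python
from __future__ import annotations

import base64
import io
import plistlib
import re
import zipfile
import zlib

# Real format constants: PNG signature; WebP is a RIFF container with "WEBP" at offset 8.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# NSExpression format strings invoke selectors as FUNCTION(receiver, 'selector', ...).
NSEXPR_FUNCTION = re.compile(rb"FUNCTION\s*\(")
# 64 is an assumed triage threshold, not a value taken from the post.
A_RUN = re.compile(rb"A{64,}")
B64_TEXT = re.compile(rb"\A[A-Za-z0-9+/]+={0,2}\Z")
SUSPICIOUS_DIRS = ("/private/var/tmp/",)


def is_webp(data: bytes) -> bool:
    return data[:4] == b"RIFF" and data[8:12] == b"WEBP"


def is_zlib(data: bytes) -> bool:
    # zlib header: CMF == 0x78 and (CMF*256 + FLG) is a multiple of 31.
    return len(data) >= 2 and data[0] == 0x78 and (data[0] * 256 + data[1]) % 31 == 0


def scan_blob(name: str, data: bytes) -> list[str]:
    """Return textual findings for one file (name plus contents)."""
    findings = []
    if name.lower().endswith(".png") and not data.startswith(PNG_MAGIC) and is_webp(data):
        findings.append(f"{name}: .png extension but WebP magic")
    if NSEXPR_FUNCTION.search(data):
        findings.append(f"{name}: NSExpression FUNCTION( string")
    m = A_RUN.search(data)
    if m:
        findings.append(f"{name}: run of {len(m.group())} 'A' bytes")
    return findings


def scan_artifacts(artifacts: list[tuple[str, bytes]]) -> list[str]:
    """Triage (path, bytes) pairs; .pkpass files are zip archives and get expanded."""
    findings = []
    for path, data in artifacts:
        for d in SUSPICIOUS_DIRS:
            if path.startswith(d):
                findings.append(f"{path}: located under {d.rstrip('/')}")
        if path.lower().endswith(".pkpass"):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    findings.extend(scan_blob(f"{path}!{info.filename}", zf.read(info)))
        else:
            findings.extend(scan_blob(path, data))
    return findings


def peel_payload(blob: bytes, max_layers: int = 8) -> tuple[bytes, list[str]]:
    """Strip base64 / zlib / NSKeyedArchiver layers until none applies (assumed layering)."""
    layers = []
    for _ in range(max_layers):
        if blob.startswith(b"bplist00"):
            plist = plistlib.loads(blob)
            if plist.get("$archiver") != "NSKeyedArchiver":
                break
            # Archived strings live in the $objects table; keep those, drop the $null marker.
            strings = [o for o in plist.get("$objects", []) if isinstance(o, str) and o != "$null"]
            blob = "\n".join(strings).encode()
            layers.append("NSKeyedArchiver")
        elif is_zlib(blob):
            blob = zlib.decompress(blob)
            layers.append("zlib")
        elif B64_TEXT.match(blob) and len(blob) % 4 == 0:
            blob = base64.b64decode(blob, validate=True)
            layers.append("base64")
        else:
            break
    return blob, layers


def build_sample() -> tuple[bytes, list[tuple[str, bytes]]]:
    """Constructed sample data (not from a real capture) mirroring the described layering."""
    expression = "FUNCTION(CAST('NSBundle','Class'), 'mainBundle')"  # assumed payload
    archive = plistlib.dumps(
        {"$version": 100000, "$archiver": "NSKeyedArchiver",
         "$top": {"root": plistlib.UID(1)}, "$objects": ["$null", expression]},
        fmt=plistlib.FMT_BINARY)
    layered = base64.b64encode(zlib.compress(archive))
    webp = b"RIFF" + (20).to_bytes(4, "little") + b"WEBP" + b"VP8 " + b"\0" * 8
    pkpass = io.BytesIO()
    with zipfile.ZipFile(pkpass, "w") as zf:
        zf.writestr("pass.json", b'{"formatVersion":1,"description":"' + layered + b'"}')
        zf.writestr("logo.png", webp)          # WebP hiding behind a .png name
        zf.writestr("spray.bin", b"A" * 256)   # long run of 'A'
    artifacts = [("/private/var/tmp/attachment.pkpass", pkpass.getvalue()),
                 ("/private/var/mobile/Library/SMS/Attachments/ab/11/IMG_0001.png", webp)]
    return layered, artifacts


if __name__ == "__main__":
    layered, artifacts = build_sample()
    for finding in scan_artifacts(artifacts):
        print(finding)
    payload, layers = peel_payload(layered)
    print(layers, payload)
```

On a real case the artifact list would come from an MVT backup extraction rather than `build_sample()`, and the base64 check is deliberately strict (no whitespace, padded length) so that innocent text is not mis-decoded; loosen it only after looking at the actual blob.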