Forensics Analysis of the NSO Group’s Pegasus Spyware

NSO Group’s Pegasus spyware was mentioned in the media multiple times during 2021. It has been analyzed in depth by organizations such as Amnesty International [1] and the University of Toronto’s Citizen Lab [2] [3] [4] [5].

The targets included journalists from Azerbaijan, France, Hungary, and India; French human rights lawyers; French human rights activists; Rwandan activists; and Indian human rights activists. Citizen Lab also identified Bahraini activists, New York Times journalist Ben Hubbard, and Palestinian human rights defenders as victims.

The Pegasus spyware has been distributed via one-click attacks (the target needs to click on a malicious link received via SMS messages, WhatsApp, etc.) and zero-click attacks (no interaction needed). Some of the recently used 0-day exploits developed by NSO Group include KISMET and FORCEDENTRY (also called Megalodon). It’s important to mention that Apple patched all the vulnerabilities submitted regarding these attacks, and it’s crucial to update your iOS devices regularly.

The FORCEDENTRY exploit has been analyzed by Google [6] and TrendMicro [7]. It has been assigned the identifier CVE-2021-30860 and is a vulnerability in the CoreGraphics PDF parser: an integer overflow that leads to an out-of-bounds write. The crashing point inside the function JBIG2Stream::readTextRegionSeg is displayed below:

[Figure: crashing point inside JBIG2Stream::readTextRegionSeg. Source: TrendMicro]

The Google Project Zero team performed a deep dive into the exploit and explained that the attackers could define a small computer architecture with registers and a 64-bit adder and comparator. It is computationally equivalent to JavaScript, and the team concluded that this is one of the most technically sophisticated exploits they’ve ever analyzed.

The LIFARS team analyzed a suspected Pegasus infection using the Mobile Verification Toolkit released by the Amnesty International Security Lab [8]. We also used the NSO Group Pegasus IOCs (domains, iCloud accounts, files, process names) in our investigation [9].

We were able to identify six Pegasus processes that ran on the victim’s iPhone. The infection occurred on February 1st, which coincided with the period when NSO Group deployed the FORCEDENTRY iMessage zero-click exploit described by Citizen Lab in their report [3].


| Wifi In (MB) | Wifi Out (MB) | Wan In (MB) | Wan Out (MB) | Timestamp (UTC) | Process Name |
|---|---|---|---|---|---|
| 1.6554 | 0.178541 | 0 | 0 | 2/1/2021 13:02:30 | wifip2ppd |
| 0.007 | 0.0019 | 0 | 0 | 2/1/2021 13:02:31 | ABSCarryLog |
| 29.8661 | 99.8687 | 1.2749 | 1.0464 | 2/1/2021 13:03:00 | misbrigd |
| 1.6548 | 0.1939 | 0 | 0 | 2/11/2021 23:31:38 | cfprefssd |
| 0.007 | 0.0019 | 0 | 0 | 2/11/2021 23:31:38 | gssdp |
| 75.6967 | 58.8612 | 7.6284 | 4.99 | 2/11/2021 23:32:04 | libbmanaged |


As shown in the table above, two processes performed data exfiltration. The libbmanaged process was running for over a week, based on a record from the DataUsage.sqlite database:


| Wifi In (MB) | Wifi Out (MB) | Wan In (MB) | Wan Out (MB) | Timestamp (UTC) | Process Name |
|---|---|---|---|---|---|
| 0 | 0 | 7.99 | 5.07 | 2/19/2021 1:16:18 | libbmanaged |


Before the malicious processes ran, we identified the following process related to iMessage processing:


| Wifi In (MB) | Wifi Out (MB) | Wan In (MB) | Wan Out (MB) | Timestamp (UTC) | Process Name |
|---|---|---|---|---|---|
| 0 | 0 | 15.0895 | 0.4087 | 2/1/2021 12:52:55 | IMTransferAgent |
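The following Python example is added here for illustration and is not LIFARS’s or MVT’s own code: it shows how usage records in DataUsage.sqlite can be matched against the process names reported above. The ZPROCESS/ZLIVEUSAGE table and column names, the byte units, and the "process/bundle" name form are assumptions about the database layout; the sample rows are constructed from the tables in this article.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Process names this article reports as Pegasus-related.
SUSPECTS = {"wifip2ppd", "ABSCarryLog", "misbrigd", "cfprefssd", "gssdp", "libbmanaged"}
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Apple absolute-time epoch
MB = 1024 * 1024  # counters are assumed to be stored in bytes
# Table and column names are assumed from the DataUsage.sqlite layout MVT reads.
QUERY = ("SELECT p.ZPROCNAME, u.ZWIFIIN, u.ZWIFIOUT, u.ZWWANIN, u.ZWWANOUT, u.ZTIMESTAMP "
         "FROM ZLIVEUSAGE u JOIN ZPROCESS p ON u.ZHASPROCESS = p.Z_PK ORDER BY u.ZTIMESTAMP")

def triage(conn, suspects=SUSPECTS):
    """Return usage records whose process name matches a known indicator."""
    hits = []
    for name, wifi_in, wifi_out, wan_in, wan_out, ts in conn.execute(QUERY):
        # Assumption: ZPROCNAME can be "process/bundle.id"; compare the process part.
        proc = (name or "").split("/")[0]
        if proc not in suspects:
            continue
        when = COCOA_EPOCH + timedelta(seconds=ts or 0)
        out_mb = round(((wifi_out or 0) + (wan_out or 0)) / MB, 4)
        in_mb = round(((wifi_in or 0) + (wan_in or 0)) / MB, 4)
        hits.append({"process": proc, "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
                     "in_mb": in_mb, "out_mb": out_mb})
    return hits

def sample_db():
    """Constructed in-memory database; three rows modelled on the tables above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
            ZWIFIIN REAL, ZWIFIOUT REAL, ZWWANIN REAL, ZWWANOUT REAL, ZTIMESTAMP REAL);
    """)
    rows = [  # (name, wifi in/out MB, wan in/out MB, UTC time)
        ("IMTransferAgent", 0, 0, 15.0895, 0.4087, datetime(2021, 2, 1, 12, 52, 55)),
        ("misbrigd", 29.8661, 99.8687, 1.2749, 1.0464, datetime(2021, 2, 1, 13, 3, 0)),
        ("libbmanaged", 0, 0, 7.99, 5.07, datetime(2021, 2, 19, 1, 16, 18)),
    ]
    for pk, (name, wi, wo, ci, co, t) in enumerate(rows, 1):
        secs = (t.replace(tzinfo=timezone.utc) - COCOA_EPOCH).total_seconds()
        conn.execute("INSERT INTO ZPROCESS VALUES (?, ?)", (pk, name))
        conn.execute("INSERT INTO ZLIVEUSAGE VALUES (?, ?, ?, ?, ?, ?, ?)",
                     (pk, pk, wi * MB, wo * MB, ci * MB, co * MB, secs))
    return conn

if __name__ == "__main__":
    print(*triage(sample_db()), sep="\n")
```

To run it against a real extraction, pass `sqlite3.connect()` on a copy of the database to `triage()` instead of the sample connection.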


The file “/private/var/mobile/Library/Preferences/” used by Amnesty International’s Security Lab to extract the suspicious iMessage account lookups is missing in our case. The netusage.sqlite SQLite database is also missing, and we couldn’t extract records from the Cache.db databases because we couldn’t jailbreak the device.

The Pegasus spyware remains an active threat even though the NSO Group has been sanctioned by the United States. We recommend rebooting your iPhone daily in order to remove non-persistent malware.