Hi,

I found this repository from the Wikipedia article on Pegasus.

Could you direct where to look for aid if experiencing brazen and advanced device compromise of unknown nature?

Thank you. I am in the USA myself.

This repository has no LICENSE file.
What are the IOCs licensed under?

I would like to add them to my FOSS real-time malware scanner app, Hypatia:
https://github.com/divested-mobile/hypatia

Reposted by https://twitter.com/haxrob

The Chinese APT contractor leak contained a few interesting files; namely:

• CDRs (Call Detail Records)
• LBS (Location Based Services) db records

Threat actors compromise telcos with the aim to obtain subscriber metadata to support IC objectives.

https://twitter.com/haxrob/status/1759741145591214435

I'm assuming instances of com.apple.CrashReporter.plist in isolation isn't something to be too concerned about (using mtv-project and pegasus.stix2 indicators). Is it worth highlighting this in the output?

2013-11-24 07:45:56.000000,Manifest,M--B,Library/Preferences/com.apple.CrashReporter.plist - HomeDomain
2019-08-12 18:21:19.000000,Manifest,--C-,Library/Preferences/com.apple.CrashReporter.plist - HomeDomain

I use pihole to filter dns requests on my network & I was wondering if it was possible to publish a publicly available maintained list of all the domains discovered across all published investigations.
Currently I pull the domain lists using the raw.githubusercontent link to each domain.txt file in every repository which works, but it would be convenient to only have to use one list containing all discovered domains that was periodically updated as new investigations were published.

Thank you for the consideration!

Would you mind adding an indication how to pass the stix file to MVT command ?
It's not clear from MVT documentation how to do so.

Hi! I am a web developer and I need your help for a domain exclusion from you investigation domains list.

I found this project because an issue with a client's website that was blocked by ESET antivirus. Why? Because, they say that until my client's domain (posta.news) is on the list, they will not be able to white list that domain.

I have made a lot of changes, cleaning and scans; my client's website is clean, it is a simple news wordpress website; maybe some day in the past was dirty but it was not our intention. By the way, if you see and can provide me more info about where or what is in our website code, please let me know.

We really need your help, thanks in advance!

Regards!

Hi, is there a chance to list not only the process names but the full path of them? That'd allow the detection of pegasus on running devices.

Thanks!

Hello Team:

I'm using the command (Mac Terminal)
mvt-ios check-backup -o /Output -i /pegasus.stix2 /Backup

and I'm receive this error. Is possible to help? After the command my output folder is empty.

Just by a suggestion if you can better detail the process and expected information of "Records extracted"
My Error:
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd1 in position 8: invalid continuation byte

Traceback (most recent call last):
File "/usr/local/bin/mvt-ios", line 8, in
sys.exit(cli())
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1137, in call
return self.main(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1062, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1668, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 763, in invoke
return __callback(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/mvt/ios/cli.py", line 86, in check_backup
indicators = Indicators(iocs)
File "/usr/local/lib/python3.9/site-packages/mvt/common/indicators.py", line 19, in init
self.data = json.load(handle)
File "/usr/local/Cellar/[email protected]/3.9.6/Frameworks/Python.framework/Versions/3.9/lib/python3.9/json/init.py", line 293, in load
return loads(fp.read(),
File "/usr/local/Cellar/[email protected]/3.9.6/Frameworks/Python.framework/Versions/3.9/lib/python3.9/codecs.py", line 322, in decode
(result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd1 in position 8: invalid continuation byte

I use the following to generate a complete ad-block list from this amazing repository.

1. Clone the repo
2. cd investigations
3. cat */*domains.txt | sort | uniq | tee amensty_nso_domain_list.txt

Now you can add amensty_nso_domain_list.txt to your trusted ad-blocker.

On a sidenote, we should possibly run this on every commit, so the request to the Amnesty team would be to see if this can configure as a job to keep either this/other repo updated with the latest list always ?

For Pegasus detection (pegasus.stix2) the scan considers the mere presence of Library/Preferences/com.apple.CrashReporter.plist to be an indication of infection. This raises a false flag on any iPhone used for normal iOS development. You're looking for

	<key>ShouldSubmit</key>
	<false/>

in the contents of that file as a more accurate indicator of Pegasus infection. If the above is

	<key>ShouldSubmit</key>
	<true/>  

that is normal for any iOS developer's iPhone.

Hi,

The hash a890c88b6c64371242b4047830b9189b4546536c6b11576d0738f0ba1840ade is 63 character long, it's missing one character for a SHA256 hash.

Could you please fix it?

Thank you,
Ariel

Hey devs,

Amazing work with the repo. Provides a first step release to many of us.

I was wondering if you could also commit the SHA-SUM of the domain and email list for us to verify the state of the repo downloaded. Just adds another layer of verification for some of us.