Black Hat 2024

Analyzing an NSO Pegasus Spyware Sample


This talk demonstrates a forensic methodology for analyzing a complex, multi-stage NSO Pegasus spyware sample delivered via iMessage. The speaker details the process of identifying suspicious crash logs, extracting and decompressing nested payloads, and reverse-engineering obfuscated Objective-C code. The analysis highlights the use of NSKeyedArchiver for serialization and the exploitation of a WebP decoding vulnerability to achieve initial execution on iOS devices.

Unpacking the Pegasus BlastPass Chain: A Forensic Deep Dive

TLDR: The Pegasus BlastPass exploit chain demonstrates how sophisticated actors leverage memory corruption in image processing to achieve zero-click code execution on iOS. By analyzing crash logs and decompressing nested payloads, researchers can identify malicious patterns like the abuse of NSKeyedArchiver and NSExpression. This post breaks down the forensic methodology required to uncover these hidden stages and provides actionable indicators for your next mobile assessment.

Mobile forensics often feels like a game of cat and mouse where the mouse has a multi-million dollar budget and a zero-day stockpile. The recent analysis of the Pegasus BlastPass exploit chain, which targeted high-value individuals via iMessage, is a masterclass in why we cannot rely on vendor-provided security boundaries alone. When you are staring at a compromised device, the standard toolset is rarely enough. You need to understand the underlying mechanics of how these payloads are staged, obfuscated, and executed.

The Anatomy of the BlastPass Chain

The core of BlastPass is a zero-click delivery mechanism through iMessage that targets the way iOS handles image attachments. The chain weaponized a heap buffer overflow in image decoding (the libwebp lossless decoder, reached through ImageIO) to gain initial code execution, then staged further payloads from that foothold. This is not a single memory corruption bug; it is a multi-stage delivery system designed to evade detection at every layer.

The initial infection vector was a PassKit (.pkpass) attachment. For those of us performing mobile penetration tests, this is a critical area to monitor. A .pkpass file is a ZIP archive containing pass.json metadata, a manifest, a signature and a set of images, which let the attackers hide their payload in plain sight. Embedding a WebP image that triggered the overflow in the image decoder gave them initial code execution. Apple tracked the ImageIO bug as CVE-2023-41064 and a companion Wallet validation issue as CVE-2023-41061, both fixed in iOS 16.6.1; the same libwebp root cause was assigned CVE-2023-4863 a few days later when it surfaced in browsers and everything else that bundles libwebp. The lesson is the danger of parsing complex, attacker-supplied image formats the moment a message arrives, before the user has done anything at all.

Forensic Methodology: From Crash Logs to Payloads

When a device exhibits suspicious behavior, start with the crash logs. In the BlastPass case, the homed and MessagesBlastDoorService processes were crashing repeatedly, which is a massive red flag: MessagesBlastDoorService is the sandboxed parser that iMessage attachments pass through, so repeated crashes there are consistent with an exploit that fails part of the time (for example during heap shaping) or with a payload that is still trying to get its footing. Crash reports live under /private/var/mobile/Library/Logs/CrashReporter/ on the device and can be collected with a sysdiagnose, through Settings > Privacy & Security > Analytics & Improvements > Analytics Data, or over USB with libimobiledevice's idevicecrashreport.

Once you have the crash logs, take a full backup and run it through the Mobile Verification Toolkit (MVT). Use an encrypted backup: iOS only includes some artifacts, such as the keychain and web history, when backup encryption is on, and MVT's mvt-ios decrypt-backup subcommand handles the decryption before mvt-ios check-backup extracts the artifacts. The --iocs option then matches the results against published STIX2 indicators such as Amnesty International's Pegasus set. MVT is the industry standard for this kind of work because it automates the extraction of artifacts that are otherwise buried in the file system.

The real work begins in the extracted files. The attackers serialized their objects with NSKeyedArchiver, a pattern seen in earlier Pegasus chains as well, because Foundation will reconstruct whole object graphs, including NSExpression and NSPredicate trees, from a binary plist. The result is not human-readable as-is: every object sits in a $objects array and the references between them are CF$UID indices, so a plain dump shows a table of fragments rather than the structure. Start by converting the binary plist to XML with plutil or printing it with PlistBuddy, then follow the UIDs.

# Convert a binary plist to XML for inspection
plutil -convert xml1 -o output.plist input.plist

# Or dump it in a compact human-readable form without writing a file
plutil -p input.plist

# Use PlistBuddy (note the capitalization) to print the whole tree or one key
/usr/libexec/PlistBuddy -c "Print" input.plist
/usr/libexec/PlistBuddy -c 'Print :$objects' input.plist
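Following the UIDs by hand gets old quickly, so the script below does it programmatically and also lists which classes the archive would instantiate, which is the fastest triage signal. This is an added example, not code from the talk or the page; the archive it builds is a constructed sample that copies the real NSKeyedArchiver layout ($archiver, $top, a $objects table addressed by UID, $class pointing at a {$classname, $classes} descriptor), while the key names and values inside it are placeholders chosen for illustration.

```python
"""Resolve an NSKeyedArchiver plist into plain Python objects and list its classes.

Added example, not code from the talk or the page. build_sample_archive() is a
constructed sample that mimics the NSKeyedArchiver layout; its contents are
placeholders, not a real capture.
"""
import plistlib
from typing import Any

UID = plistlib.UID

# Classes whose presence in an iMessage/Wallet artifact deserves a close look:
# archived NSExpression/NSPredicate trees are executable logic, not data.
SUSPICIOUS_CLASSES = {
    "NSExpression", "NSFunctionExpression", "NSPredicate",
    "NSComparisonPredicate", "NSCompoundPredicate",
}


def build_sample_archive() -> bytes:
    """Constructed sample mimicking NSKeyedArchiver output (not a real capture)."""
    archive = {
        "$version": 100000,
        "$archiver": "NSKeyedArchiver",
        "$top": {"root": UID(1)},
        "$objects": [
            "$null",
            {"$class": UID(7), "NS.keys": [UID(2), UID(3)], "NS.objects": [UID(4), UID(5)]},
            "name",
            "stage",
            "sample",
            {"$class": UID(8), "NSSelectorName": UID(6), "NSOperand": UID(0), "NSArguments": UID(9)},
            "description",
            {"$classname": "NSDictionary", "$classes": ["NSDictionary", "NSObject"]},
            {"$classname": "NSFunctionExpression",
             "$classes": ["NSFunctionExpression", "NSExpression", "NSObject"]},
            {"$class": UID(10), "NS.objects": []},
            {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]},
        ],
    }
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def _resolve(obj: Any, objects: list, seen: frozenset) -> Any:
    """Follow UID references into $objects, rebuilding dictionaries and arrays."""
    if isinstance(obj, UID):
        idx = obj.data
        if idx in seen:                      # archives may legitimately contain cycles
            return f"<cycle:{idx}>"
        return _resolve(objects[idx], objects, seen | {idx})
    if obj == "$null":
        return None
    if isinstance(obj, dict):
        if "$classname" in obj:              # a class descriptor: keep just the name
            return obj["$classname"]
        if "NS.keys" in obj and "NS.objects" in obj:   # NSDictionary
            keys = [_resolve(k, objects, seen) for k in obj["NS.keys"]]
            vals = [_resolve(v, objects, seen) for v in obj["NS.objects"]]
            return dict(zip(keys, vals))
        if "NS.objects" in obj:              # NSArray / NSSet
            return [_resolve(v, objects, seen) for v in obj["NS.objects"]]
        return {k: _resolve(v, objects, seen) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_resolve(v, objects, seen) for v in obj]
    return obj


def decode_archive(data: bytes) -> Any:
    """Return the archive's root object with every UID dereferenced."""
    archive = plistlib.loads(data)
    if archive.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    return _resolve(archive["$top"]["root"], archive["$objects"], frozenset())


def archived_classes(data: bytes) -> set[str]:
    """Every class name in the archive, including inherited ones listed in $classes."""
    names: set[str] = set()
    for entry in plistlib.loads(data)["$objects"]:
        if isinstance(entry, dict) and "$classes" in entry:
            names.update(entry["$classes"])
    return names


def suspicious_classes(data: bytes) -> set[str]:
    """Intersection of the archive's classes with the watch list."""
    return archived_classes(data) & SUSPICIOUS_CLASSES


if __name__ == "__main__":
    blob = build_sample_archive()
    print(decode_archive(blob))
    print("suspicious:", sorted(suspicious_classes(blob)))
```

Run archived_classes() first on anything MVT pulls out of the Messages or Wallet directories: a blob that instantiates NSFunctionExpression inside what should be a pass or an image attachment is the point at which decode_archive() earns its keep, and the cycle guard matters because real archives do contain back-references.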

Deobfuscating the Payload

The most fascinating part of this research is the deobfuscation. The attackers used NSExpression to run logic inside the target process. NSExpression and NSPredicate evaluate expression and predicate strings at runtime, and a FUNCTION(target, 'selector:', args) expression invokes an arbitrary Objective-C selector on an arbitrary object, so a tree of archived NSExpression objects is effectively a program rather than data. That is what makes an NSKeyedArchiver blob full of NSExpression classes so dangerous, and so worth unpacking.

When you see a payload that is heavily obfuscated with base64 encoding and multiple layers of compression, do not decode it once and hope for the best. You are likely looking at a nested structure. The research showed that the payload was compressed and then base64 encoded multiple times, so you need to peel the layers back one by one, identifying each layer from its magic bytes rather than guessing, until something recognizable (a plist, a Mach-O, a script) falls out.
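The peeling loop described above, written out as an added example (not code from the talk or the page). The sample blob it unwraps is constructed here, an XML plist wrapped twice in zlib and base64, and stands in for an extracted attachment; the real sample's layer order and count are not reproduced. The layer cap is an assumption chosen to keep a decompression bomb from running away.

```python
"""Peel nested base64/compression layers until a recognisable payload appears.

Added example, not code from the talk or the page. build_sample_blob() is a
constructed stand-in for an extracted attachment.
"""
import base64
import binascii
import bz2
import gzip
import lzma
import re
import zlib

B64_TEXT = re.compile(rb"\A[A-Za-z0-9+/]+={0,2}\Z")
# "BZh", a level digit, then the 48-bit block magic 0x314159265359 ("1AY&SY").
BZIP2_MAGIC = re.compile(rb"\ABZh[1-9]\x31\x41\x59\x26\x53\x59")
MAX_LAYERS = 32          # assumption: guard against loops and decompression bombs


def classify(data: bytes) -> str:
    """Identify a layer by its magic bytes; base64 is tested last because it is only a charset check."""
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if BZIP2_MAGIC.match(data):
        return "bzip2"
    if data.startswith(b"\xfd7zXZ\x00"):
        return "xz"
    # RFC 1950 header with a 32K window (CMF 0x78) and one of its four valid FLG bytes.
    if data[:1] == b"\x78" and len(data) > 1 and data[1] in (0x01, 0x5E, 0x9C, 0xDA):
        return "zlib"
    if data.startswith(b"bplist00"):
        return "bplist"
    head = data.lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml-plist" if b"<plist" in head[:512] else "xml"
    if data[:4] in (b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"):
        return "macho"
    stripped = b"".join(data.split())
    if stripped and len(stripped) % 4 == 0 and B64_TEXT.match(stripped):
        return "base64"
    return "unknown"


DECODERS = {
    "base64": lambda d: base64.b64decode(b"".join(d.split()), validate=True),
    "zlib": zlib.decompress,
    "gzip": gzip.decompress,
    "bzip2": bz2.decompress,
    "xz": lzma.decompress,
}


def peel(blob) -> tuple[list[str], bytes, str]:
    """Strip wrapper layers one at a time; returns (layers_removed, payload, payload_kind)."""
    data = blob.encode() if isinstance(blob, str) else bytes(blob)
    layers: list[str] = []
    for _ in range(MAX_LAYERS):
        kind = classify(data)
        if kind not in DECODERS:
            return layers, data, kind
        try:
            data = DECODERS[kind](data)
        except (binascii.Error, zlib.error, OSError, lzma.LZMAError, ValueError):
            return layers, data, kind       # looked like a wrapper but would not decode: stop here
        layers.append(kind)
    return layers, data, "max-layers-reached"


def build_sample_blob() -> str:
    """Constructed sample: an XML plist wrapped in zlib+base64 twice."""
    inner = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
             b'<plist version="1.0"><dict><key>stage</key>'
             b'<string>constructed-sample</string></dict></plist>\n')
    once = base64.b64encode(zlib.compress(inner))
    twice = base64.b64encode(zlib.compress(once))
    return twice.decode()


if __name__ == "__main__":
    removed, payload, kind = peel(build_sample_blob())
    print(removed, kind)
    print(payload.decode())
```

The point of returning the layer list as well as the payload is that the wrapping order is itself an indicator you can compare across samples; feed the final bytes to the NSKeyedArchiver resolver or to plutil depending on what classify() reports.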

If you are stuck, do not hesitate to use large language models to help translate obfuscated code. They are not a replacement for manual analysis, and every selector or constant they name has to be checked against the actual bytes, but they are good at spotting patterns in Objective-C or Swift code that you might have missed. In this case, the model was able to identify the NSExpression structure and help map out the function calls, which saved hours of manual reverse engineering.

Real-World Applicability for Pentesters

If you are conducting a mobile application security assessment, look for these same patterns. Does the application use NSKeyedArchiver to store or receive sensitive data, and if so does it unarchive with NSSecureCoding (unarchivedObject(ofClasses:from:) with an explicit class allow-list) rather than the legacy unarchiveObject(with:), which will instantiate whatever classes the archive names? Are the inputs to its image processing libraries validated, and are those libraries current? If you are using third-party libraries to handle media, you are inheriting their vulnerabilities.

During an engagement, look for processes that are making unexpected network calls or writing to /private/var/tmp. These are classic indicators of a staged payload. If you find a file that looks like a standard image but has a massive file size, or whose magic bytes disagree with its extension, run file and strings on it immediately. A WebP file or a binary plist masquerading as a PNG is your smoking gun.
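A triage script for the PassKit attachments discussed earlier and for the extension-versus-magic check just described, as an added example (not code from the talk or the page). It builds an in-memory .pkpass with placeholder image bytes (valid headers only, no real pixel data) so it runs offline; the member names follow the .pkpass convention and the size threshold is an assumption, not a vendor value.

```python
"""Triage a .pkpass attachment: does each member's content match its extension?

Added example, not code from the talk or the page. build_sample_pkpass() is a
constructed sample with header-only image bytes.
"""
import io
import json
import struct
import zipfile

LARGE_IMAGE_BYTES = 2 * 1024 * 1024      # assumption: tune to your environment

EXPECTED_KIND = {".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".json": {"json"}}


def sniff(data: bytes) -> str:
    """Identify content by magic bytes, independent of the file name."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:2] == b"\xff\xd8":
        return "jpeg"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        # The first chunk tag separates lossy (VP8 ), lossless (VP8L) and extended (VP8X).
        return {b"VP8 ": "webp-lossy", b"VP8L": "webp-lossless",
                b"VP8X": "webp-extended"}.get(data[12:16], "webp")
    if data.startswith(b"bplist00"):
        return "bplist"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.lstrip()[:1] in (b"{", b"["):
        try:
            json.loads(data)
            return "json"
        except ValueError:
            pass
    return "unknown"


def inspect_pkpass(pkpass_bytes: bytes) -> list[dict]:
    """One finding per member: sniffed kind, size, and whether the name lies about the content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pkpass_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            ext = ("." + info.filename.rsplit(".", 1)[-1].lower()) if "." in info.filename else ""
            kind = sniff(data)
            expected = EXPECTED_KIND.get(ext)
            findings.append({
                "name": info.filename,
                "kind": kind,
                "size": info.file_size,
                "mismatch": expected is not None and kind not in expected,
                "oversized": info.file_size > LARGE_IMAGE_BYTES,
                # Lossless WebP reaching an image parser deserves a second look on its
                # own: the BlastPass libwebp bug was in lossless (VP8L) decoding.
                "webp_lossless": kind == "webp-lossless",
            })
    return findings


def suspicious_members(pkpass_bytes: bytes) -> list[str]:
    """Names of members that mismatch their extension, are oversized, or are lossless WebP."""
    return [f["name"] for f in inspect_pkpass(pkpass_bytes)
            if f["mismatch"] or f["oversized"] or f["webp_lossless"]]


def _fake_webp_lossless(payload_len: int = 64) -> bytes:
    """Constructed RIFF/WEBP container with a VP8L chunk (header only, not a decodable image)."""
    chunk = b"VP8L" + struct.pack("<I", payload_len) + b"\x2f" + b"\x00" * (payload_len - 1)
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WEBP" + chunk


def build_sample_pkpass() -> bytes:
    """Constructed sample pass: one honest PNG, plus a WebP and a bplist both named .png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pass.json", json.dumps({"formatVersion": 1, "description": "constructed sample"}))
        zf.writestr("icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        zf.writestr("logo.png", _fake_webp_lossless())
        zf.writestr("strip.png", b"bplist00" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_pkpass(build_sample_pkpass()):
        print(finding)
    print("review:", suspicious_members(build_sample_pkpass()))
```

Point inspect_pkpass() at the .pkpass files MVT recovers from a backup's Messages attachments, and treat anything suspicious_members() returns as material for the crash-log and NSKeyedArchiver analysis above rather than as proof of compromise on its own.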

Defensive Considerations

Defenders need to focus on visibility. You cannot stop what you cannot see. Collect crash logs and sysdiagnoses from high-risk users on a schedule rather than only after an incident, use your MDM to enforce prompt OS updates (Apple shipped the BlastPass fixes in iOS 16.6.1) and to monitor for unauthorized configuration changes, and enable Lockdown Mode for the people most likely to be targeted; Citizen Lab reported, with Apple's confirmation, that Lockdown Mode blocks this particular attack. While you cannot patch every zero-day, you can raise the cost of an attack considerably by keeping media parsing inside strict sandboxes and minimizing the attack surface of the services that handle unsolicited content.

The cat and mouse game is far from over. As we move toward more secure architectures, attackers will continue to find creative ways to exploit the complexity of the operating system. Keep your tools updated, keep a human in the analysis loop, and never trust the file extension. The next time you see a crash in a system service, treat it as a potential entry point for a much larger, more dangerous chain.
