Woburn, MA – January 16, 2024 — Kaspersky today shares that its Global Research and Analysis Team (GReAT) has developed a lightweight method to detect indicators of infection from sophisticated iOS spyware such as Pegasus, Reign, and Predator through analyzing Shutdown.log, a previously unexplored forensic artifact.
The company’s experts discovered that Pegasus infections leave traces in an unexpected system log, Shutdown.log, stored within any iOS device’s sysdiagnose archive. This archive retains information from each reboot session, so anomalies associated with the Pegasus malware become apparent in the log when an infected user reboots their device. Among the anomalies identified were instances of “sticky” processes that impede reboots, particularly those linked to Pegasus, along with infection traces matching observations already reported by the cybersecurity community.
“The sysdiag dump analysis proves to be minimally intrusive and resource-light, relying on system-based artifacts to identify potential iPhone infections. Having received the infection indicator in this log and confirmed the infection using the Mobile Verification Toolkit’s (MVT) processing of other iOS artifacts, this log now becomes part of a holistic approach to investigating iOS malware infection,” comments Maher Yamout, lead security researcher at Kaspersky’s GReAT. “Since we confirmed the consistency of this behavior with the other Pegasus infections we analyzed, we believe it will serve as a reliable forensic artifact to support infection analysis.”
Analyzing the Shutdown.log in Pegasus infections, Kaspersky experts observed a common infection path, specifically “/private/var/db/”, mirroring paths seen in infections caused by other iOS malware like Reign and Predator. The company’s researchers suggest this log file holds potential for identifying infections related to these malware families.
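The two indicators described above, processes that repeatedly delay a reboot and processes running from under “/private/var/db/”, are the kind of checks a triage script can apply to a reboot log. The following is an added example written for this page; it is not Kaspersky’s published utility, and the log layout it parses (session headers, “After Ns, there are still N clients:” lines and “remaining client pid: N (path)” lines) is a simplified format assumed for illustration. The sample log, the reboot timestamps, the PIDs and the path under /private/var/db/ are all constructed, so the parser should be adapted to the real Shutdown.log format before use on a genuine sysdiagnose archive.

```python
import re
from dataclasses import dataclass, field

# Path prefix the page names as the common infection path. Everything else here
# (log layout, sample content) is an assumption made for this example.
SUSPICIOUS_PREFIX = "/private/var/db/"

# Constructed sample log in the simplified format assumed for this example.
SAMPLE_LOG = """\
=== reboot session 2024-01-10 08:12:03 ===
SIGTERM: [0x0001] 69 /usr/sbin/mDNSResponder
SIGTERM: [0x0002] 120 /usr/libexec/locationd
=== reboot session 2024-01-12 21:40:55 ===
SIGTERM: [0x0001] 69 /usr/sbin/mDNSResponder
After 3s, there are still 2 clients:
remaining client pid: 1026 (/private/var/db/placeholder.dir/stickyd)
remaining client pid: 1031 (/usr/libexec/locationd)
After 6s, there are still 1 clients:
remaining client pid: 1026 (/private/var/db/placeholder.dir/stickyd)
=== reboot session 2024-01-14 07:01:10 ===
SIGTERM: [0x0001] 69 /usr/sbin/mDNSResponder
"""

SESSION_RE = re.compile(r"^=== reboot session (?P<ts>.+?) ===$")
AFTER_RE = re.compile(r"^After (?P<secs>\d+)s, there are still (?P<n>\d+) clients?:$")
REMAINING_RE = re.compile(r"^remaining client pid: (?P<pid>\d+) \((?P<path>[^)]+)\)$")


@dataclass
class Session:
    """One reboot session: which processes were still alive and for how long."""
    started: str
    remaining: dict = field(default_factory=dict)  # pid -> (path, times_reported)
    max_delay: int = 0                              # largest "After Ns" seen


@dataclass
class Finding:
    session: str
    pid: int
    path: str
    reason: str


def parse_sessions(text):
    """Split the log into reboot sessions and collect still-running clients."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = Session(started=m.group("ts"))
            sessions.append(current)
            continue
        if current is None:      # lines before the first session header
            continue
        m = AFTER_RE.match(line)
        if m:
            current.max_delay = max(current.max_delay, int(m.group("secs")))
            continue
        m = REMAINING_RE.match(line)
        if m:
            pid = int(m.group("pid"))
            path, seen = current.remaining.get(pid, (m.group("path"), 0))
            current.remaining[pid] = (path, seen + 1)
    return sessions


def find_indicators(text):
    """Flag sticky processes (reported more than once in one session) and
    processes whose executable lives under the suspicious prefix."""
    findings = []
    for s in parse_sessions(text):
        for pid, (path, seen) in s.remaining.items():
            if seen > 1:
                findings.append(Finding(s.started, pid, path,
                                        "sticky: held up shutdown %d times" % seen))
            if path.startswith(SUSPICIOUS_PREFIX):
                findings.append(Finding(s.started, pid, path,
                                        "path under " + SUSPICIOUS_PREFIX))
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print("%s pid=%d %s  [%s]" % (f.session, f.pid, f.path, f.reason))
```

A hit from either check is an indicator to be confirmed with MVT’s processing of the other iOS artifacts, as the release describes, not a verdict on its own: legitimate daemons occasionally delay a shutdown once, which is why the sticky check requires the same PID to be reported in more than one delay round of the same session.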
To ease the search for spyware infections, Kaspersky experts developed a self-check utility for users. The Python3 scripts facilitate the extraction, analysis, and parsing of the Shutdown.log artifact. The tool is publicly shared on GitHub and available for macOS, Windows and Linux.
iOS spyware, such as Pegasus, is highly sophisticated. While the cyber community may not always prevent successful exploitation, users can take steps to make it challenging for attackers. To safeguard against advanced spyware on iOS, Kaspersky experts recommend the following:
By incorporating these practices into their routine, users can fortify their defenses against advanced iOS spyware and reduce the risk of successful attacks.
About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help over 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
Media Contact:
Cassandra Faro
Cassandra.Faro@Kaspersky.com
781-503-1812