Kaspersky shares that its Global Research and Analysis Team (GReAT) has developed a lightweight method to detect indicators of infection from sophisticated iOS spyware such as Pegasus, Reign, and Predator by analyzing Shutdown.log, a previously unexplored forensic artifact.
The company's experts discovered that Pegasus infections leave traces in an unexpected system log, Shutdown.log, stored within any iOS device's sysdiagnose archive. This archive retains information from each reboot session, so anomalies associated with the Pegasus malware become apparent in the log whenever an infected user reboots the device.
Among the anomalies identified were instances of "sticky" processes impeding reboots, particularly those linked to Pegasus, along with infection traces consistent with observations already made by the cybersecurity community.
"The sysdiag dump analysis proves to be minimally intrusive and resource-light, relying on system-based artifacts to identify potential iPhone infections. Having received the infection indicator in this log and confirmed the infection using the Mobile Verification Toolkit's (MVT's) processing of other iOS artifacts, this log now becomes part of a holistic approach to investigating iOS malware infection," comments Maher Yamout, lead security researcher at Kaspersky's GReAT. "Since we confirmed the consistency of this behavior with the other Pegasus infections we analyzed, we believe it will serve as a reliable forensic artifact to support infection analysis."
Analyzing the Shutdown.log in Pegasus infections, Kaspersky experts observed a common infection path, specifically "/private/var/db/", mirroring paths seen in infections caused by other iOS malware like Reign and Predator. The company's researchers suggest this log file holds potential for identifying infections related to these malware families.
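As an added illustration (not Kaspersky's utility and not code from this article), the following Python script splits a Shutdown.log into reboot sessions and flags any session in which a client under "/private/var/db/" was still holding up shutdown, the "sticky process" pattern described above. The line shapes in the constructed sample, including the "remaining client pid:" line and the "After N seconds" counters, are assumptions for this example; the real artifact may differ.

```python
import re

# Constructed sample Shutdown.log excerpt covering two reboot sessions.
# Line shapes are an assumption for this example, not taken from the article.
SAMPLE_LOG = """\
SIGTERM: [0x1] client /usr/libexec/lsd:0x20 sent by 0x0
After 1 seconds, 2 clients remain
After 2 seconds, 0 clients remain
Mon Jan  8 09:12:44 2024 reboot
SIGTERM: [0x2] client /usr/libexec/lsd:0x24 sent by 0x0
After 1 seconds, 1 clients remain
After 10 seconds, 1 clients remain
remaining client pid: 4211 (/private/var/db/example.staging/example-agent)
Tue Jan  9 07:30:02 2024 reboot
"""

# Path prefix the article reports as common to Pegasus, Reign and Predator.
SUSPICIOUS_PREFIX = "/private/var/db/"
REMAINING = re.compile(r"remaining client pid:\s*(\d+)\s+\((.+?)\)")
DELAY = re.compile(r"After (\d+) seconds, (\d+) clients remain")
SESSION_END = re.compile(r"^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} reboot$")


def split_sessions(log: str) -> list:
    """Group log lines by reboot: each session ends at a timestamped reboot line."""
    sessions, current = [], []
    for line in log.splitlines():
        current.append(line)
        if SESSION_END.match(line):
            sessions.append(current)
            current = []
    if current:  # trailing lines from a session not yet closed by a reboot
        sessions.append(current)
    return sessions


def find_sticky_sessions(log: str) -> list:
    """Report sessions where a /private/var/db/ client was still alive at shutdown."""
    findings = []
    for idx, lines in enumerate(split_sessions(log)):
        sticky, max_delay = [], 0
        for line in lines:
            d = DELAY.search(line)
            if d and int(d.group(2)) > 0:  # clients still blocking shutdown
                max_delay = max(max_delay, int(d.group(1)))
            r = REMAINING.search(line)
            if r and r.group(2).startswith(SUSPICIOUS_PREFIX):
                sticky.append((int(r.group(1)), r.group(2)))
        if sticky:
            findings.append({"session": idx, "max_delay": max_delay, "sticky": sticky})
    return findings
```

On a real sysdiagnose, point the parser at the extracted Shutdown.log instead of SAMPLE_LOG and treat any hit as a lead to confirm with MVT, not as proof of infection on its own.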
To ease the search for spyware infections, Kaspersky experts developed a self-check utility for users. The Python3 scripts extract, parse, and analyze the Shutdown.log artifact. The tool is publicly shared on GitHub and available for macOS, Windows and Linux.
iOS spyware, such as Pegasus, is highly sophisticated. While the cyber community may not always prevent successful exploitation, users can take steps to make it challenging for attackers. To safeguard against advanced spyware on iOS, Kaspersky experts recommend the following:
- Reboot Daily: According to research from Amnesty International and Citizen Lab, Pegasus often relies on zero-click 0-days with no persistence. Regular daily reboots can help clean the device, making it necessary for attackers to repeatedly reinfect, thereby increasing the chances of detection over time.
- Lockdown Mode: There have been several public reports on the success of Apple's newly added Lockdown Mode in blocking iOS malware infection.
- Disable iMessage and FaceTime: iMessage, enabled by default, is an attractive exploitation vector. Disabling it reduces the risk of falling victim to zero-click chains. The same advice applies to FaceTime, another potential vector for exploitation.
- Keep Device Updated: Install the latest iOS patches promptly, as many iOS exploit kits target already patched vulnerabilities. Swift updates are crucial for staying ahead of some nation-state attackers who may exploit delayed updates.
- Exercise Caution with Links: Avoid clicking on links received in messages, as Pegasus customers may resort to 1-click exploits delivered through SMS, other messengers, or email.
- Check Backups and Sysdiags Regularly: Processing encrypted backups and sysdiagnose archives using MVT and Kaspersky's tools can help in detecting iOS malware.
By incorporating these practices into their routine, users can fortify their defenses against advanced iOS spyware and reduce the risk of successful attacks.