New iShutdown Method Exposes Hidden Spyware Like Pegasus on Your iPhone

January 17, 2024 at 06:03AM

Cybersecurity researchers have developed a “lightweight method” called iShutdown to detect spyware on Apple iOS devices, including threats like NSO Group’s Pegasus and QuaDream’s Reign. The method involves analyzing the “Shutdown.log” file, which records reboot events and environment characteristics, and has been found to be a reliable forensic artifact for detecting anomalous log entries.

Key takeaways from the report:

– A “lightweight method” called iShutdown has been identified for detecting spyware on Apple iOS devices, including NSO Group’s Pegasus, QuaDream’s Reign, and Intellexa’s Predator.
– Kaspersky analyzed compromised iPhones with Pegasus and found traces in a file named “Shutdown.log,” which records reboot events and environment characteristics.
– Retrieving the Shutdown.log file is straightforward compared with more time-consuming acquisition methods.
– The log file is stored in a sysdiagnose (sysdiag) archive and can reveal instances of spyware-related processes causing reboot delays.
– A similar filesystem path is used by all three spyware families, which acts as an indicator of compromise.
– The success of this approach depends on the target user rebooting their device frequently.
– Kaspersky has published Python scripts to extract, analyze, and parse the Shutdown.log for reboot stats.
– This method is lightweight, readily available, and the log file can store entries for several years, making it valuable for analyzing and identifying anomalous log entries.
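To make the reboot-delay heuristic concrete, here is an added example (not Kaspersky's published script) that parses a constructed Shutdown.log sample, counts how often each process delayed a shutdown, and flags reboots held up by a process under a staging-style directory. The line format and the `EXAMPLE.staging` directory are assumptions and placeholders, not values taken from real devices.

```python
import re
from collections import Counter

# Constructed sample in the style of an iOS Shutdown.log (assumed format, not a real capture).
# A SIGTERM line starts each reboot; "remaining client" lines list processes still alive;
# "After Ns" lines show how long shutdown waited. EXAMPLE.staging is a placeholder directory.
SAMPLE_LOG = """\
SIGTERM: [0x0] Mon Jan  8 09:12:01 2024
remaining client pid: 611 (/usr/libexec/locationd)
After 3s, there are still 1 clients remaining
SIGTERM: [0x0] Tue Jan  9 21:40:13 2024
remaining client pid: 1407 (/private/var/db/EXAMPLE.staging/implant)
After 3s, there are still 1 clients remaining
After 8s, there are still 1 clients remaining
SIGTERM: [0x0] Wed Jan 10 07:05:44 2024
SIGTERM: [0x0] Thu Jan 11 18:30:02 2024
remaining client pid: 1512 (/private/var/db/EXAMPLE.staging/implant)
After 3s, there are still 1 clients remaining
"""

SIGTERM_RE = re.compile(r"^SIGTERM: \[.*?\] (.+)$")
CLIENT_RE = re.compile(r"^remaining client pid: (\d+) \((.+)\)$")
DELAY_RE = re.compile(r"^After (\d+)s, there are still (\d+) clients remaining$")
# Placeholder for the staging-style directory the article mentions; substitute the real path.
SUSPICIOUS_DIR_RE = re.compile(r"^/private/var/db/[^/]+\.staging/")

def parse_shutdown_log(text):
    """Return one dict per reboot: {'time', 'clients': [(pid, path)], 'max_delay_s'}."""
    reboots = []
    for line in text.splitlines():
        if m := SIGTERM_RE.match(line):
            reboots.append({"time": m.group(1), "clients": [], "max_delay_s": 0})
        elif reboots and (m := CLIENT_RE.match(line)):
            reboots[-1]["clients"].append((int(m.group(1)), m.group(2)))
        elif reboots and (m := DELAY_RE.match(line)):
            reboots[-1]["max_delay_s"] = max(reboots[-1]["max_delay_s"], int(m.group(1)))
    return reboots

def reboot_stats(reboots):
    """Count, per process path, how many reboots it delayed (a persistent delayer stands out)."""
    return Counter(path for r in reboots for path in {p for _, p in r["clients"]})

def find_suspicious(reboots):
    """Times of reboots delayed by a process living under the staging-style directory."""
    return [r["time"] for r in reboots
            if any(SUSPICIOUS_DIR_RE.match(path) for _, path in r["clients"])]

if __name__ == "__main__":
    reboots = parse_shutdown_log(SAMPLE_LOG)
    print(len(reboots), "reboots;", dict(reboot_stats(reboots)), find_suspicious(reboots))
```

On a real sysdiagnose archive, point the parser at the extracted Shutdown.log and replace the placeholder pattern with the path from the published indicators.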

Additionally, SentinelOne has revealed that information stealers targeting macOS are adapting to circumvent Apple’s built-in antivirus technology, XProtect, and that signature-based detection alone is insufficient.
