- "기밀 VM의 빈틈을 메운다" 마이크로소프트의 오픈소스 파라바이저 '오픈HCL'란?
- The best early Black Friday AirPods deals: Shop early deals
- The 19 best Black Friday headphone deals 2024: Early sales live now
- I tested the iPad Mini 7 for a week, and its the ultraportable tablet to beat at $100 off
- The best Black Friday deals 2024: Early sales live now
New Tool Identifies Pegasus and Other iOS Spyware
Kaspersky’s Global Research and Analysis Team (GReAT) has unveiled a new, lightweight method to detect sophisticated iOS spyware, including notorious threats like Pegasus, Reign and Predator.
Writing in an advisory published today, the researchers said they focused on analyzing the previously overlooked forensic artifact, Shutdown.log, which is stored within the sysdiagnose archive of iOS devices and retains information from each reboot session.
Anomalies associated with Pegasus became apparent during the reboot. Instances of “sticky” processes hindering reboots, particularly those linked to Pegasus, were identified. They were then corroborated by observations from the broader cybersecurity community.
Further analysis of Pegasus infections in Shutdown.log revealed a common infection path, “/private/var/db/,” resembling paths seen in infections caused by Reign and Predator. Kaspersky researchers suggested that this log file holds the potential for identifying infections related to these malware families.
“Having received the infection indicator in this log and confirmed the infection using Mobile Verification Toolkit (MVT) processing of other iOS artifacts, this log now becomes part of a holistic approach to investigating iOS malware infection,” explained Maher Yamout, lead security researcher at Kaspersky’s GReAT.
“Since we confirmed the consistency of this behavior with the other Pegasus infections we analyzed, we believe it will serve as a reliable forensic artifact to support infection analysis.”
To empower users in the fight against iOS spyware, Kaspersky experts have also developed a self-check utility shared on GitHub. This Python3 script facilitates the extraction, analysis and parsing of the Shutdown.log artifact, catering to macOS, Windows and Linux users.
More generally, and in light of the increasing sophistication of iOS spyware, Kaspersky recommended several measures to safeguard against potential attacks.
These include daily reboots to disrupt potential infections, utilizing Apple’s lockdown mode and disabling iMessage and FaceTime. Also, to update iOS promptly to install the latest patches, exercise caution with links and regularly check backups and sys diagnose archives.
